Django AUTH_PASSWORD_VALIDATORS is not honored #240

Open
McCarthyCode opened this issue Mar 25, 2021 · 1 comment
McCarthyCode commented Mar 25, 2021

This continues the conversation at Tivix/django-rest-auth#226 (from the old repo).

A PR (Tivix/django-rest-auth#482) was made, but didn't make it into the new repo. I propose that it gets added. I've tested the /rest-auth/registration/ endpoint using the default value of AUTH_PASSWORD_VALIDATORS in settings.py:

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME':
        'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME':
        'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME':
        'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME':
        'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

Originally, the first in the list, UserAttributeSimilarityValidator, wasn't getting checked, so I wrote some tests for it that check the following:

# identical username
body = {
    'username': 'harold123',
    'email': 'harold@example.com',
    'password1': 'harold123',
    'password2': 'harold123',
}

# identical email
body = {
    'username': 'isabelle',
    'email': 'isabelle@example.com',
    'password1': 'isabelle@example.com',
    'password2': 'isabelle@example.com',
}

# similar username
body = {
    'username': 'supercoolusername',
    'email': 'joshua@example.com',
    'password1': 'supercoolusername1',
    'password2': 'supercoolusername1',
}

# similar email
body = {
    'username': 'kelly',
    'email': 'kelly@example.com',
    'password1': 'kelly@example.com123',
    'password2': 'kelly@example.com123',
}

These all result in an HTTP_201_CREATED response using django_rest_auth and dj_rest_auth pip packages, when it should be HTTP_400_BAD_REQUEST. When I install with pip install git+https://github.com/dgilge/django-rest-auth@patch-2, the tests pass.
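
Added example (not part of the issue, and not dj-rest-auth or Django code): a standard-library model of the comparison Django's UserAttributeSimilarityValidator performs, run over the four request bodies above. Django's validator returns without checking anything when it is called without a user object; that this is what happens in the registration flow is an assumption here. `similarity_violations`, `run_cases` and `CASES` are hypothetical names, and the real validator's length-ratio shortcut is omitted.

```python
import re
from difflib import SequenceMatcher
from types import SimpleNamespace

# Defaults of Django's UserAttributeSimilarityValidator.
USER_ATTRIBUTES = ("username", "first_name", "last_name", "email")
MAX_SIMILARITY = 0.7


def similarity_violations(password, user=None):
    """Return the user attributes the password is too similar to.

    Simplified model: with no user there is nothing to compare against,
    so the result is empty and the password is accepted.
    """
    if user is None:
        return []
    password = password.lower()
    hits = []
    for name in USER_ATTRIBUTES:
        value = getattr(user, name, None)
        if not value or not isinstance(value, str):
            continue
        value = value.lower()
        # Compare against each word-like part and against the whole value.
        for part in re.split(r"\W+", value) + [value]:
            ratio = SequenceMatcher(a=password, b=part).quick_ratio()
            if ratio >= MAX_SIMILARITY:
                hits.append(name)
                break
    return hits


# Constructed from the four request bodies in the issue:
# (username, email, password1)
CASES = [
    ("harold123", "harold@example.com", "harold123"),
    ("isabelle", "isabelle@example.com", "isabelle@example.com"),
    ("supercoolusername", "joshua@example.com", "supercoolusername1"),
    ("kelly", "kelly@example.com", "kelly@example.com123"),
]


def run_cases():
    """Per case: (violations without a user, violations with the user)."""
    results = []
    for username, email, password in CASES:
        user = SimpleNamespace(username=username, email=email)
        results.append((similarity_violations(password),
                        similarity_violations(password, user)))
    return results
```

Every case comes back empty without a user and non-empty with one, so a regression test for the endpoint has to confirm the validators receive the user being registered, not only that they are configured.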

@sunweiyang

This is happening for me too. I'm aware that #277 exists and is merged, but my own testing shows that password validation is still not happening.
