Password-validation: while register: avoid password and email being same
sant527 opened this issue · 4 comments
I am using django rest auth for registration. I am using email as login and the below are my settings
ACCOUNT_USER_MODEL_USERNAME_FIELD = None
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_UNIQUE_EMAIL = True
ACCOUNT_USERNAME_REQUIRED = False
ACCOUNT_AUTHENTICATION_METHOD = 'email'
ACCOUNT_EMAIL_VERIFICATION = 'mandatory'
ACCOUNT_CONFIRM_EMAIL_ON_GET = True
ACCOUNT_EMAIL_CONFIRMATION_ANONYMOUS_REDIRECT_URL = 'http://localhost:3000/login'
I am trying the api end point rest-auth/registration/
Now if i pass email
and password
same, it does not raise password validaiton error.
these are my password validators:
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
How to ensure the password is not similar to email using dango rest auth
I've encountered the same issue and posted to StackOverflow here: https://stackoverflow.com/questions/66780291/how-is-the-userattributesimilarityvalidator-supposed-to-be-used-in-django. Unfortunately, though, at the time of writing, there are no answers.
The other three validators work beautifully, but for whatever reason, the first in OP's list, UserAttributeSimilarityValidator
, is being ignored.
Here is my reposted question:
I am testing a REST API I wrote in Django, but this validator does not work as intended. I read the docs on this, but I need more than a description; I need a working example.
I have it defined in settings.py as is the default.
# my_app/settings.py
AUTH_PASSWORD_VALIDATORS = [
{
'NAME':
'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
...
]
However, when I run the test, I get an unexpected and undesired success.
# api/authentication/tests.py
body = {
'username': 'frank',
'email': 'frank@example.com',
'password1': 'frank@example.com',
'password2': 'frank@example.com',
}
response = self.client.post(url, body, format='json'))
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
> ./manage.py test
Creating test database for alias 'default'...
System check identified no issues (0 silenced).
F
======================================================================
FAIL: test_register (api.authentication.tests.AuthTests)
Ensure we can register a user and test for validation errors.
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/matt/Repositories/my_app/back-end/api/authentication/tests.py", line 108, in case_password_has_email
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
AssertionError: 201 != 400
----------------------------------------------------------------------
Ran 1 test in 0.275s
FAILED (failures=1)
Destroying test database for alias 'default'...
Am I missing the point of this validator? Am I just using it wrong? My intended behavior is for a 400 response to be sent with an error message, like the other validators allow for. How do I accomplish this?
thanks for this, i will check out the patch
Also note that this repo is not maintained, but another one is active: https://github.com/iMerica/dj-rest-auth
I opened a new issue there: iMerica/dj-rest-auth#240