Tivix/django-rest-auth

Password-validation: while register: avoid password and email being same

sant527 opened this issue · 4 comments

I am using django rest auth for registration. I am using email as login and the below are my settings

ACCOUNT_USER_MODEL_USERNAME_FIELD = None
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_UNIQUE_EMAIL = True
ACCOUNT_USERNAME_REQUIRED = False
ACCOUNT_AUTHENTICATION_METHOD = 'email'
ACCOUNT_EMAIL_VERIFICATION = 'mandatory'
ACCOUNT_CONFIRM_EMAIL_ON_GET = True
ACCOUNT_EMAIL_CONFIRMATION_ANONYMOUS_REDIRECT_URL = 'http://localhost:3000/login'

I am trying the api end point rest-auth/registration/

Now if I pass the same value for email and password, it does not raise a password validation error.

these are my password validators:

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

How to ensure the password is not similar to the email using django rest auth?

I've encountered the same issue and posted to StackOverflow here: https://stackoverflow.com/questions/66780291/how-is-the-userattributesimilarityvalidator-supposed-to-be-used-in-django. Unfortunately, though, at the time of writing, there are no answers.

The other three validators work beautifully, but for whatever reason, the first in OP's list, UserAttributeSimilarityValidator, is being ignored.

Here is my reposted question:

I am testing a REST API I wrote in Django, but this validator does not work as intended. I read the docs on this, but I need more than a description; I need a working example.

I have it defined in settings.py as is the default.

# my_app/settings.py

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME':
        'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    ...
]

However, when I run the test, I get an unexpected and undesired success.

# api/authentication/tests.py

body = {
    'username': 'frank',
    'email': 'frank@example.com',
    'password1': 'frank@example.com',
    'password2': 'frank@example.com',
}

response = self.client.post(url, body, format='json')
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)

> ./manage.py test
Creating test database for alias 'default'...
System check identified no issues (0 silenced).
F
======================================================================
FAIL: test_register (api.authentication.tests.AuthTests)
Ensure we can register a user and test for validation errors.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/matt/Repositories/my_app/back-end/api/authentication/tests.py", line 108, in case_password_has_email
    self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
AssertionError: 201 != 400

----------------------------------------------------------------------
Ran 1 test in 0.275s

FAILED (failures=1)
Destroying test database for alias 'default'...

Am I missing the point of this validator? Am I just using it wrong? My intended behavior is for a 400 response to be sent with an error message, like the other validators allow for. How do I accomplish this?

Duplicate of #226

There's a patch here: PR #482

pip install git+https://github.com/dgilge/django-rest-auth@patch-2

Thanks for this, I will check out the patch.

Also note that this repo is not maintained, but another one is active: https://github.com/iMerica/dj-rest-auth

I opened a new issue there: iMerica/dj-rest-auth#240