Commit 9bef4e62 authored by David Seaward's avatar David Seaward

only authenticate valid, existing usernames

(existing usernames that are invalid will not authenticate)
parent 828b3379
......@@ -28,9 +28,12 @@ SECRET_KEY = secret_config("DJANGO_SECRET_KEY")
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = config("DEBUG", cast=bool)
# it is safe to use these flags in production
DEBUG_ALL_ACCESS = config("DEBUG_ALL_ACCESS", cast=bool)
DEBUG_CHANGE_PASSWORD = config("DEBUG_CHANGE_PASSWORD", cast=bool)
DEBUG_SKIP_ACTIVATION_COMMAND = config("DEBUG_SKIP_ACTIVATION_COMMAND", cast=bool)
DEBUG_SKIP_VALIDATE_ON_AUTHENTICATION = config("DEBUG_SKIP_VALIDATE_ON_AUTHENTICATION", cast=bool)
# Required if DEBUG is False
ALLOWED_HOSTS = config("ALLOWED_HOSTS", cast=Csv())
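Review bot: The comment `# it is safe to use these flags in production` now sits directly above a flag that, when true, removes the username validation the authentication backend performs on every login, so a reader scanning the settings file gets no hint that enabling `DEBUG_SKIP_VALIDATE_ON_AUTHENTICATION` weakens an authentication check. A one-line note on the new setting would make the trade-off explicit, e.g. `# when True, AuthenticationBackend.authenticate skips UsernameValidator; leave False unless debugging`. Whether the "safe in production" comment line is new or pre-existing is not recoverable from this rendering, but the new flag is what changes its meaning.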
......@@ -6,7 +6,7 @@ from django.utils.translation import ugettext_lazy as _
from django_auth_ldap.backend import LDAPBackend as BaseBackend
from woocommerce import API as WOOCOMMERCE_API
from .models import User
from .models import User, UsernameValidator
log = logging.getLogger(__name__)
......@@ -56,14 +56,20 @@ class AuthenticationBackend(BaseBackend):
user_model = User
normalized_username = user_model.normalize_username(username)
# first attempt LDAP authentication (with early exit)
# first, validate username (even if it exists, username must be valid)
if not settings.DEBUG_SKIP_VALIDATE_ON_AUTHENTICATION:
validator = UsernameValidator()
validator(username)
# second, attempt LDAP authentication (with early exit on success)
user = super(AuthenticationBackend, self).authenticate(request, normalized_username, password, **kwargs)
if user is not None:
return user
# secondly attempt WooCommerce/JWT authentication
# third, attempt WooCommerce/JWT authentication
# (if successful, create and return LDAP user, otherwise return None)
if self.is_valid_jwt(normalized_username, password):
......@@ -76,8 +82,6 @@ class AuthenticationBackend(BaseBackend):
else:
return None
# TODO: also validate, so that existing but invalid usernames are not permitted?
class PassphraseValidator(BaseValidator):
# TODO: bundle in all the other validators from django.contrib.auth.password_validation
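Review bot: The new validation step at `validator(username)` fails by raising rather than by returning `None`; if `UsernameValidator` follows Django's validator convention and raises `ValidationError`, that exception propagates out of `authenticate()`, and `django.contrib.auth.authenticate()` only treats `PermissionDenied` as a rejection, so callers other than a form's `clean()` would see an unhandled error instead of a failed login. Routing it through the backend's normal rejection path keeps the commit's intent while giving every caller the same outcome: `try:` / `    validator(username)` / `except ValidationError:` / `    return None`, with `ValidationError` imported from `django.core.exceptions` and ideally a `log.warning` on the rejected username before returning. The validator is also applied to the raw `username` while the LDAP lookup on the next lines uses `normalized_username`; validating the normalized value would check the string that is actually looked up. The enclosing `authenticate` method starts before this hunk.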