## Steps to reproduce
When sign-up is completed,
I don’t want to show hashed password to user
# views.py
class UserSignup(generics.CreateAPIView):
serializer_class = CustomUserSerializer
def create(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
self.perform_create(serializer)
headers = self.get_success_headers(serializer.data)
return Response(
serializer.data,
status=status.HTTP_201_CREATED,
headers=headers
)
# serializers.py
class CustomUserSerializer(serializers.ModelSerializer):
class Meta:
model = CustomUser
fields = 'name', 'email', 'password'
def validate(self, attrs):
password = attrs['password']
if len(password) < 9:
raise serializers.ValidationError("password is too short.")
return attrs
def create(self, validated_data):
ModelClass = self.Meta.model
instance = ModelClass.objects.create_user(**validated_data)
return instance
## Expected behavior
{
"ID": "sol13",
"password": "inputed password" (or Null..)
}
## Actual behavior
but
{
"ID": "sol13",
"password":
"pbkdf2_sha256$30000$irJGEMqdM7Z2$fvyAw63kC2SQ3qKJ+RZ8MAGxbjhBThTQvyYldrBRguw="
}
Even if there is no security problem..
The hashed password is meaningless value.
Why is it showing a hashed password?
of course i know how to remove password at response .
by manipulating returndict..
another way, i can use a serializer with fields without a password,
but it will not be validated, so additional manipulation is required.
Why is not it the default setting to hide the (hashed) 'password' field of
AbstractBaseUser?
--
You received this message because you are subscribed to the Google Groups
"Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
