#34565: Exception will be raised when settings.PASSWORD_HASHERS changes and the
check_password() method is called in an asynchronous context.
-------------------------------------+-------------------------------------
               Reporter:  Dingning   |          Owner:  nobody
                   Type:  Bug        |         Status:  assigned
              Component:             |        Version:  4.2
  contrib.auth                       |       Keywords:  async auth
               Severity:  Normal     |  check_password
           Triage Stage:             |      Has patch:  0
  Unreviewed                         |
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
 When `settings.PASSWORD_HASHERS` is changed and `user.check_password()` is
 called in an async context, a `SynchronousOnlyOperation` exception may
 occur.

 The reason is that the check_password function will call the synchronous
 setter function to update the password field of the user table when the
 `settings.PASSWORD_HASHERS` is changed.


 == To reproduce the process:
 1. Start Django and create a user. Suppose the user's password is 123456.
 2. Close the server, modify `settings.PASSWORD_HASHERS`, for example,
 exchange the order of the first two Hashers. You can refer to
 `django.conf.global_settings.PASSWORD_HASHERS`.
 3. Start the server and call `user.check_password('123456')` in the
 asynchronous view.
 4. `SynchronousOnlyOperation` is raiesd.


 == Reference Code:

 {{{
 #!python
 from django.http import HttpResponse
 from django.contrib.auth import get_user_model


 async def test_check_password(request):
     user = await get_user_model().objects.aget(id=1)
     is_correct = user.check_password('123456')

     return HttpResponse(is_correct)
 }}}


 == Significance:
 1. When `settings.PASSWORD_HASHERS` changes, `check_password` and related
 functions can be called normally in an asynchronous environment.
 2. Lay the foundation for the future `django.contrib.auth` module to
 support native asynchrony.


 == Solution:
 Add `acheck_password` method, this method will call the async setter
 function to update the password field of the user table when the
 `settings.PASSWORD_HASHERS` is changed.


 == Demo
 I simply implemented the solution mentioned above and put it here for
 reference.
 https://github.com/HappyDingning/django/tree/acheck_password


 == Related discussions:
 https://forum.djangoproject.com/t/add-async-support-for-abstractbaseuser-
 check-password/20364

 Thanks to bigfootjon, carltongibson and UriahKingsley

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34565>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/010701881bb7b1de-b06e5ea6-9ab1-4f6e-ac4b-ede5e8bca8a2-000000%40eu-central-1.amazonses.com.

Reply via email to