The Django API is powering a single-page app, so while there are tokens
instead of sessions, from the user point of view there is an explicit login
process to grab a signed token. I wanted to hook to the corresponding
signal to log these login events. It's probably better if I do it inside my
Are you sure you need to depend on users "logging in" through an API? Most
authentication methods used in APIs are stateless and there is no explicit
login and logout process. You either include the credentials (be it bearer
token, auth header, custom data or whatever) or not. The credentials
You are right. I was confusing the login view with the login method. The
more concrete problem was that Django REST framework calls authenticate
directly and user_login_failed is sent but never user_logged_in. I realize
though that some of the authentication methods provided by an API don't
On Thursday, January 12, 2017 at 11:16:01 PM UTC+1, Federico Bond wrote:
>
> Since backends may call authenticate directly without going through login,
> perhaps it would be best to move the user_login_failed to `login` and let
> custom backends implement both signals manually if they need