Django - user cannot login after password rest via rest api-CodePudding

I've created a custom user model as described in the django documentation https://docs.djangoproject.com/en/4.1/topics/auth/customizing/#using-a-custom-user-model-when-starting-a-project :

from django.contrib.auth.models import AbstractUser

class CustomUser(AbstractUser):
    pass

Changed the AUTH_USER_MODEL in settings.py:

AUTH_USER_MODEL = 'users.CustomUser'

and created a serializer using django rest-framework:

from rest_framework import serializers
from users.models import CustomUser


    class CustomUserSerializer(serializers.ModelSerializer):
    
        def create(self, validated_data):
            user = super().create(validated_data)
            # user = CustomUser.objects.create_user(**validated_data)
            if validated_data.get('password'):
                password = validated_data.get('password')
                user.set_password('password')
                print("set password to ", password)
            user.save()
            return user
    
        def update(self, instance, validated_data):
            
            if validated_data.get('password'):
                password = validated_data.get('password')
                instance.set_password('password')
            
            instance.first_name = validated_data.get('first_name', instance.first_name)
            instance.last_name = validated_data.get('last_name', instance.last_name)
            instance.email = validated_data.get('email', instance.email)
    
            instance.save()
            return instance
    
    
    
        class Meta:
            model = CustomUser 
            exclude = ['last_login', 'is_superuser', 'is_staff', 'is_active', 'date_joined', 'groups', 'user_permissions']

Creating a new user and updating it via rest works fine. But I cannot login with that user and the given password. I've tried it via the api authentication given by the rest framework

path('api-auth/', include('rest_framework.urls')),

as well as tried to login into the admin backend after giving the user staff status there.

The password string displayed in the admin interface for that user seems to be fine:

algorithm: pbkdf2_sha256 iterations: 390000 salt: 2DrB5n**************** hash: eflTzs**************************************

It seems, that calling set_password on the instance within the serializer methods works. However, no login possible with that password. But when I update the user's password in the admin panel with the standard django password update form, login works perfectly.

When I compare the password hash created by set_password and the django password update form, they look similar. (salt and hash are not the same, off course)

What could cause the issue?

CodePudding user response：

Ok, so I see in your update and create functions that despite getting the password from the validated data you're setting the password for each user as the literal string "password", so everyone's password is going to be "password" and that may be the issue unless it's intentional.

def update(self, instance, validated_data):
    if validated_data.get('password'):
        password = validated_data.get('password')
        instance.set_password('password')
        # So instead of the above you should do:
        instance.set_password(password)
        # Same with the create method
            
        instance.first_name = validated_data.get('first_name', instance.first_name)
        instance.last_name = validated_data.get('last_name', instance.last_name)
        instance.email = validated_data.get('email', instance.email)
    
        instance.save()
        return instance