I've created a custom user model as described in the Django documentation https://docs.djangoproject.com/en/4.1/topics/auth/customizing/#using-a-custom-user-model-when-starting-a-project :

    from django.contrib.auth.models import AbstractUser

    class CustomUser(AbstractUser):
        pass

Changed the AUTH_USER_MODEL in settings.py:

    AUTH_USER_MODEL = 'users.CustomUser'

and created a serializer using Django REST framework:

    from rest_framework import serializers
    from users.models import CustomUser

    class CustomUserSerializer(serializers.ModelSerializer):
        def create(self, validated_data):
            user = super().create(validated_data)
            # user = CustomUser.objects.create_user(**validated_data)
            if validated_data.get('password'):
                password = validated_data.get('password')
                user.set_password('password')
                print("set password to ", password)
                user.save()
            return user

        def update(self, instance, validated_data):
            if validated_data.get('password'):
                password = validated_data.get('password')
                instance.set_password('password')
            instance.first_name = validated_data.get('first_name', instance.first_name)
            instance.last_name = validated_data.get('last_name', instance.last_name)
            instance.email = validated_data.get('email', instance.email)
            instance.save()
            return instance

        class Meta:
            model = CustomUser
            exclude = ['last_login', 'is_superuser', 'is_staff', 'is_active', 'date_joined', 'groups', 'user_permissions']

Creating a new user and updating it via REST works fine. But I cannot log in with that user and the given password. I've tried it via the API authentication given by the REST framework

    path('api-auth/', include('rest_framework.urls')),

and I also tried to log in to the admin backend after giving the user staff status there.
The password string displayed in the admin interface for that user seems to be fine:
algorithm: pbkdf2_sha256 iterations: 390000 salt: 2DrB5n**************** hash: eflTzs**************************************
It seems that calling set_password on the instance within the serializer methods works. However, no login is possible with that password. But when I update the user's password in the admin panel with the standard Django password update form, login works perfectly.
When I compare the password hashes created by set_password and by the Django password update form, they look similar (the salt and hash are not the same, of course).
What could cause the issue?
CodePudding user response:
Ok, so I see in your update and create functions that despite getting the password from the validated data you're setting the password for each user as the literal string "password", so everyone's password is going to be "password" and that may be the issue unless it's intentional.

    def update(self, instance, validated_data):
        if validated_data.get('password'):
            password = validated_data.get('password')
            # instance.set_password('password')  # hashes the literal string 'password'
            # So instead of the above you should do:
            instance.set_password(password)
            # Same with the create method
        instance.first_name = validated_data.get('first_name', instance.first_name)
        instance.last_name = validated_data.get('last_name', instance.last_name)
        instance.email = validated_data.get('email', instance.email)
        instance.save()
        return instance
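
Added example (not part of the question or the answer): a standard-library sketch of Django's pbkdf2_sha256 string layout, showing why the stored hash looked well-formed even though it belonged to the literal string 'password'. The function names and the sample password are assumptions made for this illustration; in a Django project, user.check_password(raw_password) performs the same verification.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 390000  # iteration count shown in the admin output on this page


def encode(password, salt=None, iterations=ITERATIONS):
    """Build a string in the pbkdf2_sha256$iterations$salt$hash layout."""
    salt = salt or secrets.token_urlsafe(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode())


def verify(password, encoded):
    """Re-derive the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt, _ = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported algorithm: " + algorithm)
    return hmac.compare_digest(encode(password, salt, int(iterations)), encoded)


def buggy_store(submitted):
    """Mirrors set_password('password'): the submitted value is ignored."""
    return encode("password")


def fixed_store(submitted):
    """Mirrors set_password(password): the submitted value is hashed."""
    return encode(submitted)


def diagnose(encoded, submitted):
    """Report which plaintext a stored hash actually belongs to."""
    if verify(submitted, encoded):
        return "ok"
    if verify("password", encoded):
        return "literal"  # hash of the hard-coded string, not of the user's input
    return "mismatch"


if __name__ == "__main__":
    sample = "S3cure-example!"  # constructed sample password
    print(diagnose(buggy_store(sample), sample))
    print(diagnose(fixed_store(sample), sample))
```

Both stored strings have the same shape, so inspecting the hash in the admin cannot reveal the bug; only verifying a known plaintext against it can.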