Reputation: 8744
I am using Bcrypt_SHA256 for new users, but there are some user accounts in an older system that I have to import that are using PBKDF_SHA256. According to the docs the passwords should get upgraded on login.
I have a custom authentication function, and when I call it on a legacy account the password does not get upgraded?
```python
from django.contrib.auth import hashers


@classmethod
def authenticate(cls, app, email, password):
    app_user = cls.find_by_email(app, email)
    # User not found
    if not app_user:
        return
    # User found but password incorrect
    if not hashers.check_password(password, app_user.password):
        app_user.failed_logins_count += 1
        app_user.save()
        return
    # Failed login count should be reset to 0 on successful login
    app_user.failed_logins_count = 0
    app_user.save()
    return app_user
```
Here are my settings:
```python
PASSWORD_HASHERS = (
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)
```
A user gets returned correctly, but the password doesn't change. Do I need to manually upgrade the password due to my custom function, as the docs aren't clear there, or is something else wrong?
Upvotes: 1
Views: 127
Reputation: 72329
That's because you're calling `hashers.check_password` with no `setter` argument.

Why not call `app_user.check_password` directly on your `User` instance? It will plug the `setter` in for you.
Upvotes: 2
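To make the answer concrete, here is an added, self-contained model of the mechanism (not Django's code and not the question's): the first hasher in the list is the preferred one, `check_password(password, encoded, setter=None)` only re-hashes when it is handed a setter, and a hypothetical `AppUser.check_password` supplies that setter the way the model method does. Two PBKDF2 variants stand in for the page's bcrypt/PBKDF2 pair so it runs with only the standard library.

```python
import base64
import hashlib
import hmac
import secrets

# Simplified model of Django's upgrade-on-login mechanism (not Django's code):
# the first HASHERS entry is the preferred algorithm, and check_password only
# re-hashes a legacy password when it is handed a setter callback.
HASHERS = {"pbkdf2_sha256": ("sha256", 50000),  # preferred (first entry)
           "pbkdf2_sha1": ("sha1", 1000)}       # legacy imported accounts
PREFERRED = next(iter(HASHERS))

def encode(password, algorithm, iterations, salt):
    """Django-style '<algorithm>$<iterations>$<salt>$<base64 digest>' string."""
    dk = hashlib.pbkdf2_hmac(HASHERS[algorithm][0], password.encode(), salt.encode(), iterations)
    return "$".join([algorithm, str(iterations), salt, base64.b64encode(dk).decode()])

def make_password(password, algorithm=PREFERRED):
    return encode(password, algorithm, HASHERS[algorithm][1], secrets.token_hex(8))

def check_password(password, encoded, setter=None):
    """Mirror of hashers.check_password(password, encoded, setter=None)."""
    algorithm, iterations, salt, _ = encoded.split("$", 3)
    if not hmac.compare_digest(encode(password, algorithm, int(iterations), salt), encoded):
        return False
    must_update = algorithm != PREFERRED or int(iterations) != HASHERS[algorithm][1]
    if setter is not None and must_update:
        setter(password)  # no setter -> verified, but the stored hash stays legacy
    return True

class AppUser:
    """Stand-in for the question's user model (hypothetical)."""
    def __init__(self, password_hash):
        self.password = password_hash
    def set_password(self, raw_password):
        self.password = make_password(raw_password)
    def check_password(self, raw_password):
        # Like Django's AbstractBaseUser.check_password: plug in a setter that
        # re-hashes with the preferred hasher (Django also saves the field).
        return check_password(raw_password, self.password, self.set_password)

def login_outcomes():
    """Return (unchanged_without_setter, upgraded_with_setter) for a legacy account."""
    user = AppUser(make_password("correct horse", "pbkdf2_sha1"))
    before = user.password
    ok_bare = check_password("correct horse", user.password)  # the question's call
    unchanged = ok_bare and user.password == before
    ok_model = user.check_password("correct horse")           # the answer's call
    upgraded = ok_model and user.password.startswith(PREFERRED + "$")
    return unchanged, upgraded
```

`login_outcomes()` returns `(True, True)`: the bare call verifies the legacy hash but leaves it in place, while the model-style call rewrites it with the preferred hasher.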