Nick

Reputation: 13

Django - auth user with the email domain and no password

I have a request to alter a standard Django login of email and password to allow any user login without a password, but only if they are on a certain domain ... e.g. [email protected] ... where the user is allowed in due to them being on the correct domain.

Any suggestions?

Upvotes: 1

Views: 778

Answers (3)

Steve Jalim

Reputation: 12195

Assuming that 'being on the correct domain' means they have an email address for the relevant domain, you could write a custom authentication backend that

  • looks to check that there is a single user with that email address (and not more than one, which will also mean updating registration flows to ensure email addresses are guaranteed unique, plus possibly checking your DB for duplicates already, just in case)
  • gets that User and splits off the domain of their email address to check it against a list/whatever of allowed no-password-required domains
  • returns the User from your custom auth backend as if the normal password check had been satisfied, even though it was never checked with check_password(). The Django docs and various djangosnippets.org snippets show how to do this.

In addition:

  • you will have to use a new/overridden authentication Form class for the admin login view that doesn't require a password field (but still shows it for non-special logins), so that it doesn't complain if there is no password entered.

And finally:

  • get religion, if you don't already have it
  • pray to your G/god(s) that no one else learns that the site that will allow no-password authentication with an email address, and especially that they don't also get hold of the email address(es) in question, particularly if your site holds ANY personal data about third parties or has to be PCI-DSS compliant etc, etc.
  • strongly consider saying 'No' to your client/user/manager/whoever requested this, for the reason immediately above. Passwords are used for a reason.

Or, finally, finally:

  • skip all of the above and tell your client/user/manager about some of the various password storage tools out there - e.g. this and this

Upvotes: 5
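The backend skeleton that answer describes, as an added example (not code from the answer or from Django): a Django-shaped backend that takes an `email` keyword, enforces the single-user requirement by refusing when the lookup returns zero or several rows, and checks the address's domain against an allowlist. `SimpleUser`, `InMemoryBackend`, `ALLOWED_DOMAINS` and the `find_users`/`get_user` hooks are assumptions so that the logic runs without Django installed; in a real project the hooks would wrap the User model queries noted in the comments and the class would be listed in `AUTHENTICATION_BACKENDS`.

```python
from dataclasses import dataclass

ALLOWED_DOMAINS = frozenset({"example.com"})  # constructed allowlist for this example

@dataclass(frozen=True)
class SimpleUser:
    """Stand-in for django.contrib.auth's User so the logic runs without Django."""
    pk: int
    email: str
    is_active: bool = True

def email_domain(email):
    """Lowercased domain of an address, or None if it is not a single local@domain."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()

class EmailDomainBackend:
    """Django-shaped backend: authenticate() yields a user or None; get_user() reloads by pk."""
    allowed_domains = ALLOWED_DOMAINS

    def find_users(self, email):
        raise NotImplementedError  # in Django: User.objects.filter(email__iexact=email)

    def get_user(self, user_id):
        raise NotImplementedError  # in Django: User.objects.filter(pk=user_id).first()

    def authenticate(self, request, email=None, password=None):
        if not email or email_domain(email) not in self.allowed_domains:
            return None  # only the allowlisted domain skips the password check
        matches = list(self.find_users(email))
        if len(matches) != 1:
            return None  # unknown address, or duplicates: refuse rather than guess
        user = matches[0]
        return user if user.is_active else None

class InMemoryBackend(EmailDomainBackend):
    """Same logic over a constructed user table, so it runs with no database."""
    def __init__(self, users):
        self.users = users

    def find_users(self, email):
        return [u for u in self.users if u.email.lower() == email.strip().lower()]

    def get_user(self, user_id):
        return next((u for u in self.users if u.pk == user_id), None)
```

Any other backend listed alongside it (for example Django's ModelBackend) still performs the normal password check for addresses outside the allowlist.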

o.elias

Reputation: 473

Something like this:

from django.contrib.auth import login
from django.contrib.auth.models import User

if cleaned_data['email'].endswith('@example.com'):
    user = None
    try:
        # assumes email is unique; otherwise User.MultipleObjectsReturned is raised here
        user = User.objects.get(email=cleaned_data['email'])
    except User.DoesNotExist:
        pass
    if user:
        # logs the user in without any password check
        login(request, user)

Your concept allows everyone knowing or guessing one of the affected email addresses to log in without using a password!

Best regards!

Upvotes: 0

Manoj Govindan

Reputation: 74675

If your user has an OpenID with the email [email protected] then you can use an OpenID solution (say Django-openid; there are others too) to verify his identity and allow him access.

If that is unlikely, then you'll need to find a custom way of ensuring that the user is who he claims to be.

Upvotes: 1
