Django authentication failing with a 403 with no detailed message

Question

I have something pretty simple which I've thrown together. I have a little form like this:

<form id="loginForm" action>
    <input name="email_address" type="text" placeholder="Email">
    <input name="password" type="password">
    <a id="loginButton">Login</a>
</form>

My JavaScript does the following:

$("#loginButton").click(function(){
    $.post("/login/",$("#loginForm").serialize(), function(data) {
        console.log("login.");
    });
});

I've written a custom Django authentication backend:

from my.custom.project.models import User

class MyBackend:

    def authenticate(self, email_address=None, password=None):
        print "Trying to auth"
        try:
            return User.objects.get(email_address=email_address, password=password)
        except User.DoesNotExist:
            return None

    def get_user(self, user_id):
        try:
            return User.objects.get(pk=user_id)
        except User.DoesNotExist:
            return None

I have this configured in my settings.py like so:

AUTHENTICATION_BACKENDS = (
    "my.custom.project.auth.MyBackend",
)

In my actual view for the /login/ path, here's what I have:

from django.contrib import auth

def login(request):
    print "Trying to auth..."
    email_address = request.POST['email_address']
    password = request.POST['password']

    user = auth.authenticate(email_address=email_address, password=password)

    if user != None:
        auth.login(request, user)

    direct_to_template(request, "my/login/template.json")

Here's my URL map:

from django.conf.urls.defaults import * 
from django.contrib import admin
from django.contrib.staticfiles.urls import staticfiles_urlpatterns

admin.autodiscover()

urlpatterns = staticfiles_urlpatterns

urlpatterns += patterns('',
    (r'^admin/', include(admin.site.urls)),
    (r'^admin/doc', include('django.contrib.admindocs.urls')),
)

urlpatterns += patterns('my.project.views',
    (r'^$', 'root'),
    (r'^login/?$', 'login'),
    (r'^logout/?$', 'logout'),
)

Can anyone see what I'm doing wrong here? All I get in the Django server output is:

[16/Sep/2011 20:17:47] "POST /login/ HTTP/1.1" 403 2326

Am I taking crazy pills? What did I overlook?

Answer 1

It was all because of Django's built-in CSRF system: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/

Answer 2

Also, the line:

return User.objects.get(email_address=email_address, password=password)

implies that the User record stores the password as-is, in plaintext. Whereas, in fact, it stores a salted hash of the password, so you might need to implement all that functionality yourself.

Answer 3

Well, one thing you do is

from django.contrib.auth import authenticate,login,logout

and then redefine login

def login(request):

and then call the other one again, which is not reachable anymore (overwritten by your own login function).

login(request, user)

Not sure though if that’s causing the error though.