
Enhance error message for not activated user


Hi. Thanks for the djoser. I like it as it makes life easier unlike other packages.

There is one thing I have come across. I’d suggest changing the feedback message for a non-active user who tries to obtain a JWT, because now it returns the following:

{
    "non_field_errors": [
        "Unable to log in with provided credentials."
    ]
}

How can I detect whether a user tried wrong credentials or has just not activated his account yet?

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

4 reactions
Kouff commented, Sep 14, 2020

app/serializers.py :

from django.contrib.auth import authenticate, get_user_model
from djoser.conf import settings
from djoser.serializers import TokenCreateSerializer
from rest_framework.exceptions import ValidationError

User = get_user_model()  # the project's configured user model

class CustomTokenCreateSerializer(TokenCreateSerializer):
    def validate(self, attrs):
        password = attrs.get("password")
        params = {settings.LOGIN_FIELD: attrs.get(settings.LOGIN_FIELD)}
        self.user = authenticate(**params, password=password)
        if not self.user:
            # authenticate() returned nothing: look the account up directly
            # and reject it if the password does not match
            self.user = User.objects.filter(**params).first()
            if self.user and not self.user.check_password(password):
                self.fail("invalid_credentials")
        if self.user and not self.user.is_active:
            raise ValidationError("user is not active") # message that the user is not active
        elif self.user and self.user.is_active:
            return attrs
        self.fail("invalid_credentials")

settings.py :

DJOSER = {
    ... ,
    'SERIALIZERS': {
        ... ,
        'token_create': 'app.serializers.CustomTokenCreateSerializer', # path to serializer
    },
}
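
An added, framework-free sketch of the decision the serializer above makes (not djoser's or the commenter's code): the inactive-account answer is returned only after the password verifies, and every path performs exactly one password hash, so neither the wording nor the amount of work depends on whether the login exists. `Account`, `ACCOUNTS`, `DUMMY`, `login_error`, `hashes_used` and the `inactive_account` code are hypothetical names, and the accounts are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # constructed work factor for the sketch
hash_calls = 0        # counts password hashes, to show each path costs the same

def hash_password(password: str, salt: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

@dataclass
class Account:  # hypothetical stand-in for the Django user model
    salt: bytes
    password_hash: bytes
    is_active: bool

def make_account(password: str, is_active: bool) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt), is_active)

# Constructed sample data: one activated and one not-yet-activated account.
ACCOUNTS = {
    "alice": make_account("correct horse", True),
    "bob": make_account("battery staple", False),
}
DUMMY = make_account("unused", False)  # hashed against when the login is unknown

def login_error(login: str, password: str):
    """Return None on success, otherwise the error code for the response."""
    account = ACCOUNTS.get(login)
    target = account or DUMMY
    # One hash on every path, compared in constant time.
    candidate = hash_password(password, target.salt)
    password_ok = hmac.compare_digest(candidate, target.password_hash)
    if account is None or not password_ok:
        return "invalid_credentials"  # same answer for unknown login and bad password
    if not account.is_active:
        return "inactive_account"  # hypothetical code; needs the right password
    return None

def hashes_used(login: str, password: str) -> int:
    """Number of password hashes one login attempt performs."""
    before = hash_calls
    login_error(login, password)
    return hash_calls - before
```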

2 reactions
haxoza commented, Oct 17, 2017

Hi @igsm! Thanks for your feedback!

I understand that receiving a token just after activation (or just after registration in some cases) is very handy for API clients (frontend web apps or mobile apps). However there are two reasons we do not do that:

  1. As you noticed, we need to support a few API auth methods, so it is very difficult to do it in a very generic way. Especially there are DRF auth backends that are not based on any type of token, like basic auth or session. Also JWT differs from DRF auth_token method.

  2. We believe that one endpoint should do one thing correctly and in a secure way. That’s why we love to think about endpoints as they are orthogonal actions.

Now, knowing the above, if you really need to authenticate users in your flow after activation, then we suggest overriding ActivationView and generating a JWT token for the response on successful activation in a manual way.

@piotr-szpetkowski On the other hand I believe we can do the above customization easier in the future by utilizing custom serializers. ActivationView does not care about self.serializer.data but if it would care about that then the customization would be straightforward.
