0

I am writing a custom authentication backend (and a custom user model) to check if a user account is locked or expired. I see that in all the examples of authentication backend return value is either a User object or None. And the only exception generated is User.DoesNotExist.

My question is how should I go about returning different results (e.g. account is locked or expired or max number of login attempts have reached)?

Should I raise custom exceptions or there is another way to do this?

I am using Django 1.5alpha.

EDIT: I need to get multiple statuses to display appropriate message to a user and redirect to an appropriate view.

maulik13
  • 3,656
  • 1
  • 25
  • 36

2 Answers2

1

As noted in the docs:

Either way, authenticate should check the credentials it gets, and it should return a User object that matches those credentials, if the credentials are valid. If they're not valid, it should return None.

An account that is locked, expired, or has reached its max number of login attempts would be considered "invalid", and so None should be returned for those conditions.

Basically, None should be returned whenever a login should be denied access (for whatever reason).

mipadi
  • 398,885
  • 90
  • 523
  • 479
  • Thanks. That was helpful to know. But I still require multiple statuses from Authenticate method to display appropriate message and a view. I edited my question with this info. – maulik13 Nov 07 '12 at 22:05
1

I ended up doing this in case anyone has the same question. 

class UserNotActivatedError(Exception):
    pass

class UserLockedError(Exception):
    def __init__(self, remaining_mins):
        self.remaining_mins = remaining_mins

# backend
def authenticate(self, email=None, password=None):
    if email is None or password is None:
        return None
    try:
        user = ExtUser.objects.get(email=email)
        user.last_login_attempt_at = timezone.now()
        if not use.is_active:
            raise UserNotActivatedError
        if user.is_locked:
            # Check when it was locked and found the duration
            sec_to_go = user.get_remaining_locktime()
            if sec_to_go:
                raise UserLockedError(sec_to_go)
        if user.check_password(password):
            user.last_login_at = timezone.now() 
            return user
        else:
            return None
    except User.DoesNotExist:
        return None

Then in the login form you can catch these errors and pass on appropriate validation errors to the view.

maulik13
  • 3,656
  • 1
  • 25
  • 36