Any Possibility to put condition on Password Required in Django Custom Auth?

Question

I want the registered user to log in with the Email or PhoneNumber and the Password first. If the user forgot the Password then there should be the possibility to log in with OTP bypassing the Password which would be provided via SMS on the User Phone Number. So Is there any possibility to achieve that?

Here are official docs where the password field is always required. https://docs.djangoproject.com/en/4.0/topics/auth/customizing/#a-full-example I know we can change the username to the email or for a phone number if we want but how do we put the condition to login with Password/Random OTP. So how we can achieve that? a suggestion would be appreciated. Thanks

score 1 · Answer 1 · answered Jan 27 '22 at 17:11

Yes we can do that using forced login here is an example how i have did this please have a look i have a profile which is one to one relation with user

def login_otp(request):
    mobile = request.session['mobile']
    context = {'mobile':mobile}
    if request.method == 'POST':
        otp = request.POST.get('otp')
        profile = Profile.objects.filter(mobile=mobile).first()
        
        if otp == profile.otp:
            user = User.objects.get(id = profile.user.id)
            login(request , user)
            return redirect('cart')
        else:
            context = {'message' : 'Wrong OTP' , 'class' : 'danger','mobile':mobile }
            return render(request,'login_otp.html' , context)
    
    return render(request,'login_otp.html' , context)

This method is to just send OTP I believe. @sarangkkl, not to login with PIN — Faisal Nazik, Feb 01 '22 at 07:23

score 1 · Accepted Answer · answered Jan 27 '22 at 19:17

You can make your own CustomLoginBackend as

from django.contrib.auth import get_user_model

class CustomLoginBackend(object):

    def authenticate(self, request, email, password, otp):
        User = get_user_model()
        try:
            user = User.objects.using(db_name).get(email=email)
        except User.DoesNotExist:
            return None
        else:
            if password is not None:
                if getattr(user, 'is_active', False) and  user.check_password(password):
                    return user
            else:
                if getattr(user, 'is_active', False) and  user.otp == otp: #<-- otp included in user table
                   return user
        return None

Then in your login views.

from django.contrib.auth import authenticate, login
from django.contrib import messages

def login_view(request):
    if request.method == 'POST':
        email = request.POST.get('email', None)
        password = request.POST.get('password', None)
        otp = request.POST.get('otp', None)

        user = authenticate(request, email=email, password=password, otp=otp)
        
        if user is not None:
            login(request, user)
            # redirect to a success page
            return redirect('dashboard')
        else:
            if password is not None:
                # return either email or password incorrect
                messages.error(request, "Invalid Email or Password")
                return redirect('login')
            else:
                # return invalid otp
                messages.error(request, "Invalid OTP")
                return redirect('login')

        return render(request, 'login.html')

And at last don't forgot to add AUTHENTICATION_BACKENDS in your settings.py as

AUTHENTICATION_BACKENDS = ['path_to_your.CustomLoginBackend ',]

Any Possibility to put condition on Password Required in Django Custom Auth?

2 Answers2

Linked