sunscrapers · hisie · Apr 5, 2024 · Jun 7, 2024 · haxoza · Apr 17, 2024
diff --git a/djoser/backends.py b/djoser/backends.py
@@ -0,0 +1,21 @@
+from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Permission
+from django.contrib.auth.backends import ModelBackend
+from django.db.models import Exists, OuterRef, Q
+from djoser.conf import settings
+
+User = get_user_model()
+
+
+class LoginFieldBackend(ModelBackend):
+
+    def authenticate(self, request, username=None, password=None, **kwargs):
+        if username is None:
+            username = kwargs.get(settings.LOGIN_FIELD)
+        if username is None or password is None:
+            return
+        user = User.objects.filter(**kwargs).first()
+        if user and not user.check_password(password):
+            return
+        if user and user.is_active:
+            return user
diff --git a/djoser/serializers.py b/djoser/serializers.py
@@ -122,10 +122,6 @@ def validate(self, attrs):
         self.user = authenticate(
             request=self.context.get("request"), **params, password=password
         )
-        if not self.user:
-            self.user = User.objects.filter(**params).first()
-            if self.user and not self.user.check_password(password):
-                self.fail("invalid_credentials")
         if self.user and self.user.is_active:
             return attrs
         self.fail("invalid_credentials")

diff --git a/docs/source/settings.rst b/docs/source/settings.rst
@@ -34,6 +34,8 @@ custom User model.
 
 **Default**: ``User.USERNAME_FIELD`` where ``User`` is the model set with Django's setting AUTH_USER_MODEL.
 
+To use this feature you should add "djoser.backends.LoginFieldBackend" to your AUTHENTICATION_BACKENDS at the last position.
+
 .. warning::
 
     Djoser uses `djangorestframework-simplejwt`_ to provide a convenient integration for JWT.

diff --git a/testproject/testapp/tests/test_token_create.py b/testproject/testapp/tests/test_token_create.py
@@ -83,6 +83,13 @@ def test_post_should_not_login_if_empty_request(self):
         )
 
     @override_settings(DJOSER=dict(django_settings.DJOSER, **{"LOGIN_FIELD": "email"}))
+    @override_settings(AUTHENTICATION_BACKENDS=[
+        "django.contrib.auth.backends.ModelBackend",
+        "djoser.social.backends.facebook.FacebookOAuth2Override",
+        "social_core.backends.google.GoogleOAuth2",
+        "social_core.backends.steam.SteamOpenId",
+        "djoser.backends.LoginFieldBackend",
+    ])
     def test_login_using_email(self):
         user = create_user()
         previous_last_login = user.last_login
@@ -96,3 +103,19 @@ def test_login_using_email(self):
         self.assertEqual(response.data["auth_token"], user.auth_token.key)
         self.assertNotEqual(user.last_login, previous_last_login)
         self.assertTrue(self.signal_sent)
+
+    @override_settings(DJOSER=dict(django_settings.DJOSER, **{"LOGIN_FIELD": "email"}))
+    def test_login_using_email_without_login_backend(self):
+        user = create_user()
+        previous_last_login = user.last_login
+        data = {"username": user.email, "password": user.raw_password}
+        user_logged_in.connect(self.signal_receiver)
+
+        response = self.client.post(self.base_url, data)
+        user.refresh_from_db()
+
+        self.assert_status_equal(response, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(
+            response.data["non_field_errors"],
+            [settings.CONSTANTS.messages.INVALID_CREDENTIALS_ERROR],
+        )