Description
I'm building an API back-end with DRF. The user sign-up process is as follows:
- Front-end sends the user details to the /api/auth/user endpoint with a POST request to create a user resource (default User model used).
- An email is sent to the user with a JWT to verify the user's email ID.
- Once the user clicks the link, the back-end verifies the token and sets the is_active attribute to True.
The back-end completely works on JWT authentication. BasicAuthentication is used only for the JWT creation process. Hence, while making a request to /api/auth/jwt/create, HTTP basic authentication must be performed by sending the base64 encoded string of <username>:<password> as Authorization header.
The front-end, after making a request to create a user, also makes another request with the same credentials to retrieve the JWT associated with the user. This is used for authentication for successive requests.
Now, the problem is that the rest_framework.authentication.BasicAuthentication class returns {"detail": "Invalid username/password."} as response while is_active is False (because the user hasn't verified his email ID with the link sent to the email account).
Looking at the class declaration, it seems to be implemented fine and the expected behavior is that the class should return {"detail": "User is not active."} when the account is inactive.
I couldn't figure out how to fix this issue and hence this discussion.
Originally posted by @sakthisanthosh010303 in #9249
I faced the same issue and fixed it by using custom authentication, but I think it's a bug.
Also, I am using a custom user model with email instead of username. I think it is better to use USERNAME_FIELD in the exceptions.AuthenticationFailed message response instead of assuming that users authenticate with username and password.
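The following is an added, stand-alone example and not code from DRF or from either poster above. It models the flow the thread describes: an authenticate_credentials() that delegates to a ModelBackend-style authenticate() gets None back for an inactive account even when the password is right, so the later is_active branch is never reached and the client only ever sees the generic "Invalid username/password." message. The second function shows the custom-class fix the reply mentions, using USERNAME_FIELD in the message. Everything here is constructed for the example: the in-memory USERS table, the User class with a PBKDF2 password check, the AuthenticationFailed stand-in, and USERNAME_FIELD set to "email". None of it imports Django or DRF, so it runs offline.

```python
"""Stand-alone model (no Django/DRF imports) of why BasicAuthentication
reports "Invalid username/password." for an account whose is_active is
False, and how a custom authenticate_credentials() can tell the cases apart.
The User store, the backend and the exception class are constructed
stand-ins for django.contrib.auth's ModelBackend and DRF's
AuthenticationFailed, not the real classes."""
import base64
import binascii
import hashlib
import hmac
import secrets
from dataclasses import dataclass

USERNAME_FIELD = "email"  # assumed: a custom user model that logs in by email


class AuthenticationFailed(Exception):
    """Stand-in for rest_framework.exceptions.AuthenticationFailed."""


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    is_active: bool = True

    def check_password(self, raw: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", raw.encode(), self.salt, 50_000)
        return hmac.compare_digest(cand, self.pw_hash)


def make_user(email: str, password: str, is_active: bool = True) -> User:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return User(email, salt, digest, is_active)


# Constructed in-memory user table keyed by USERNAME_FIELD.
USERS = {
    "alice@example.com": make_user("alice@example.com", "correct horse"),
    "bob@example.com": make_user("bob@example.com", "battery staple", is_active=False),
}
_DUMMY = make_user("", "")  # burns the same hashing cost for unknown usernames


def model_backend_authenticate(**credentials):
    """Mirror of ModelBackend.authenticate(): a correct password on an inactive
    account still yields None, so the caller cannot tell it from a wrong password."""
    password = credentials.get("password", "")
    user = USERS.get(credentials.get(USERNAME_FIELD))
    if user is None:
        _DUMMY.check_password(password)  # keep response time uniform
        return None
    if not user.check_password(password):
        return None
    return user if user.is_active else None


def default_authenticate_credentials(userid: str, password: str) -> User:
    """Same ordering as the flow the thread describes: backend first, is_active
    after. With a ModelBackend-style backend the second check is unreachable."""
    user = model_backend_authenticate(**{USERNAME_FIELD: userid, "password": password})
    if user is None:
        raise AuthenticationFailed("Invalid username/password.")
    if not user.is_active:  # never reached: inactive users already became None
        raise AuthenticationFailed("User is not active.")
    return user


def custom_authenticate_credentials(userid: str, password: str) -> User:
    """Custom-class fix: verify the password here and report the inactive state
    only after the password is known to be correct, so the distinct message is
    not an account-enumeration oracle. Error text uses USERNAME_FIELD."""
    user = USERS.get(userid)
    if user is None:
        _DUMMY.check_password(password)  # same cost as a real check
        raise AuthenticationFailed(f"Invalid {USERNAME_FIELD}/password.")
    if not user.check_password(password):
        raise AuthenticationFailed(f"Invalid {USERNAME_FIELD}/password.")
    if not user.is_active:
        raise AuthenticationFailed("User is not active.")
    return user


def parse_basic_header(header: str):
    """Decode 'Basic <base64(userid:password)>' into (userid, password).
    Splits on the first ':' only, since passwords may contain colons."""
    parts = header.split()
    if len(parts) != 2 or parts[0].lower() != "basic":
        raise AuthenticationFailed("Invalid basic header.")
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise AuthenticationFailed("Invalid basic header. Credentials not correctly base64 encoded.")
    if ":" not in decoded:
        raise AuthenticationFailed("Invalid basic header. No credentials provided.")
    userid, password = decoded.split(":", 1)
    return userid, password


def basic_header(userid: str, password: str) -> str:
    """Build the Authorization header value the front-end would send."""
    return "Basic " + base64.b64encode(f"{userid}:{password}".encode()).decode()


def outcome(header: str, authenticate) -> str:
    """Run one request through the given authenticate_credentials(); return the
    'detail' message on failure or 'ok:<email>' on success."""
    try:
        user = authenticate(*parse_basic_header(header))
    except AuthenticationFailed as exc:
        return str(exc)
    return f"ok:{user.email}"


if __name__ == "__main__":
    hdr = basic_header("bob@example.com", "battery staple")  # correct password, inactive
    print("default:", outcome(hdr, default_authenticate_credentials))
    print("custom: ", outcome(hdr, custom_authenticate_credentials))
```

Two caveats worth keeping when porting this into a real DRF class: check the password before revealing the inactive state, otherwise "User is not active." confirms account existence to anyone who can guess an email; and keep the dummy hash on the unknown-user path so that a missing account and a wrong password cost the same time.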