o &zh`@srddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl m Z mZeaGd d d eZd S) )local)get_user_model) ModelBackend) get_adapter) LoginMethod) app_settings)filter_users_by_emailfilter_users_by_usernamec@szeZdZddZddZdedefddZd edefd d Zd edefd dZddZ ddZ e ddZ e ddZ dS)AuthenticationBackendcKs>|d}|s dSd|_|j|fi|}|js|||S)NpasswordF)get_did_check_password _authenticate_mitigate_timing_attack)selfrequest credentialsr userrX/var/www/html/kangema/venv/lib/python3.10/site-packages/allauth/account/auth_backends.py authenticates  z"AuthenticationBackend.authenticatecKs|d}|d}|r&tjtjvr|||}|r|S|||}|r&|S|d}|r7|||}|r7|S|d}|rH|||}|rH|SdS)Nr usernameemailphone)r rEMAILr LOGIN_METHODS_authenticate_by_email_authenticate_by_username_authenticate_by_phone)rrrr rrrrrrrrs*         z#AuthenticationBackend._authenticaterr cCs0|rtjtjvr dSt}||}|||SN)rPHONErrrget_user_by_phone_check_password)rrr adapterrrrrr9s   z,AuthenticationBackend._authenticate_by_phonercCs2tjtjvs tjr |s dSt|}|||Sr )rUSERNAMErrUSER_MODEL_USERNAME_FIELDr firstr#)rrr rrrrr@s   z/AuthenticationBackend._authenticate_by_usernamercCsB|rtjtjvr dSt|dd}|D] }|||r|SqdS)NT)prefer_verified)rrrrr r#)rrr usersrrrrrJs  z,AuthenticationBackend._authenticate_by_emailcCst|dSr )r set_password)rr rrrrWsz-AuthenticationBackend._mitigate_timing_attackcCs@|sdSd|_||}|r||}|s|||r|SdS)NT)rcheck_passworduser_can_authenticate _stash_user)rrr okrrrr#Zs    z%AuthenticationBackend._check_passwordcCsttdd}|t_|S)aNow, be aware, the following is quite ugly, let me explain: Even if the user credentials match, the authentication can fail because Django's default ModelBackend calls user_can_authenticate(), which checks `is_active`. Now, earlier versions of allauth did not do this and simply returned the user as authenticated, even in case of `is_active=False`. For allauth scope, this does not pose a problem, as these users are properly redirected to an account inactive page. This does pose a problem when the allauth backend is used in a different context where allauth is not responsible for the login. Then, by not checking on `user_can_authenticate()` users will allow to become authenticated whereas according to Django logic this should not be allowed. In order to preserve the allauth behavior while respecting Django's logic, we stash a user for which the password check succeeded but `user_can_authenticate()` failed. In the allauth authentication logic, we can then unstash this user and proceed pointing the user to the account inactive page. rN)getattr_stashr)clsrretrrrr-es z!AuthenticationBackend._stash_usercCs |dSr )r-)r1rrrunstash_authenticated_users z0AuthenticationBackend.unstash_authenticated_userN)__name__ __module__ __qualname__rrstrrrrrr# classmethodr-r3rrrrr s      r N) threadingrdjango.contrib.authrdjango.contrib.auth.backendsrallauth.account.adapterrallauth.account.app_settingsrrutilsr r r0r rrrrs