user_login_failed and user_logged_in signals sent at different levels

336 views

Federico Bond

12 Jan 2017, 17:16:01
to Django developers (Contributions to Django itself)
While working on a project that calls the `authenticate` function from contrib.auth directly, I noticed that the user_login_failed signal is sent from it but not user_logged_in.

I looked into the code and indeed, the user_logged_in signal is only sent from the higher-level `login` function. I would expect to be able to connect to either both signals or none. Since backends may call authenticate directly without going through login, perhaps it would be best to move the user_login_failed to `login` and let custom backends implement both signals manually if they need them.

What do you think?

Florian Apolloner

12 Jan 2017, 17:46:18
to Django developers (Contributions to Django itself)


On Thursday, January 12, 2017 at 11:16:01 PM UTC+1, Federico Bond wrote:
Since backends may call authenticate directly without going through login, perhaps it would be best to move the user_login_failed to `login` and let custom backends implement both signals manually if they need them.

`login` unconditionally logs a user in, there is no room for failure (aside from the ValueError raised, but that is more a misusage, not a login failure) -- where would you send `user_login_failed` from login?

Federico Bond

12 Jan 2017, 18:30:11
to Django developers (Contributions to Django itself)
You are right. I was confusing the login view with the login method. The more concrete problem was that Django REST framework calls authenticate directly and user_login_failed is sent but never user_logged_in. I realize though that some of the authentication methods provided by an API don't have clear login semantics so it makes sense to only send failure events.

Patryk Zawadzki

13 Jan 2017, 10:02:16
to Django developers (Contributions to Django itself)
Are you sure you need to depend on users "logging in" through an API? Most authentication methods used in APIs are stateless and there is no explicit login and logout process. You either include the credentials (be it bearer token, auth header, custom data or whatever) or not. The credentials are checked using authenticate but there is no "logging in" happening: you don't create a session, set cookies etc.

Federico Bond

13 Jan 2017, 10:47:42
to Django developers (Contributions to Django itself)
The Django API is powering a single-page app, so while there are tokens instead of sessions, from the user point of view there is an explicit login process to grab a signed token. I wanted to hook to the corresponding signal to log these login events. It's probably better if I do it inside my login/authenticate endpoint code though.