[Django] #36699: Clarify behavior and documentation for login (404) and logout (405) routes

[Django]

#36699: Clarify behavior and documentation for login (404) and logout (405) routes
-------------------------------------+-------------------------------------
Reporter: yydsjkl | Type: Bug
Status: new | Component:
| Uncategorized
Version: 5.2 | Severity: Normal
Keywords: login, logout, | Triage Stage:
authentication, confusion | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
During university software testing using Django, we encountered two issues
that might confuse new users:

1. Accessing `/login/` returns a 404 because Django doesn’t create a
default login route.
2. Accessing `/logout/` returns a 405 (Method Not Allowed) because
`LogoutView` only allows POST.

While these are not actual bugs, they can be confusing for beginners. The
documentation could be improved to explain:
- Why these responses occur.
- How to properly configure `LoginView` and `LogoutView` manually.

Suggested improvement:
Add a clarification in the Django authentication documentation
(https://docs.djangoproject.com/en/stable/topics/auth/default/)
showing that:
- `/login/` is not created automatically.
- `/logout/` requires POST by design for CSRF protection.
- Example code:
```python
from django.contrib.auth import views as auth_views
urlpatterns = [
path('login/',
auth_views.LoginView.as_view(template_name='login.html')),
path('logout/', auth_views.LogoutView.as_view(next_page='/')),
]
--
Ticket URL: <https://code.djangoproject.com/ticket/36699>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#36699: Clarify behavior and documentation for login (404) and logout (405) routes
-------------------------------------+-------------------------------------

Reporter: yydsjkl | Owner: (none)

Type: Bug | Status: new
Component: Uncategorized | Version: 5.2

Severity: Normal | Resolution:

Keywords: login, logout, | Triage Stage:
authentication, confusion | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by yydsjkl):

### Proposed Fix
Below is a proposed fix for the login page (404) issue discussed in this
ticket.
This fix demonstrates how a Django project can manually define a login
route, view, and template.
It also helps clarify to new users why the default `/login/` route does
not exist.

```python
# mysite/urls.py
from django.urls import path
from . import views

urlpatterns = [
path('admin/', admin.site.urls),
path('login/', views.login_view, name='login'), # Added login route
]
# myapp/views.py
from django.shortcuts import render

def login_view(request):
return render(request, 'login.html')
<!-- templates/login.html -->
<h1>Login Page</h1>
<form method="post">
{% csrf_token %}
<input type="text" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<button type="submit">Login</button>
</form>
--
Ticket URL: <https://code.djangoproject.com/ticket/36699#comment:1>

[Django]

#36699: Clarify behavior and documentation for login (404) and logout (405) routes
-------------------------------------+-------------------------------------
Reporter: yydsjkl | Owner: (none)
Type: Bug | Status: new
Component: Uncategorized | Version: 5.2
Severity: Normal | Resolution:
Keywords: login, logout, | Triage Stage:
authentication, confusion | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Description changed by Natalia Bidart:

Old description:

> During university software testing using Django, we encountered two
> issues that might confuse new users:
>
> 1. Accessing `/login/` returns a 404 because Django doesn’t create a
> default login route.
> 2. Accessing `/logout/` returns a 405 (Method Not Allowed) because
> `LogoutView` only allows POST.
>
> While these are not actual bugs, they can be confusing for beginners. The
> documentation could be improved to explain:
> - Why these responses occur.
> - How to properly configure `LoginView` and `LogoutView` manually.
>
> Suggested improvement:
> Add a clarification in the Django authentication documentation
> (https://docs.djangoproject.com/en/stable/topics/auth/default/)
> showing that:
> - `/login/` is not created automatically.
> - `/logout/` requires POST by design for CSRF protection.
> - Example code:
> ```python
> from django.contrib.auth import views as auth_views
> urlpatterns = [
> path('login/',
> auth_views.LoginView.as_view(template_name='login.html')),
> path('logout/', auth_views.LogoutView.as_view(next_page='/')),
> ]

New description:

During university software testing using Django, we encountered two issues
that might confuse new users:

1. Accessing `/login/` returns a 404 because Django doesn’t create a
default login route.
2. Accessing `/logout/` returns a 405 (Method Not Allowed) because
`LogoutView` only allows POST.

While these are not actual bugs, they can be confusing for beginners. The
documentation could be improved to explain:
- Why these responses occur.
- How to properly configure `LoginView` and `LogoutView` manually.

Suggested improvement:
Add a clarification in the Django authentication documentation
(https://docs.djangoproject.com/en/stable/topics/auth/default/)
showing that:
- `/login/` is not created automatically.
- `/logout/` requires POST by design for CSRF protection.
- Example code:

{{{#!python

from django.contrib.auth import views as auth_views
urlpatterns = [
path('login/',
auth_views.LoginView.as_view(template_name='login.html')),
path('logout/', auth_views.LogoutView.as_view(next_page='/')),
]
}}}

--

--
Ticket URL: <https://code.djangoproject.com/ticket/36699#comment:2>

[Django]

#36699: Clarify behavior and documentation for login (404) and logout (405) routes
-------------------------------------+-------------------------------------
Reporter: yydsjkl | Owner: (none)

Type: Bug | Status: closed
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution: duplicate

Keywords: login, logout, | Triage Stage:
authentication, confusion | Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Natalia Bidart):

* component: Uncategorized => contrib.auth
* resolution: => duplicate
* status: new => closed

Comment:

Hello yydsjkl, thank you for your interest in making Django better. This
topic has been discussed in the forum, currently with pending community
agreement: you can read more and participate in
https://forum.djangoproject.com/t/update-startproject-with-default-login-
signup-logout-options/35175. There is also this somewhat relevant DEP
proposal: https://github.com/django/deps/pull/98.

It's also important to note that some of the bits that you propose are
already available in the docs, like describing how to define a login view.
The following is shown in the docs you linked:

{{{#!python
from django.contrib.auth import views as auth_views

path("accounts/login/", auth_views.LoginView.as_view()),
}}}

And also:

> It's your responsibility to provide the html for the login template ,
called registration/login.html by default.

This ticket could also be considered a duplicate of #13061. I'll be
closing this ticket as `duplicate` but please continue the conversation in
the forum if you are interested in this subject.
--
Ticket URL: <https://code.djangoproject.com/ticket/36699#comment:3>