[Django] #36200: Mention that RemoteUserMiddleware should be replaced when using custom header middleware with RemoteUserBackend

[Django]

#36200: Mention that RemoteUserMiddleware should be replaced when using custom
header middleware with RemoteUserBackend
-------------------------------------+-------------------------------------
Reporter: Joonas | Owner: Joonas Häkkinen
Häkkinen |
Type: | Status: assigned
Uncategorized |
Component: | Version: 5.1
Documentation | Keywords: REMOTE_USER,
Severity: Normal | authentication, middleware
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
REMOTE_USER authentication docs at
[https://docs.djangoproject.com/en/5.1/howto//auth-remote-user/] cover
using a custom middleware to read the username from HTTP headers. However,
it does not specify that the custom middleware should replace
`RemoteUserMiddleware` rather than be appended to `MIDDLEWARE`.

This is essentially a small omission and might be clear to experienced
Django users. However, at least for me, an experienced web developer but
totally new to Django, this was surprising and the resulting CSRF
validation failure made me suspect something completely different for two
full days. Thus I though that a small mention about ''replacing'' instead
of appending `RemoteUserMiddleware` with the custom one would be a
reasonable addition to the docs.

I will be opening a PR for this shortly unless you think this is not worth
including in the docs.
--
Ticket URL: <https://code.djangoproject.com/ticket/36200>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

[Django]

#36200: Mention that RemoteUserMiddleware should be replaced when using custom
header middleware with RemoteUserBackend
-------------------------------------+-------------------------------------

Reporter: joonashak | Owner: joonashak
Type: Uncategorized | Status: assigned
Component: Documentation | Version: 5.1
Severity: Normal | Resolution:
Keywords: REMOTE_USER, | Triage Stage:
authentication, middleware | Unreviewed
Has patch: 0 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by joonashak):

Forgot to link the relevant discussion: https://forum.djangoproject.com/t
/csrf-fails-when-remoteusermiddleware-is-used-behind-reverse-proxy-
without-tls/38929/1
--
Ticket URL: <https://code.djangoproject.com/ticket/36200#comment:1>

[Django]

#36200: Mention that RemoteUserMiddleware should be replaced when using custom
header middleware with RemoteUserBackend
-------------------------------------+-------------------------------------

Reporter: Joonas Häkkinen | Owner: Joonas
Type: | Häkkinen
Cleanup/optimization | Status: assigned

Component: Documentation | Version: 5.1
Severity: Normal | Resolution:

Keywords: REMOTE_USER, | Triage Stage: Accepted
authentication, middleware |

Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Sarah Boyce):

* stage: Unreviewed => Accepted
* type: Uncategorized => Cleanup/optimization

Comment:

Thank you for the ticket Joonas.
I am happy to review a PR with a small addition here, given this is a how-
to doc and there aren't many examples of middleware being overridden in
the docs
--
Ticket URL: <https://code.djangoproject.com/ticket/36200#comment:2>

[Django]

#36200: Mention that RemoteUserMiddleware should be replaced when using custom
header middleware with RemoteUserBackend
-------------------------------------+-------------------------------------
Reporter: Joonas Häkkinen | Owner: Joonas
Type: | Häkkinen
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 5.1
Severity: Normal | Resolution:
Keywords: REMOTE_USER, | Triage Stage: Accepted
authentication, middleware |

Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Joonas Häkkinen):

* has_patch: 0 => 1

Comment:

[https://github.com/django/django/pull/19194 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/36200#comment:3>

[Django]

#36200: Mention that RemoteUserMiddleware should be replaced when using custom
header middleware with RemoteUserBackend
-------------------------------------+-------------------------------------
Reporter: Joonas Häkkinen | Owner: Joonas
Type: | Häkkinen
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 5.1
Severity: Normal | Resolution:
Keywords: REMOTE_USER, | Triage Stage: Accepted
authentication, middleware |
Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 1

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Sarah Boyce):

* needs_better_patch: 0 => 1

--
Ticket URL: <https://code.djangoproject.com/ticket/36200#comment:4>

[Django]

#36200: Mention that RemoteUserMiddleware should be replaced when using custom
header middleware with RemoteUserBackend
-------------------------------------+-------------------------------------
Reporter: Joonas Häkkinen | Owner: Joonas
Type: | Häkkinen
Cleanup/optimization | Status: assigned
Component: Documentation | Version: 5.1
Severity: Normal | Resolution:

Keywords: REMOTE_USER, | Triage Stage: Ready for
authentication, middleware | checkin

Has patch: 1 | Needs documentation: 0

Needs tests: 0 | Patch needs improvement: 0

Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* needs_better_patch: 1 => 0
* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/36200#comment:5>

[Django]

#36200: Mention that RemoteUserMiddleware should be replaced when using custom
header middleware with RemoteUserBackend
-------------------------------------+-------------------------------------
Reporter: Joonas Häkkinen | Owner: Joonas
Type: | Häkkinen

Cleanup/optimization | Status: closed
Component: Documentation | Version: 5.1
Severity: Normal | Resolution: fixed

Keywords: REMOTE_USER, | Triage Stage: Ready for
authentication, middleware | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Changes (by Sarah Boyce <42296566+sarahboyce@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"87c5de3b7f2316aa17353d74f54e6ff19013d049" 87c5de3b]:
{{{#!CommitTicketReference repository=""
revision="87c5de3b7f2316aa17353d74f54e6ff19013d049"
Fixed #36200 -- Clarified MIDDLEWARE setting updates when using a custom
RemoteUserMiddleware.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36200#comment:6>

[Django]

#36200: Mention that RemoteUserMiddleware should be replaced when using custom
header middleware with RemoteUserBackend
-------------------------------------+-------------------------------------
Reporter: Joonas Häkkinen | Owner: Joonas
Type: | Häkkinen
Cleanup/optimization | Status: closed
Component: Documentation | Version: 5.1
Severity: Normal | Resolution: fixed
Keywords: REMOTE_USER, | Triage Stage: Ready for
authentication, middleware | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Sarah Boyce <42296566+sarahboyce@…>):

In [changeset:"aadc5c569bdf73d9e358c4371f7da18a0410234c" aadc5c5]:
{{{#!CommitTicketReference repository=""
revision="aadc5c569bdf73d9e358c4371f7da18a0410234c"
[5.2.x] Fixed #36200 -- Clarified MIDDLEWARE setting updates when using a
custom RemoteUserMiddleware.

Backport of 87c5de3b7f2316aa17353d74f54e6ff19013d049 from main.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/36200#comment:7>

[Django]

#36200: Mention that RemoteUserMiddleware should be replaced when using custom
header middleware with RemoteUserBackend
-------------------------------------+-------------------------------------
Reporter: Joonas Häkkinen | Owner: Joonas
Type: | Häkkinen
Cleanup/optimization | Status: closed
Component: Documentation | Version: 5.1
Severity: Normal | Resolution: fixed
Keywords: REMOTE_USER, | Triage Stage: Ready for
authentication, middleware | checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Sarah Boyce <42296566+sarahboyce@…>):

In [changeset:"914cde19c230314864c018fecb2ce09e38a34903" 914cde19]:
{{{#!CommitTicketReference repository=""
revision="914cde19c230314864c018fecb2ce09e38a34903"
[5.1.x] Fixed #36200 -- Clarified MIDDLEWARE setting updates when using a

custom RemoteUserMiddleware.

Backport of 87c5de3b7f2316aa17353d74f54e6ff19013d049 from main.
}}}
--

Ticket URL: <https://code.djangoproject.com/ticket/36200#comment:8>