Manually logging in a user without password

Agos picture Agos · May 7, 2010 · Viewed 33k times · Source

I hope you can help me figure the best way to implement a manual (server-side initiated) login without using the password. Let me explain the workflow:

  • User registers
  • Thank you! An email with an activation link has been sent blablabla
  • (Account now exists but is marked not enabled)
  • User opens email, clicks link
  • (Account is enabled)
  • Thank you! You can now use the site

What I'm trying to do is log in the user after he has clicked the email link so he can start using the website right away.

I can't use his password since it's encrypted in the DB, is the only option writing a custom authentication backend?

Answer

Daniel Roseman picture Daniel Roseman · May 7, 2010

You don't need a password to log a user in. The auth.login function just takes a User object, which you are presumably already getting from the database when you enable the account. So you can pass that straight to login.

Of course, you'll need to be very careful that there's no way a user can spoof a link to an existing already-enabled account, which would then automatically log them in as that user.

from django.contrib.auth import login

def activate_account(request, hash):
    account = get_account_from_hash(hash)
    if not account.is_active:
        account.activate()
        account.save()
        user = account.user
        login(request, user)

... etc.

Edited:

Hmm, didn't notice that requirement to use authenticate because of the extra property it adds. Looking at the code, all it does is a backend attribute equivalent to the module path of the authenticating backend. So you could just fake it - before the login call above, do this:

user.backend = 'django.contrib.auth.backends.ModelBackend'