Provide django.contrib.auth.authenticate() with a request for compatibiity with more backends. (#949)

ShaheedHaque · n2ygk · web-flow · commit 9d2aac2480b2 · 2021-03-22T11:06:30.000-04:00
* Provide django.contrib.auth.authenticate() with a request for compatibiity with more backends. Resolves #712. Resolves #636. Resolves #808. Co-authored-by: Alan Crosswell <alan@crosswell.us>
diff --git a/AUTHORS b/AUTHORS
@@ -50,3 +50,4 @@ Rustem Saiargaliev
 Jadiel Teófilo
 pySilver
 Łukasz Skarżyński
+Shaheed Haque
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,13 +14,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Security
   -->
 
-## [1.5.0] 2021-03-18
+## [unreleased]
 
 ### Added
-* #915 Add optional OpenID Connect support.
+* #712, #636, #808. Calls to `django.contrib.auth.authenticate()` now pass a `request`
+  to provide compatibility with backends that need one.
+  
 ### Fixed
 * #524 Restrict usage of timezone aware expire dates to Django projects with USE_TZ set to True.
 
+## [1.5.0] 2021-03-18
+
+### Added
+* #915 Add optional OpenID Connect support.
+
 ### Changed
 * #942 Help via defunct Google group replaced with using GitHub issues
 
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -14,6 +14,7 @@
 from django.core.exceptions import ObjectDoesNotExist
 from django.db import transaction
 from django.db.models import Q
+from django.http import HttpRequest
 from django.utils import dateformat, timezone
 from django.utils.timezone import make_aware
 from django.utils.translation import gettext_lazy as _
@@ -664,7 +665,15 @@ def validate_user(self, username, password, client, request, *args, **kwargs):
         """
         Check username and password correspond to a valid and active User
         """
-        u = authenticate(username=username, password=password)
+        # Passing the optional HttpRequest adds compatibility for backends
+        # which depend on its presence. Create one with attributes likely
+        # to be used.
+        http_request = HttpRequest()
+        http_request.path = request.uri
+        http_request.method = request.http_method
+        getattr(http_request, request.http_method).update(dict(request.decoded_body))
+        http_request.META = request.headers
+        u = authenticate(http_request, username=username, password=password)
         if u is not None and u.is_active:
             request.user = u
             return True
