[fix] Prevent authentication without a username in UsersAuthenticationBackend

Some authentication backends (such as token-based or external identity
providers) may invoke this backend without supplying a username. In such
cases, the backend would previously continue and attempt to query the
database with `None` as the username. This can lead to inefficient or
broad queries that negatively impact performance, especially in large
user tables.

Author: pandafy

openwisp_users/backends.py

@@ -11,6 +11,11 @@
 
 class UsersAuthenticationBackend(ModelBackend):
     def authenticate(self, request, username=None, password=None, **kwargs):
+        # Only proceed if a username is provided. Other auth backends may attempt
+        # authentication without a username; returning early here avoids querying
+        # the database with a `None` username, which can be inefficient.
+        if not username:
+            return
         for user in self.get_users(username):
             if user.check_password(password) and self.user_can_authenticate(user):
                 return user

openwisp_users/tests/test_backends.py

@@ -153,3 +153,13 @@ def test_partial_phone_number(self):
                 password="tester2",
             )
             self.assertEqual(auth_backend.get_users("911524370").count(), 0)
+
+    @mock.patch("openwisp_users.backends.UsersAuthenticationBackend.get_users")
+    def test_user_auth_without_email(self, mocked_get_users):
+        self._create_user(
+            username="tester",
+            password="tester",
+            email=None,
+        )
+        self.client.login(username=None, password=None)
+        mocked_get_users.assert_not_called()