Confirming password impossible with custom authentication backend #10380

@aklajnert

Important Details

How are you running Sentry?

  • On-Premise docker [Version 9.0]
  • Saas (sentry.io)
  • Other [briefly describe your environment]

Description

I have a custom authentication backend which uses my corporate authentication provider. The backend will create a new user on first login. The company policy doesn't allow storing user passwords in application databases, so the password will be empty in Sentry DB. In the future, if the user would like to log in, the password will be validated with corporate authentication again. This functionality works fine by registering custom authentication backend functionality in Django via the sentry.conf.py file.
The problem is when the user wants to perform an admin action. Sentry wants the user to confirm their password. To do that, it uses the check_password() method from the User model. The problem is that check_password() is testing the password against the one stored in a database. If a user has logged in via a custom backend which doesn't store the password, it is impossible to confirm the password.

Steps to Reproduce

  1. Log in with custom backend which doesn't store password in database
  2. Try to perform any administrative action e.g. removing a project
  3. Your password will be rejected every time.

What you expected to happen

Sentry should use the custom backend to validate the user password.

Possible Solution

This can be fixed by overriding or monkey-patching the check_password() method in the User model, but it doesn't seem to be a clean solution. Especially when you're using multiple custom backends (we do that in our company).

I think the check_password() usage shall be replaced with the authenticate() function which is defined by the backend. This would be the easiest and cleanest solution.
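A sketch of the behaviour requested above, as an added example that is not part of the original issue and is not Sentry's or Django's code: password confirmation goes through every configured backend's authenticate() instead of the stored hash, and is accepted only for the account that owns the session. The classes, the simplified authenticate(username, password) signature, the user names and the passwords are all constructed for illustration.

```python
import hashlib
import hmac

def _hash(raw, salt=b"constructed-salt"):
    # Stand-in for the framework's password hasher (assumption for this sketch).
    return hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, 1000)

class User:
    """Hypothetical stand-in for the user model; password_hash=None means no local password."""
    def __init__(self, pk, username, password_hash=None):
        self.pk, self.username, self.password_hash = pk, username, password_hash

    def check_password(self, raw):
        # Behaviour described in the issue: only the locally stored hash is consulted.
        if self.password_hash is None:
            return False
        return hmac.compare_digest(_hash(raw), self.password_hash)

class LocalBackend:
    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password):
        user = self.users.get(username)
        return user if user and user.check_password(password) else None

class CorporateBackend:
    """Simulated external provider; `directory` is constructed sample data."""
    def __init__(self, users, directory):
        self.users, self.directory = users, directory

    def authenticate(self, username, password):
        expected = self.directory.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        return self.users.get(username)

def confirm_password(session_user, password, backends):
    """Re-authenticate the logged-in user through each configured backend."""
    for backend in backends:
        user = backend.authenticate(session_user.username, password)
        # Accept only when a backend vouches for the account that owns the session.
        if user is not None and user.pk == session_user.pk:
            return True
    return False

USERS = {"alice": User(1, "alice"),  # created on first corporate login, no local hash
         "bob": User(2, "bob", _hash("bob-local-pw"))}
BACKENDS = [LocalBackend(USERS), CorporateBackend(USERS, {"alice": "alice-corp-pw"})]
```

The identity comparison in confirm_password() matters once several backends are configured: a successful authenticate() result for any other account must never satisfy the confirmation prompt.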
