update_last_login on TokenObtainPair #238
Database access and updating is only one-half the problem. People abusing the views is the other half of the problem. Please stop trying to add last_login. ref #234 You’ll inadvertently slow your server down by exposing a security vulnerability. You can make a PR for signals instead, but it seems like another PR has already done it. Not sure when or if it’ll get merged.
If you really want this, make a new viewset and throttle it with DRF at the very least. If we throttle the viewset ourselves, we make the package less flexible.
@mjlabe I just talked with David. We'd like to make this repo a little more flexible in terms of features. If you don't mind, can you add a setting to the SIMPLE_JWT settings for last_login? Have the default still be on False. Thanks! And then you'll need to add a test case to make sure the last_login actually happens.
Will do. I'll also add your warnings of potential vulnerabilities to the docs.
PR has been updated with requested changes. Please let me know if you feel anything should be changed!
@mjlabe Just saw the new commit. Taking a look at it now; to me it's great! Gonna review it one last time in an hour, but I'll be merging it soon. Thanks for the PR!
Use timezone.now() rather than TZ naive datetime. I can commit these suggestions and make sure they're good to go.
Thanks again @mjlabe!
Fix for last login update #132
Alternative solution to Fix user last_login field update #136 that only updates when the user gets a new refresh token (i.e. login). This should result in fewer database hits.