goauthentik · BeryJu · Jan 13, 2025 · Jan 7, 2025 · Jan 13, 2025
@@ -585,7 +585,7 @@
         """Set password for user"""
         user: User = self.get_object()
         try:
-            user.set_password(request.data.get("password"))
+            user.set_password(request.data.get("password"), request=request)
             user.save()
         except (ValidationError, IntegrityError) as exc:
             LOGGER.debug("Failed to set password", exc=exc)

@@ -44,13 +44,12 @@
         self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
     ) -> User | None:
         try:
-
             user = User._default_manager.get_by_natural_key(username)
 
         except User.DoesNotExist:
             # Run the default password hasher once to reduce the timing
             # difference between an existing and a nonexistent user (#20760).
-            User().set_password(password)
+            User().set_password(password, request=request)
             return None
 
         tokens = Token.filter_not_expired(

@@ -356,13 +356,13 @@ def is_staff(self) -> bool:
         """superuser == staff user"""
         return self.is_superuser  # type: ignore
 
-    def set_password(self, raw_password, signal=True, sender=None):
+    def set_password(self, raw_password, signal=True, sender=None, request=None):
         if self.pk and signal:
             from authentik.core.signals import password_changed
 
             if not sender:
                 sender = self
-            password_changed.send(sender=sender, user=self, password=raw_password)
+            password_changed.send(sender=sender, user=self, password=raw_password, request=request)
         self.password_change_date = now()
         return super().set_password(raw_password)
 

@@ -106,9 +106,9 @@ def on_invitation_used(sender, request: HttpRequest, invitation: Invitation, **_
 
 
 @receiver(password_changed)
-def on_password_changed(sender, user: User, password: str, **_):
+def on_password_changed(sender, user: User, password: str, request: HttpRequest | None, **_):
     """Log password change"""
-    Event.new(EventAction.PASSWORD_SET).from_http(None, user=user)
+    Event.new(EventAction.PASSWORD_SET).from_http(request, user=user)
 
 
 @receiver(post_save, sender=Event)

@@ -28,14 +28,14 @@ def authenticate(self, request: HttpRequest, **kwargs):
         if "@" in username:
             username, realm = username.rsplit("@", 1)
 
-        user, source = self.auth_user(username, realm, **kwargs)
+        user, source = self.auth_user(request, username, realm, **kwargs)
         if user:
             self.set_method("kerberos", request, source=source)
             return user
         return None
 
     def auth_user(
-        self, username: str, realm: str | None, password: str, **filters
+        self, request: HttpRequest, username: str, realm: str | None, password: str, **filters
     ) -> tuple[User | None, KerberosSource | None]:
         sources = KerberosSource.objects.filter(enabled=True)
         user = User.objects.filter(
@@ -76,7 +76,7 @@ def auth_user(
                         user=user_source_connection.user,
                     )
                     user_source_connection.user.set_password(
-                        password, sender=user_source_connection.source
+                        password, sender=user_source_connection.source, request=request
                     )
                     user_source_connection.user.save()
                 return user_source_connection.user, user_source_connection.source

@@ -20,13 +20,15 @@
             return None
         for source in LDAPSource.objects.filter(enabled=True):
             LOGGER.debug("LDAP Auth attempt", source=source)
-            user = self.auth_user(source, **kwargs)
+            user = self.auth_user(request, source, **kwargs)
             if user:
                 self.set_method("ldap", request, source=source)
                 return user
         return None
 
-    def auth_user(self, source: LDAPSource, password: str, **filters: str) -> User | None:
+    def auth_user(
+        self, request: HttpRequest, source: LDAPSource, password: str, **filters: str
+    ) -> User | None:
         """Try to bind as either user_dn or mail with password.
         Returns True on success, otherwise False"""
         users = User.objects.filter(**filters)
@@ -43,7 +45,7 @@
             if source.password_login_update_internal_password:
                 # Password given successfully binds to LDAP, so we save it in our Database
                 LOGGER.debug("Updating user's password in DB", user=user)
-                user.set_password(password, sender=source)
+                user.set_password(password, sender=source, request=request)
                 user.save()
             return user
         # Password doesn't match

@@ -104,7 +104,9 @@ def update_user(self, user: User):
         for key, value in data.items():
             setter_name = f"set_{key}"
             # Check if user has a setter for this key, like set_password
-            if hasattr(user, setter_name):
+            if key == "password":
+                user.set_password(value, request=self.request)
+            elif hasattr(user, setter_name):
                 setter = getattr(user, setter_name)
                 if callable(setter):
                     setter(value)

@@ -150,7 +150,7 @@ def test_sync_password(self):
         # Ensure user has an unusable password directly after sync
         self.assertFalse(user.has_usable_password())
         # Auth (which will fallback to bind)
-        LDAPBackend().auth_user(source, password, username=username)
+        LDAPBackend().auth_user(None, source, password, username=username)
         user.refresh_from_db()
         # User should now have a usable password in the database
         self.assertTrue(user.has_usable_password())