python django django-authentication django-2.0 django-2.1

User authentication always fails after upgrading Django from 2.0.13 to 2.1.0, including manage.py changepassword


I have a website written in Django, and I recently upgraded from Django 1.11.28 to 2.2.12. Since the upgrade, all user authentication fails. There are no error messages displayed in the log; it is as if everyone's passwords have changed.

The users who were logged in before the upgrade remain logged in. However, once they log out, they cannot log back in.

The strange thing is that I can use manage.py to reset my superuser's password, but logging in with the new password still fails.

I did note that the Django 2.0 release docs mention that in django.contrib.auth: "The default iteration count for the PBKDF2 password hasher is increased from 36,000 to 100,000." I thought I might have to change its setting or ask people to reset their passwords, but since using manage.py to reset the admin password didn't work, I no longer believe that to be the issue.

Is there a new setting that I'm missing?

You can reproduce the issue here: https://github.com/shadytradesman/the-contract-site/tree/32ea6578800f648679f1af55a962858b931bf81a

The site should be easy to run locally. : )

EDIT: after doing some more testing, I've found the issue was introduced between Django versions 2.0.13 and 2.1.0
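
Why the iteration-count change quoted in the question cannot by itself lock users out, as an added example that is not part of the original post and not Django's own code: Django's PBKDF2 hasher stores the iteration count inside each encoded password (`algorithm$iterations$salt$hash`), so a hash created at 36,000 iterations still verifies after the default moves to 100,000 and is only re-hashed on the next successful login. The function names, password and salt below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

OLD_ITERATIONS = 36_000   # default before Django 2.0, per the quoted release note
NEW_ITERATIONS = 100_000  # default from Django 2.0, per the quoted release note


def encode(password: str, salt: str, iterations: int) -> str:
    """Build a value in the pbkdf2_sha256 layout: algorithm$iterations$salt$hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    b64 = base64.b64encode(digest).decode("ascii")
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, b64)


def verify(password: str, encoded: str) -> bool:
    """Re-derive the hash with the iteration count stored in the encoded value."""
    algorithm, iterations, salt, _stored_hash = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported algorithm: " + algorithm)
    candidate = encode(password, salt, int(iterations))
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(candidate.encode(), encoded.encode())


def must_update(encoded: str, current: int = NEW_ITERATIONS) -> bool:
    """True when the stored hash used a different iteration count than the default."""
    return int(encoded.split("$", 3)[1]) != current


def login(password: str, stored: str):
    """Return (authenticated, value_to_store); upgrade an outdated hash on success."""
    if not verify(password, stored):
        return False, stored
    if must_update(stored):
        # Fresh random salt for the upgraded hash (hex never contains '$').
        stored = encode(password, secrets.token_hex(8), NEW_ITERATIONS)
    return True, stored


if __name__ == "__main__":
    # Constructed sample: a hash created under the old default.
    old = encode("constructed-password", "constructedsalt", OLD_ITERATIONS)
    print(login("constructed-password", old))
```

When every login fails, including one made right after a password reset, the stored hash format is therefore an unlikely cause; the settings and installed apps that take part in authentication are the next place to check.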


Solution

  • I found the problem! The break occurred between 2.0.13 and 2.1.0. It was caused by an app I was using, django-user-accounts. Upgrading this library from 2.0.1 to 3.0.2 fixed the issue : )