input
diff --git a/‎django/contrib/auth/__init__.py
Lines changed: 141 additions & 31 deletions b/‎django/contrib/auth/__init__.py
Lines changed: 141 additions & 31 deletions
@@ -1,8 +1,6 @@
 import inspect
 import re
 
-from asgiref.sync import sync_to_async
-
 from django.apps import apps as django_apps
 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured, PermissionDenied
@@ -40,6 +38,39 @@ def get_backends():
     return _get_backends(return_tuples=False)
 
 
+def _get_compatible_backends(request, **credentials):
+    for backend, backend_path in _get_backends(return_tuples=True):
+        backend_signature = inspect.signature(backend.authenticate)
+        try:
+            backend_signature.bind(request, **credentials)
+        except TypeError:
+            # This backend doesn't accept these credentials as arguments. Try
+            # the next one.
+            continue
+        yield backend, backend_path
+
+
+def _get_backend_from_user(user, backend=None):
+    try:
+        backend = backend or user.backend
+    except AttributeError:
+        backends = _get_backends(return_tuples=True)
+        if len(backends) == 1:
+            _, backend = backends[0]
+        else:
+            raise ValueError(
+                "You have multiple authentication backends configured and "
+                "therefore must provide the `backend` argument or set the "
+                "`backend` attribute on the user."
+            )
+    else:
+        if not isinstance(backend, str):
+            raise TypeError(
+                "backend must be a dotted import path string (got %r)." % backend
+            )
+    return backend
+
+
 @sensitive_variables("credentials")
 def _clean_credentials(credentials):
     """
@@ -62,19 +93,21 @@ def _get_user_session_key(request):
     return get_user_model()._meta.pk.to_python(request.session[SESSION_KEY])
 
 
+async def _aget_user_session_key(request):
+    # This value in the session is always serialized to a string, so we need
+    # to convert it back to Python whenever we access it.
+    session_key = await request.session.aget(SESSION_KEY)
+    if session_key is None:
+        raise KeyError()
+    return get_user_model()._meta.pk.to_python(session_key)
+
+
 @sensitive_variables("credentials")
 def authenticate(request=None, **credentials):
     """
     If the given credentials are valid, return a User object.
     """
-    for backend, backend_path in _get_backends(return_tuples=True):
-        backend_signature = inspect.signature(backend.authenticate)
-        try:
-            backend_signature.bind(request, **credentials)
-        except TypeError:
-            # This backend doesn't accept these credentials as arguments. Try
-            # the next one.
-            continue
+    for backend, backend_path in _get_compatible_backends(request, **credentials):
         try:
             user = backend.authenticate(request, **credentials)
         except PermissionDenied:
@@ -96,7 +129,23 @@ def authenticate(request=None, **credentials):
 @sensitive_variables("credentials")
 async def aauthenticate(request=None, **credentials):
     """See authenticate()."""
-    return await sync_to_async(authenticate)(request, **credentials)
+    for backend, backend_path in _get_compatible_backends(request, **credentials):
+        try:
+            user = await backend.aauthenticate(request, **credentials)
+        except PermissionDenied:
+            # This backend says to stop in our tracks - this user should not be
+            # allowed in at all.
+            break
+        if user is None:
+            continue
+        # Annotate the user object with the path of the backend.
+        user.backend = backend_path
+        return user
+
+    # The credentials supplied are invalid to all backends, fire signal.
+    await user_login_failed.asend(
+        sender=__name__, credentials=_clean_credentials(credentials), request=request
+    )
 
 
 def login(request, user, backend=None):
@@ -125,23 +174,7 @@ def login(request, user, backend=None):
     else:
         request.session.cycle_key()
 
-    try:
-        backend = backend or user.backend
-    except AttributeError:
-        backends = _get_backends(return_tuples=True)
-        if len(backends) == 1:
-            _, backend = backends[0]
-        else:
-            raise ValueError(
-                "You have multiple authentication backends configured and "
-                "therefore must provide the `backend` argument or set the "
-                "`backend` attribute on the user."
-            )
-    else:
-        if not isinstance(backend, str):
-            raise TypeError(
-                "backend must be a dotted import path string (got %r)." % backend
-            )
+    backend = _get_backend_from_user(user=user, backend=backend)
 
     request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
     request.session[BACKEND_SESSION_KEY] = backend
@@ -154,7 +187,36 @@ def login(request, user, backend=None):
 
 async def alogin(request, user, backend=None):
     """See login()."""
-    return await sync_to_async(login)(request, user, backend)
+    session_auth_hash = ""
+    if user is None:
+        user = await request.auser()
+    if hasattr(user, "get_session_auth_hash"):
+        session_auth_hash = user.get_session_auth_hash()
+
+    if await request.session.ahas_key(SESSION_KEY):
+        if await _aget_user_session_key(request) != user.pk or (
+            session_auth_hash
+            and not constant_time_compare(
+                await request.session.aget(HASH_SESSION_KEY, ""),
+                session_auth_hash,
+            )
+        ):
+            # To avoid reusing another user's session, create a new, empty
+            # session if the existing session corresponds to a different
+            # authenticated user.
+            await request.session.aflush()
+    else:
+        await request.session.acycle_key()
+
+    backend = _get_backend_from_user(user=user, backend=backend)
+
+    await request.session.aset(SESSION_KEY, user._meta.pk.value_to_string(user))
+    await request.session.aset(BACKEND_SESSION_KEY, backend)
+    await request.session.aset(HASH_SESSION_KEY, session_auth_hash)
+    if hasattr(request, "user"):
+        request.user = user
+    rotate_token(request)
+    await user_logged_in.asend(sender=user.__class__, request=request, user=user)
 
 
 def logout(request):
@@ -177,7 +239,19 @@ def logout(request):
 
 async def alogout(request):
     """See logout()."""
-    return await sync_to_async(logout)(request)
+    # Dispatch the signal before the user is logged out so the receivers have a
+    # chance to find out *who* logged out.
+    user = getattr(request, "auser", None)
+    if user is not None:
+        user = await user()
+    if not getattr(user, "is_authenticated", True):
+        user = None
+    await user_logged_out.asend(sender=user.__class__, request=request, user=user)
+    await request.session.aflush()
+    if hasattr(request, "user"):
+        from django.contrib.auth.models import AnonymousUser
+
+        request.user = AnonymousUser()
 
 
 def get_user_model():
@@ -243,7 +317,43 @@ def get_user(request):
 
 async def aget_user(request):
     """See get_user()."""
-    return await sync_to_async(get_user)(request)
+    from .models import AnonymousUser
+
+    user = None
+    try:
+        user_id = await _aget_user_session_key(request)
+        backend_path = await request.session.aget(BACKEND_SESSION_KEY)
+    except KeyError:
+        pass
+    else:
+        if backend_path in settings.AUTHENTICATION_BACKENDS:
+            backend = load_backend(backend_path)
+            user = await backend.aget_user(user_id)
+            # Verify the session
+            if hasattr(user, "get_session_auth_hash"):
+                session_hash = await request.session.aget(HASH_SESSION_KEY)
+                if not session_hash:
+                    session_hash_verified = False
+                else:
+                    session_auth_hash = user.get_session_auth_hash()
+                    session_hash_verified = session_hash and constant_time_compare(
+                        session_hash, user.get_session_auth_hash()
+                    )
+                if not session_hash_verified:
+                    # If the current secret does not verify the session, try
+                    # with the fallback secrets and stop when a matching one is
+                    # found.
+                    if session_hash and any(
+                        constant_time_compare(session_hash, fallback_auth_hash)
+                        for fallback_auth_hash in user.get_session_auth_fallback_hash()
+                    ):
+                        await request.session.acycle_key()
+                        await request.session.aset(HASH_SESSION_KEY, session_auth_hash)
+                    else:
+                        await request.session.aflush()
+                        user = None
+
+    return user or AnonymousUser()
 
 
 def get_permission_codename(action, opts):