Django: How to override authenticate() method?

Question

I use custom User, and I have an email_verified field for this user. I\'d like when a user sign in, to be rejected if this field is false.

Answer 1

Please refer to Django Doc: Writing an authentication backend, it's probably what you're after. It covers both your use case on normal login and REST APIs like token authentication:

The authenticate method takes credentials as keyword arguments. 
Most of the time, it’ll just look like this:

class MyBackend(object):
    def authenticate(self, username=None, password=None):
        # Check the username/password and return a User.
        ...
But it could also authenticate a token, like so:

class MyBackend(object):
    def authenticate(self, token=None):
        # Check the token and return a User.
        ...
Either way, authenticate should check the credentials it gets, 
and it should return a User object that matches those credentials, 
if the credentials are valid. If they’re not valid, it should return None.

Once you have written your custom auth backend, you just need to change your default auth backend in your settings.py like this:

AUTHENTICATION_BACKENDS = ('project.path.to.MyBackend',)

Update

Rather than overriding the default authenticate behaviour, you can just include both Backends in your settings, like:

AUTHENTICATION_BACKENDS = ('project.path.to.MyBackend',
                           'django.contrib.auth.backends.ModelBackend',)

The order of the Backends matters, you can read the source code and have a better understanding how the default authenticate and things work together (Read here)

AFAIK this is the preferred way to customise authenticate, as you may one day change your default Backend to something like RemoteUserBackend or whatever (like from RestFramework) and so you can just place your logic (MyBackend) by order in your settings and no need to worry about breaking the code.

Hope this helps.