typing: Add assertions for authentication.

Signed-off-by: Zixuan James Li <359101898@qq.com>

zerver/forms.py

@@ -273,6 +273,7 @@ class LoggingSetPasswordForm(SetPasswordForm):
         return new_password
 
     def save(self, commit: bool = True) -> UserProfile:
+        assert isinstance(self.user, UserProfile)
         do_change_password(self.user, self.cleaned_data["new_password1"], commit=commit)
         return self.user
 

zerver/tests/test_auth_backends.py

@@ -753,13 +753,16 @@ class RateLimitAuthenticationTests(ZulipTestCase):
         def attempt_authentication(
             request: HttpRequest, username: str, password: str
         ) -> Optional[UserProfile]:
-            return authenticate(
+            user = authenticate(
                 request=request,
                 username=username,
                 realm=get_realm("zulip"),
                 password=password,
                 return_data={},
             )
+            if user is not None:
+                assert isinstance(user, UserProfile)
+            return user
 
         self.do_test_auth_rate_limiting(
             attempt_authentication,

zerver/views/auth.py

@@ -431,6 +431,8 @@ def remote_user_sso(
         user_profile = None
     else:
         user_profile = authenticate(remote_user=remote_user, realm=realm)
+    if user_profile is not None:
+        assert isinstance(user_profile, UserProfile)
 
     email = remote_user_to_email(remote_user)
     data_dict = ExternalAuthDataDict(
@@ -486,6 +488,7 @@ def remote_user_jwt(request: HttpRequest) -> HttpResponse:
             data_dict={"email": email, "full_name": remote_user, "subdomain": realm.subdomain}
         )
     else:
+        assert isinstance(user_profile, UserProfile)
         result = ExternalAuthResult(user_profile=user_profile)
 
     return login_or_register_remote_user(request, result)
@@ -895,6 +898,7 @@ def api_fetch_api_key(
     email_on_new_login(sender=user_profile.__class__, request=request, user=user_profile)
 
     # Mark this request as having a logged-in user for our server logs.
+    assert isinstance(user_profile, UserProfile)
     process_client(request, user_profile)
     RequestNotes.get_notes(request).requestor_for_logs = user_profile.format_requestor_for_logs()
 

zerver/views/development/dev_login.py

@@ -86,6 +86,7 @@ def dev_direct_login(
     user_profile = authenticate(dev_auth_username=email, realm=realm)
     if user_profile is None:
         return config_error(request, "dev")
+    assert isinstance(user_profile, UserProfile)
     do_login(request, user_profile)
 
     redirect_to = get_safe_redirect_to(next, user_profile.realm.uri)
@@ -130,7 +131,7 @@ def api_dev_fetch_api_key(request: HttpRequest, username: str = REQ()) -> HttpRe
         # is when one's attempting to send an email address that
         # doesn't have an account, i.e. it's definitely invalid username.
         raise AuthenticationFailedError()
-    assert user_profile is not None
+    assert isinstance(user_profile, UserProfile)
 
     do_login(request, user_profile)
     api_key = get_api_key(user_profile)

zerver/views/registration.py

@@ -383,7 +383,7 @@ def accounts_register(
             # prereg_user.realm_creation carries the information about whether
             # we're in realm creation mode, and the ldap flow will handle
             # that and create the user with the appropriate parameters.
-            user_profile = authenticate(
+            user = authenticate(
                 request=request,
                 username=email,
                 password=password,
@@ -391,7 +391,7 @@ def accounts_register(
                 prereg_user=prereg_user,
                 return_data=return_data,
             )
-            if user_profile is None:
+            if user is None:
                 can_use_different_backend = email_auth_enabled(realm) or (
                     len(get_external_method_dicts(realm)) > 0
                 )
@@ -419,13 +419,14 @@ def accounts_register(
                     query = urlencode({"email": email})
                     redirect_url = append_url_query_string(view_url, query)
                     return HttpResponseRedirect(redirect_url)
-            elif not realm_creation:
-                # Since we'll have created a user, we now just log them in.
-                return login_and_go_to_home(request, user_profile)
             else:
+                assert isinstance(user, UserProfile)
+                user_profile = user
+                if not realm_creation:
+                    # Since we'll have created a user, we now just log them in.
+                    return login_and_go_to_home(request, user_profile)
                 # With realm_creation=True, we're going to return further down,
                 # after finishing up the creation process.
-                pass
 
         if existing_user_profile is not None and existing_user_profile.is_mirror_dummy:
             user_profile = existing_user_profile
@@ -485,6 +486,7 @@ def accounts_register(
             )
             return redirect("/")
 
+        assert isinstance(auth_result, UserProfile)
         return login_and_go_to_home(request, auth_result)
 
     return render(

zproject/backends.py

@@ -1335,9 +1335,10 @@ class ExternalAuthResult:
         # more customized error messages for those unlikely races, but
         # it's likely not worth implementing.
         realm = get_realm(data["subdomain"])
-        self.user_profile = authenticate(
-            username=data["email"], realm=realm, use_dummy_backend=True
-        )
+        auth_result = authenticate(username=data["email"], realm=realm, use_dummy_backend=True)
+        if auth_result is not None:
+            assert isinstance(auth_result, UserProfile)
+        self.user_profile = auth_result
 
     class InvalidTokenError(Exception):
         pass