After implementing the DRF authtoken app, I deleted my previous superuser (because it did not have an auth token) and created a new one. Looking at the database, I see that the new superuser has an entry in the authtoken_token table. It also has is_admin, is_staff, and is_superuser set to True. is_active is set to False, but this was also set to False in the previous superuser and logging in to admin was not a problem.
When I enter credentials on the admin page with is_active=False, it says:
"Please enter the correct email and password for a staff account. Note that both fields may be case-sensitive."
Before setting is_active=True, I tried some answers from other SO questions:
- I made sure I'm not setting SESSION_COOKIE_SECURE = True. I'm not using this setting in the dev environment anyway.
- When I check the database, django_session table is there. When I try to authenticate, I do not see a new entry being created.
- I do create my superuser via the python manage.py createsuperuser command, same as I did before.
- I also tried to change superuser pw via python manage.py changepassword .
- My db is synced, I checked the tables after deleting and creating a new superuser and they are properly updated.
These steps did not change anything. Then I set is_active=True for the new superuser, and I was finally able to log in. But why? Before DRF token authentication, my inactive superuser could log in to admin. Now it cannot; it should be active to log in. What does this have to do with token authentication? (So my problem is solved, but I'm wondering how Django and DRF work behind the scenes.)