Should authenticating via DRF update User.last_login? #8941
Replies: 2 comments
I just found a previous issue for this which I somehow failed to find before: #3869. I have to disagree with the conclusion of that issue though - I would say that requesting a token (by providing credentials) IS equivalent to a user login! In the case of an SPA it's exactly equivalent. Even if I give the user direct API access or a CLI, and they authenticate to that sometimes instead of via my UI, I would consider that a login event also. Off the top of my head I can't think of any token authentication event that I would not consider a login event, although maybe others can suggest a counter use-case here. Certainly as a DRF user I find the current behaviour more surprising than I would find the alternative. Right now my database thinks that front-end users have never logged in.
There was a design decision issue, hence the reluctance from the original creator. Is the implementation detail too big or highly breaking for the current features in DRF?
I have an app set up to use DRF token authentication, and naively tried to use the User.last_login property, expecting it to represent the timestamp of the last token authentication. I found instead that it's None, as users who authenticate via DRF appear to not get this property updated.
I believe this is usually updated via the user_logged_in signal. Would it be a good idea for DRF to generate this signal when a token is successfully requested?