From 526b548cfb9c8a02ea2b7ae064ef3b795305d51a Mon Sep 17 00:00:00 2001
From: KANIN KEARPIMY
Date: Tue, 31 Mar 2026 22:56:13 +0700
Subject: Fixed #36542 -- Marked authenticate() with @sensitive_variables() decorator. Thanks Olivier Dalang, Tim McCurrach, Sarah Boyce, and Mar Bartolome for reviews.
---
tests/auth_tests/models/custom_user.py | 14 +++++++++++++
tests/auth_tests/test_auth_backends.py | 36 ++++++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+)
(limited to 'tests')
diff --git a/tests/auth_tests/models/custom_user.py b/tests/auth_tests/models/custom_user.py
index dac61f8e68..29dc42f645 100644
--- a/tests/auth_tests/models/custom_user.py
+++ b/tests/auth_tests/models/custom_user.py
@@ -143,3 +143,17 @@ with RemoveGroupsAndPermissions():
 custom_objects = UserManager()
 REQUIRED_FIELDS = AbstractUser.REQUIRED_FIELDS + ["date_of_birth"]
+
+
+class ErrorUserManager(BaseUserManager):
+ def get_by_natural_key(self, _):
+ raise TypeError
+
+ async def aget_by_natural_key(self, _):
+ raise TypeError
+
+
+with RemoveGroupsAndPermissions():
+
+ class ErrorAdminUser(AbstractUser):
+ custom_objects = ErrorUserManager()
diff --git a/tests/auth_tests/test_auth_backends.py b/tests/auth_tests/test_auth_backends.py
index 3ea6ff6a69..77eeed3d60 100644
--- a/tests/auth_tests/test_auth_backends.py
+++ b/tests/auth_tests/test_auth_backends.py
@@ -1146,6 +1146,42 @@ class AuthenticateTests(TestCase):
 status_code=500,
 )
+ @override_settings(AUTH_USER_MODEL="auth_tests.ErrorAdminUser")
+ def test_model_backend_authenticate_sensitive_variables(self):
+ try:
+ authenticate(username="testusername", password=self.sensitive_password)
+ except TypeError:
+ exc_info = sys.exc_info()
+ rf = RequestFactory()
+ response = technical_500_response(rf.get("/"), *exc_info)
+ self.assertNotContains(response, self.sensitive_password, status_code=500)
+ self.assertContains(
+ response,
+ 'password'
+ "
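Review bot: `ErrorUserManager` carries no docstring, so a reader of custom_user.py cannot tell why a manager whose `get_by_natural_key()` and `aget_by_natural_key()` unconditionally raise `TypeError` exists; the reason is only visible in the test_auth_backends.py hunk on this page, where it is used to make `authenticate()` fail so the resulting 500 report can be checked for the password. A class docstring such as `"""Manager whose natural-key lookups always raise TypeError; used by the auth tests to make authenticate() fail inside the backend."""` would keep that intent next to the stub. `ErrorAdminUser` follows the same `custom_objects = ...` pattern as the model in the context lines above it, so the manager wiring itself looks consistent with the rest of the file.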
'********************'
",
+ html=True,
+ status_code=500,
+ )
+
+ @override_settings(AUTH_USER_MODEL="auth_tests.ErrorAdminUser")
+ async def test_model_backend_async_authenticate_sensitive_variables(self):
+ try:
+ await aauthenticate(
+ username="testusername", password=self.sensitive_password
+ )
+ except TypeError:
+ exc_info = sys.exc_info()
+ rf = RequestFactory()
+ response = technical_500_response(rf.get("/"), *exc_info)
+ self.assertNotContains(response, self.sensitive_password, status_code=500)
+ self.assertContains(
+ response,
+ 'password'
+ "
'********************'
",
+ html=True,
+ status_code=500,
+ )
+ + def test_clean_credentials_sensitive_variables(self): + try: + # Passing in a list to cause an exception -- cgit v1.3
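Review bot: `test_model_backend_authenticate_sensitive_variables` and its async twin pass vacuously if `authenticate()` / `aauthenticate()` return without raising, because every assertion sits inside the `except TypeError:` branch and nothing fails when that branch is skipped. Adding `else:` / `self.fail("authenticate() did not raise TypeError")` to each `try` (two lines per test) pins the precondition the tests depend on, namely that the overridden user model's manager is actually reached. The existing `test_clean_credentials_sensitive_variables` in the trailing context uses the same try/except shape, so the same guard could be applied there for consistency. `self.sensitive_password` is read from the fixture; its definition, and the rest of `AuthenticateTests`, are outside the hunk.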