authn: make phone field optional (#72337)

src/authentic2/forms/authentication.py

@@ -44,6 +44,7 @@ class AuthenticationForm(auth_forms.AuthenticationForm):
     phone = PhoneField(
         label=_('Phone number'),
         help_text=_('Your mobile phone number if declared in your user account.'),
+        required=False,
     )
     password = PasswordField(label=_('Password'))
     remember_me = forms.BooleanField(
@@ -100,7 +101,11 @@ class AuthenticationForm(auth_forms.AuthenticationForm):
         username = self.cleaned_data.get('username')
         password = self.cleaned_data.get('password')
 
-        if app_settings.A2_ACCEPT_PHONE_AUTHENTICATION and get_user_model()._meta.get_field('phone'):
+        if (
+            app_settings.A2_ACCEPT_PHONE_AUTHENTICATION
+            and get_user_model()._meta.get_field('phone')
+            and not username
+        ):
             # Django's ModelBackend only understands a single field as 'username' identifier
             # for authentication purposes.  In authentic it is already used for authn using the
             # email address.  Below is the addition of the phone number as authn identifier.

tests/test_login.py

@@ -36,6 +36,15 @@ def test_success(db, app, simple_user):
     assert_event('user.logout', user=simple_user, session=session)
 
 
+def test_success_email_with_phone_authn_activated(db, app, simple_user, settings):
+    settings.A2_ACCEPT_PHONE_AUTHENTICATION = True
+    login(app, simple_user)
+    assert_event('user.login', user=simple_user, session=app.session, how='password-on-https')
+    session = app.session
+    app.get('/logout/').form.submit()
+    assert_event('user.logout', user=simple_user, session=session)
+
+
 def test_success_phone_authn_nomail_user(db, app, nomail_user, settings):
     settings.A2_ACCEPT_PHONE_AUTHENTICATION = True
     login(app, nomail_user, login='123456789', phone_authn=True)