Skip to main content

An extension of django ninja framework, providing a configurable password reset strategy

Project description

Django Rest Password Reset

PyPI version build-and-test actions status Codecov

This python package provides a simple password reset strategy for django rest framework, where users can request password reset tokens via their registered e-mail address.

The main idea behind this package is to not make any assumptions about how the token is delivered to the end-user (e-mail, text-message, etc...). Instead, this package provides a signal that can be reacted on (e.g., by sending an e-mail or a text message).

This package basically provides two REST endpoints:

  • Request a token
  • Verify (confirm) a token (and change the password)

Quickstart

  1. Install the package from pypi using pip:
pip install django-ninja-passwordreset
  1. Add django_rest_passwordreset to your INSTALLED_APPS (after rest_framework) within your Django settings file:
INSTALLED_APPS = (
    ...
    'django.contrib.auth',
    ...
    'ninja_extra',
    ...
    'django_rest_passwordreset',
    ...
)
  1. This package stores tokens in a separate database table (see django_rest_passwordreset/models.py). Therefore, you have to run django migrations:
python manage.py migrate
  1. This package provides three endpoints, which can be included by including django_rest_passwordreset.urls in your urls.py as follows:
from django.urls import path
from ninja_extra import NinjaExtraAPI
from django_rest_passwordreset.controller import ResetPasswordController

api = NinjaExtraAPI(urls_namespace='password_test')
api.register_controllers(ResetPasswordController)

urlpatterns = [
    ...,
    path(r'^api/', api.urls),
    ...
]

Note: You can adapt the URL to your needs.

Endpoints

The following endpoints are provided:

  • POST ${API_URL}/ - request a reset password token by using the email parameter
  • POST ${API_URL}/confirm/ - using a valid token, the users password is set to the provided password
  • POST ${API_URL}/validate_token/ - will return a 200 if a given token is valid

where ${API_URL}/ is the url specified in your urls.py (e.g., api/password_reset/ as in the example above)

Signals

  • reset_password_token_created(sender, instance, reset_password_token) Fired when a reset password token is generated
  • pre_password_reset(sender, user) - fired just before a password is being reset
  • post_password_reset(sender, user) - fired after a password has been reset

Example for sending an e-mail

  1. Create two new django templates: email/user_reset_password.html and email/user_reset_password.txt. Those templates will contain the e-mail message sent to the user, aswell as the password reset link (or token). Within the templates, you can access the following context variables: current_user, username, email, reset_password_url. Feel free to adapt this to your needs.

  2. Add the following code, which contains a Django Signal Receiver (@receiver(...)), to your application. Take care where to put this code, as it needs to be executed by the python interpreter (see the section The reset_password_token_created signal is not fired below, aswell as this part of the django documentation and How to Create Django Signals Tutorial for more information).

from django.core.mail import EmailMultiAlternatives
from django.dispatch import receiver
from django.template.loader import render_to_string
from django.urls import reverse

from django_rest_passwordreset.signals import reset_password_token_created


@receiver(reset_password_token_created)
def password_reset_token_created(sender, instance, reset_password_token, *args, **kwargs):
    """
    Handles password reset tokens
    When a token is created, an e-mail needs to be sent to the user
    :param sender: View Class that sent the signal
    :param instance: View Instance that sent the signal
    :param reset_password_token: Token Model Object
    :param args:
    :param kwargs:
    :return:
    """
    # send an e-mail to the user
    context = {
        'current_user': reset_password_token.user,
        'username': reset_password_token.user.username,
        'email': reset_password_token.user.email,
        'reset_password_url': "{}?token={}".format(
            instance.request.build_absolute_uri(reverse('password_reset:reset-password-confirm')),
            reset_password_token.key)
    }

    # render email text
    email_html_message = render_to_string('email/user_reset_password.html', context)
    email_plaintext_message = render_to_string('email/user_reset_password.txt', context)

    msg = EmailMultiAlternatives(
        # title:
        "Password Reset for {title}".format(title="Some website title"),
        # message:
        email_plaintext_message,
        # from:
        "noreply@somehost.local",
        # to:
        [reset_password_token.user.email]
    )
    msg.attach_alternative(email_html_message, "text/html")
    msg.send()
  1. You should now be able to use the endpoints to request a password reset token via your e-mail address. If you want to test this locally, I recommend using some kind of fake mailserver (such as maildump).

Configuration / Settings

The following settings can be set in Django settings.py file:

  • DJANGO_REST_MULTITOKENAUTH_RESET_TOKEN_EXPIRY_TIME - time in hours about how long the token is active (Default: 24)

    Please note: expired tokens are automatically cleared based on this setting in every call of ResetPasswordRequestToken.post.

  • DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE - will cause a 200 to be returned on POST ${API_URL}/reset_password/ even if the user doesn't exist in the databse (Default: False)

  • DJANGO_REST_MULTITOKENAUTH_REQUIRE_USABLE_PASSWORD - allows password reset for a user that does not have a usable password (Default: True)

Custom Email Lookup

By default, email lookup is used to find the user instance. You can change that by adding

DJANGO_REST_LOOKUP_FIELD = 'custom_email_field'

into Django settings.py file.

Custom Remote IP Address and User Agent Header Lookup

If your setup demands that the IP adress of the user is in another header (e.g., 'X-Forwarded-For'), you can configure that (using Django Request Headers):

DJANGO_REST_PASSWORDRESET_IP_ADDRESS_HEADER = 'HTTP_X_FORWARDED_FOR'

The same is true for the user agent:

HTTP_USER_AGENT_HEADER = 'HTTP_USER_AGENT'

Custom Token Generator

By default, a random string token of length 10 to 50 is generated using the RandomStringTokenGenerator class. This library offers a possibility to configure the params of RandomStringTokenGenerator as well as switch to another token generator, e.g. RandomNumberTokenGenerator. You can also generate your own token generator class.

You can change that by adding

DJANGO_REST_PASSWORDRESET_TOKEN_CONFIG = {
    "CLASS": ...,
    "OPTIONS": {...}
}

into Django settings.py file.

RandomStringTokenGenerator

This is the default configuration.

DJANGO_REST_PASSWORDRESET_TOKEN_CONFIG = {
    "CLASS": "django_rest_passwordreset.tokens.RandomStringTokenGenerator"
}

You can configure the length as follows:

DJANGO_REST_PASSWORDRESET_TOKEN_CONFIG = {
    "CLASS": "django_rest_passwordreset.tokens.RandomStringTokenGenerator",
    "OPTIONS": {
        "min_length": 20,
        "max_length": 30
    }
}

It uses os.urandom() to generate a good random string.

RandomNumberTokenGenerator

DJANGO_REST_PASSWORDRESET_TOKEN_CONFIG = {
    "CLASS": "django_rest_passwordreset.tokens.RandomNumberTokenGenerator"
}

You can configure the minimum and maximum number as follows:

DJANGO_REST_PASSWORDRESET_TOKEN_CONFIG = {
    "CLASS": "django_rest_passwordreset.tokens.RandomNumberTokenGenerator",
    "OPTIONS": {
        "min_number": 1500,
        "max_number": 9999
    }
}

It uses random.SystemRandom().randint() to generate a good random number.

Write your own Token Generator

Please see token_configuration/django_rest_passwordreset/tokens.py for example implementation of number and string token generator.

The basic idea is to create a new class that inherits from BaseTokenGenerator, takes arbitrary arguments (args and kwargs) in the __init__ function as well as implementing a generate_token function.

from django_rest_passwordreset.tokens import BaseTokenGenerator


class RandomStringTokenGenerator(BaseTokenGenerator):
    """
    Generates a random string with min and max length using os.urandom and binascii.hexlify
    """

    def __init__(self, min_length=10, max_length=50, *args, **kwargs):
        self.min_length = min_length
        self.max_length = max_length

    def generate_token(self, *args, **kwargs):
        """ generates a pseudo random code using os.urandom and binascii.hexlify """
        # determine the length based on min_length and max_length
        length = random.randint(self.min_length, self.max_length)

        # generate the token using os.urandom and hexlify
        return binascii.hexlify(
            os.urandom(self.max_length)
        ).decode()[0:length]

Known Issues / FAQ

Django 2.1 Migrations - Multiple Primary keys for table ...

Django 2.1 introduced a breaking change for migrations (see Django Issue #29790). We therefore had to rewrite the migration 0002_pk_migration.py such that it covers Django versions before (<) 2.1 and later (>=) 2.1.

Some information is written down in Issue #8.

The reset_password_token_created signal is not fired

You need to make sure that the code with @receiver(reset_password_token_created) is executed by the python interpreter. To ensure this, you have two options:

  1. Put the code at a place that is automatically loaded by Django (e.g., models.py, views.py), or

  2. Import the file that contains the signal within your app.py ready function:

some_app/signals.py

from django.core.mail import EmailMultiAlternatives
from django.dispatch import receiver
from django.template.loader import render_to_string
from django.urls import reverse

from django_rest_passwordreset.signals import reset_password_token_created


@receiver(reset_password_token_created)
def password_reset_token_created(sender, instance, reset_password_token, *args, **kwargs):
    # ...

some_app/app.py

from django.apps import AppConfig

class SomeAppConfig(AppConfig):
    name = 'your_django_project.some_app'
    verbose_name = 'Some App'

    def ready(self):
        import your_django_project.some_app.signals  # noqa

some_app/init.py

default_app_config = 'your_django_project.some_app.SomeAppConfig'

MongoDB not working

Apparently, the following piece of code in the Django Model prevents MongodB from working:

 id = models.AutoField( 
     primary_key=True 
 ) 

See issue #49 for details.

Contributions

This library tries to follow the unix philosophy of "do one thing and do it well" (which is providing a basic password reset endpoint for Django Rest Framework). Contributions are welcome in the form of pull requests and issues! If you create a pull request, please make sure that you are not introducing breaking changes.

Tests

See folder tests/. Basically, all endpoints are covered with multiple unit tests.

Use this code snippet to run tests:

make install
make test

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django_ninja_passwordreset-1.2.5.tar.gz (209.9 kB view details)

Uploaded Source

Built Distribution

django_ninja_passwordreset-1.2.5-py3-none-any.whl (18.2 kB view details)

Uploaded Python 3

File details

Details for the file django_ninja_passwordreset-1.2.5.tar.gz.

File metadata

File hashes

Hashes for django_ninja_passwordreset-1.2.5.tar.gz
Algorithm Hash digest
SHA256 f32a39772a3456b82f0b21219f7f02b828314a43f756a882deea5d074364bdce
MD5 beceb2a506cc2c8215cc874176982be4
BLAKE2b-256 464851eee3dc3f3d5a644557bba73733227b347dbe2b373df144df6e940f14b9

See more details on using hashes here.

File details

Details for the file django_ninja_passwordreset-1.2.5-py3-none-any.whl.

File metadata

File hashes

Hashes for django_ninja_passwordreset-1.2.5-py3-none-any.whl
Algorithm Hash digest
SHA256 e61972407340a4e406b2ea8482e9ed1f63a5b7fd42c808ee87db5b7ac4eff879
MD5 49fc4ce69790f190d04f9b4d16a69906
BLAKE2b-256 1815a84b66d26890d48e84c1fb8659249f859e346deed0118e9a9a83d16bdc05

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page