
django-password-reset's Introduction

Django-password-reset


Class-based views for password reset, implementing the usual "forgot password?" workflow:

  • The user fills in their email address or username
  • Django sends them an email with a token to reset their password
  • The user chooses a new password

The token is not stored server-side; it is generated (and later verified) with Django's signing functionality, so no database state is needed for an outstanding reset.

  • Author: Bruno Renié and contributors (https://github.com/brutasse/django-password-reset/contributors)
  • Licence: BSD
  • Compatibility: Django 3+, Python 3+

Installation

  • pip install -U django-password-reset
  • Add password_reset to your INSTALLED_APPS
  • Include password_reset.urls in your root urls.py

For extensive documentation see the docs folder or read it on readthedocs.

To install the in-development version of django-password-reset, run pip install django-password-reset==dev.

Bugs

Really? Oh well... Please Report. Or better, fix :)

django-password-reset's People

Contributors

aaloy, anx-abruckner, artofhuman, bastiaanraa, brutasse, busy, dereknutile, dirtycoder, eduardo-matos, emesik, ericdwang, gigovich, gunnaringe, honi, joannadal, joshkel, marcosalcazar, mscheper, otaf, saggit, timgraham, vrocha


django-password-reset's Issues

Enable success_url configuration for Recover view

Right now it is not possible to configure success_url for the Recover view. It would be nice if it were possible, just like for the Reset view.

Since the reset_sent URL needs signature parameters, Recover could use success_url_name (instead of just success_url), which would default to 'password_reset_sent', and then the get_success_url method could be:

    from django.urls import reverse

    def get_success_url(self):
        return reverse(self.success_url_name, args=[self.mail_signature])

Update the library for latest Django

Hello,

Will you update your library for the many changes in the latest Django?

  File "/usr/local/lib/python3.10/dist-packages/password_reset/urls.py", line 1, in <module>
    from django.conf.urls import url
ImportError: cannot import name 'url' from 'django.conf.urls' (/usr/local/lib/python3.10/dist-packages/django/conf/urls/__init__.py)

Thanks

Not able to redirect.

After entering the email on '/password_reset/recover/', it is not redirected. Instead, the same recovery page is shown!

Customize the HTML files from my django project

Hi, I created the following folder in my Django project to customise the templates, but it doesn't work.

    password_reset/
        templates/
            password_reset/
                base.html
                ....

How can I customise the HTML templates from my Django project?

Thanks.

views.Reset.invalid AttributeError exception

Looks like the exception in https://github.com/brutasse/django-password-reset/blob/master/password_reset/views.py#L139 is thrown before Reset.user is assigned and results in a call to Reset.get_form_kwargs that tries to access Reset.user.

Exception details:

AttributeError: 'Reset' object has no attribute 'user'
  File "django/core/handlers/base.py", line 149, in get_response
    response = self.process_exception_by_middleware(e, request)
  File "django/core/handlers/base.py", line 147, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "django/views/generic/base.py", line 68, in view
    return self.dispatch(request, *args, **kwargs)
  File "password_reset/views.py", line 132, in dispatch
    return self.invalid()
  File "password_reset/views.py", line 138, in invalid
    return self.render_to_response(self.get_context_data(invalid=True))
  File "password_reset/views.py", line 146, in get_context_data
    ctx = super(Reset, self).get_context_data(**kwargs)
  File "django/views/generic/edit.py", line 122, in get_context_data
    kwargs['form'] = self.get_form()
  File "django/views/generic/edit.py", line 74, in get_form
    return form_class(**self.get_form_kwargs())
  File "password_reset/views.py", line 142, in get_form_kwargs
    kwargs['user'] = self.user

password_reset_recover blank screen

Hi,

I think I implemented the library correctly:
settings.py:

    INSTALLED_APPS = [
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        'app10minmentors',
        'password_reset',
    ]

urls.py:

    url(r'^password_reset/', include('password_reset.urls', namespace="password_reset")),

signin.html:

    {% block content %}
    {% csrf_token %}
    Sign In
    Sign in »
    </form>
    <p align="center"><a href="{% url "password_reset:password_reset_recover" %}">Forgot Password</a></p>
    {% endblock content %}

but when I click on 'Forgot Password' I can see a blank screen... Any Idea? Thanks in advance

Override email_template_name with a local file in project templates

I want to use a customized template for password recovery. I use

    url(r"^accounts/password", include("password_reset.urls")),

but I can't pass email_template_name for the recovery text to this line:

    {email_template_name: "register/recovery_mail.txt"}

It's not working.

Reset link doesn't show form

Hi, I implemented it in my Django 1.10 and Python 3 project, and when I click the URL that I received by email, it doesn't show me anything; it's a blank form. Can I get some help please?

Permit changing error messages

Currently, the error messages displayed to the user ("Sorry, this user doesn't exist.", "The two passwords didn't match.", etc.) are hard-coded inside the forms' logic. It would be preferable to be able to easily customise these messages on subclasses, and/or with config settings.

password validation support

It'd be good to support password-validation added in Django 1.9.

It's currently possible to reset passwords to one char (e.g. a), common passwords (e.g. abc123), and the username (e.g. username admin and password admin). Password validators could prevent this.

This is a difference with the builtin django.contrib.auth password reset on 1.9 (refs: #26).
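As an added example (not code from django-password-reset or from Django itself), the following stand-alone check mirrors the four validators Django enables by default (minimum length, common passwords, similarity to user attributes, all-numeric) and rejects the three cases listed in this issue. The common-password set is a constructed stand-in for Django's bundled list, the similarity threshold is Django's default of 0.7, and the Django wiring is shown only in comments.

```python
"""Stand-in for Django's default password validators (added example, not library code)."""
import re
from difflib import SequenceMatcher

MIN_LENGTH = 8
MAX_SIMILARITY = 0.7  # default of Django's UserAttributeSimilarityValidator
# Constructed stand-in for Django's common-passwords list (the real one has ~20k entries).
COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty", "letmein"}


def validate_new_password(password: str, user_attrs: dict) -> list:
    """Return the list of validation errors; an empty list means the password is acceptable.

    user_attrs maps attribute names to values, e.g. {"username": ..., "email": ...},
    the same attributes UserAttributeSimilarityValidator compares against.
    """
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"This password is too short. It must contain at least {MIN_LENGTH} characters.")
    if password.lower().strip() in COMMON_PASSWORDS:
        errors.append("This password is too common.")
    if password.isdigit():
        errors.append("This password is entirely numeric.")
    password_lower = password.lower()
    for name, value in user_attrs.items():
        if not value:
            continue
        value_lower = value.lower()
        # Compare against the whole attribute and against each word-like part of it,
        # so "admin" is caught for username "admin" and "alice" for "alice@example.test".
        for part in re.split(r"\W+", value_lower) + [value_lower]:
            if part and SequenceMatcher(a=password_lower, b=part).quick_ratio() >= MAX_SIMILARITY:
                errors.append(f"The password is too similar to the {name}.")
                break
    return errors


# In a Django project this logic already exists; a reset form would call
#     from django.contrib.auth.password_validation import validate_password
#     validate_password(new_password, user=self.user)   # raises ValidationError
# from its clean method so that AUTH_PASSWORD_VALIDATORS from settings apply.
```

With this in the reset form's clean step, "a" fails on length, "abc123" on the common list, and "admin" for user admin on similarity, while a long passphrase unrelated to the username and email passes.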

Not working when using a namespace

I tried to use it on Django 1.10.2 with Python 3.5.

It's not working when I use a namespace in my root URLconf. For example:

    url(r'^my_apps/', include('my_apps.urls', namespace='app1')),

So I must add to the templates something like this, for example:

    {% url 'app1:password_reset_reset' %}

for each template file,

and in the views.py file as well, which contains URLs.

Token valid after password changed

Hi,

as far as I can test on my installation, after changing my password with the e-mail link, I can still change the password again using the same link.

django.urls.exceptions.NoReverseMatch: Reverse for 'password_reset_reset' with arguments '('NQ:1dYOiG:BKXR_HhymHf7uYTnlDcPHioITOY',)' and keyword arguments '{}' not found. 0 pattern(s) tried: []

hi, @brutasse

I met a problem and could not find an answer through Google or the docs, so I have to disturb you.

Django: 1.10.1
Python: 3.5.2

When a user tries to reset password, it throws exception:

NoReverseMatch at /pwd_reset/recover/
Reverse for 'password_reset_reset' with arguments '('NQ:1dYOiG:BKXR_HhymHf7uYTnlDcPHioITOY',)' and keyword arguments '{}' not found. 0 pattern(s) tried: []

Request Method:	POST
Request URL:	http://127.0.0.1:8000/pwd_reset/recover/
Django Version:	1.10.1
Exception Type:	NoReverseMatch
Exception Value:	
Reverse for 'password_reset_reset' with arguments '('NQ:1dYOiG:BKXR_HhymHf7uYTnlDcPHioITOY',)' and keyword arguments '{}' not found. 0 pattern(s) tried: []
Exception Location:	/home/vagrant/.pyenv/versions/venv-3.5.2/lib/python3.5/site-packages/django/urls/resolvers.py in _reverse_with_prefix, line 392
Python Executable:	/home/vagrant/.pyenv/versions/venv-3.5.2/bin/python
Python Version:	3.5.2
Python Path:	
['/home/vagrant/codes/django_test/mysite',
 '/home/vagrant/codes/django_test/mysite',
 '/home/vagrant/.pyenv/versions/3.5.2/lib/python35.zip',
 '/home/vagrant/.pyenv/versions/3.5.2/lib/python3.5',
 '/home/vagrant/.pyenv/versions/3.5.2/lib/python3.5/plat-linux',
 '/home/vagrant/.pyenv/versions/3.5.2/lib/python3.5/lib-dynload',
 '/home/vagrant/.pyenv/versions/venv-3.5.2/lib/python3.5/site-packages']
Server time:	Fri, 21 Jul 2017 03:34:48 +0000

Error during template rendering

In template /home/vagrant/codes/django_test/mysite/templates/password_reset/recovery_email.txt, error at line 7
Reverse for 'password_reset_reset' with arguments '('NQ:1dYOiG:BKXR_HhymHf7uYTnlDcPHioITOY',)' and keyword arguments '{}' not found. 0 pattern(s) tried: []

1	{% load i18n %}{% blocktrans %}Dear {{ username }},{% endblocktrans %}
2	
3	{% blocktrans with domain=site.domain %}You -- or someone pretending to be you -- has requested a password reset on {{ domain }}.{% endblocktrans %}
4	
5	{% trans "You can set your new password by following this link:" %}
6	
7	http{% if secure %}s{% endif %}://{{ site.domain }}{% url "password_reset_reset" token %}
8	
9	{% trans "If you don't want to reset your password, simply ignore this email and it will stay unchanged." %}
10	

The red words: {% url "password_reset_reset" token %}


Code:

settings.py:

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'blog',
    'account',
    'password_reset',
]

urls.py

from django.conf.urls import url, include
from django.contrib import admin

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    url(r'^blog/', include('blog.urls', namespace='blog', app_name='blog')),
    url(r'^account/', include('account.urls', namespace='account', app_name='account')),
    url(r'^pwd_reset/', include('password_reset.urls', namespace='pwd_reset', app_name='pwd_reset')),
]

I followed the documentation and wrote the code above in the project's root settings and urls files.

When I visited the url http://127.0.0.1:8000/pwd_reset/recover/ and submitted a username, then an exception came.

Thank you!

Reset only by email

Since usernames are publicly available and some users just "try" to recover other users' passwords, is there a way I could reset by email only?

Django 4.0 URL problem

from django.conf.urls import url (deprecated in Django 4.0)
I use re_path in the urls to solve this.
But it also throws an error on: from django.utils.translation import ugettext_lazy as _
(ugettext_lazy has been removed in Django 4.0)
Use: from django.utils.translation import gettext_lazy as _
When you've done this it gives an error:

    user_recovers_password = Signal(
    TypeError: __init__() got an unexpected keyword argument 'providing_args'

compared with django password_reset?

What's the difference between Django's contrib.auth password_reset and this project?

The features seem similar. If there is a difference, it should probably be documented what it is and why this should be used instead of the Django one.

Italian translation

Hi, brutasse.

I wrote a gettext translation of your app into Italian. I attach it.

Greetings
Attachment: it.zip

Nothing shows up on recover page.

Apart from the content on the /templates/password_reset/base.html, nothing else shows up on the url generated by {% url "password_reset_recover" %}

I was expecting a form with a field for the email.

Am I missing something here?

Account enumeration vulnerability

When filling in the username/email field, if the specified user doesn't exist, then it will respond with "Sorry, this user doesn't exist." allowing would-be attackers to discover usernames and email addresses within the system using brute-force methods.

Ideally, this would be an option that could be set, with the default being that it would respond the same way it responds when a user types in a correct username or email.

URL exposes base64 encoded email address

If you go to /password/recover/ and enter a valid username, it redirects to /password/recover//. If you enter an invalid username then it redirects to /password/recover/IiI/, which decodes to an empty string.

This is insecure because it allows a third party to test for username validity (and obtain previously unknown email addresses) by attempting to reset passwords. It should not in any way expose:

  1. whether a username/email address is valid or not, or
  2. return an email address for a valid username when the email address was not known previously.

RemovedInDjango19Warning from models.Site

My unit tests for my Django 1.8.5 project are generating the following warning:

django.utils.deprecation.RemovedInDjango19Warning: Model class django.contrib.sites.models.Site doesn't declare an explicit app_label and either isn't in an application in INSTALLED_APPS or else was imported before its application was loaded. This will no longer be supported in Django 1.9.

If I turn deprecation warnings into errors, here's the call stack.

  File "/Users/josh/src/workdir/project/events/tests/test_views_register.py", line 84, in test_without_contact_address
    response = self.client.get(reverse('events:register_payment', args=(self.order.pk,)))
  File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 549, in reverse
    app_list = resolver.app_dict[ns]
  File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 351, in app_dict
    self._populate()
  File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 284, in _populate
    for pattern in reversed(self.url_patterns):
  File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 401, in url_patterns
    patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
  File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 395, in urlconf_module
    self._urlconf_module = import_module(self.urlconf_name)
  File "/Users/josh/src/workdir/env/lib/python3.4/importlib/__init__.py", line 109, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 2254, in _gcd_import
  File "<frozen importlib._bootstrap>", line 2237, in _find_and_load
  File "<frozen importlib._bootstrap>", line 2226, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 1200, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 1129, in _exec
  File "<frozen importlib._bootstrap>", line 1471, in exec_module
  File "<frozen importlib._bootstrap>", line 321, in _call_with_frames_removed
  File "/Users/josh/src/workdir/project/project/urls.py", line 8, in <module>
    import password_reset.urls
  File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/password_reset/urls.py", line 3, in <module>
    from . import views
  File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/password_reset/views.py", line 4, in <module>
    from django.contrib.sites.models import Site
  File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/contrib/sites/models.py", line 78, in <module>
    class Site(models.Model):
  File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/db/models/base.py", line 116, in __new__
    warnings.warn(msg, RemovedInDjango19Warning, stacklevel=2)
django.utils.deprecation.RemovedInDjango19Warning: Model class django.contrib.sites.models.Site doesn't declare an explicit app_label and either isn't in an application in INSTALLED_APPS or else was imported before its application was loaded. This will no longer be supported in Django 1.9.

If I understand correctly, although django-password-reset 0.8 improved functionality for when the sites framework isn't being used, it looks like simply importing Site is enough to trigger the warning. I can think of a couple of possible solutions:

  1. Remove the top-level Site import, and change get_site to import it locally.
  2. Check INSTALLED_APPS before importing Site. I noticed that raven-python does this, and it seems like a good solution.

Does either of these approaches sound good? If so, I'll submit a PR.

URL

How do I insert the URLs in the urls.py file?

reset links aren't invalidated after they are used

As far as I can tell, password reset links aren't invalidated or expired after they are used.

The reset token is equivalent to a password since it allows anyone who knows it to set a new password. Invalidating the reset token after it is used limits the duration of its validity, which is particularly important for long expiration windows like the 2 day default for this package.

Of course, by all means, once a user's password has been reset, the randomly-generated token should no longer be valid.

https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet#Step_3.29_Send_a_Token_Over_a_Side-Channel (end of paragraph)

Not possible not to use user.username

Hi there,

I was trying to use django-password-reset with my custom user model, which uses the email as username, thus I don't have an username field. Here is a part of my custom model:

class MyUser(AbstractBaseUser, PermissionsMixin):
    email = models.EmailField(max_length=255, unique=True)
    USERNAME_FIELD = 'email'

But it fails due to this:
https://github.com/brutasse/django-password-reset/blob/master/password_reset/views.py#L136

Am I missing something? Should it work even not having username on my model?

Provide API for generating a reset url outside of the Form/View Code

I recently needed to send a user a reset email programmatically without going through the form request/response cycle. I ended up hacking together a function that generates a token/url but it'd be nice if there was a "blessed" way to do this from within the library.

This is what I came up with, is there a better way to do this and/or could I submit a patch with similar functionality?

    from django.core import signing
    from django.urls import reverse

    from password_reset.views import SaltMixin


    def get_password_reset_url(user):
        # The salt must be passed by keyword: the second positional argument of
        # signing.dumps() is the key, not the salt.
        token = signing.dumps(user.pk, salt=SaltMixin.salt)
        return reverse('password_reset_reset', args=[token])

Release new version

It seems a lot of work has been done since 0.7 was released. Can you release a new version onto PyPi, so it can easily be included in a requirements.txt file?

Django 1.8 URL problem

There is a problem with the URLs when using Django 1.8. Adding the password_reset namespace to the URLs fixes it: {% url "password_reset:password_reset_reset" token %}

loads_with_timestamp

Hi guys,

I was debugging some issues I'm having with django-password-reset and noticed that the RecoverDone view makes a call to loads_with_timestamp function defined right above it: https://github.com/brutasse/django-password-reset/blob/0.7/password_reset/views.py#L24

The docstring states that the function should return the unsigned value along with its timestamp, but there's a try/except; in case the signing.SignatureExpired exception doesn't occur, None would be returned, which means that the view will fail with a TypeError because it would be trying to iterate over None to assign timestamp and email in the context.

Thought that there might be some inconsistency there.
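Several of the reports above point at the same design question: the README states that the token is stateless and produced with Django's signing; the "Account enumeration vulnerability" and "URL exposes base64 encoded email address" issues object to the recover view revealing whether an account exists; "reset links aren't invalidated after they are used" asks for single-use tokens; and this issue notes that loads_with_timestamp can return None. The following is an added example that addresses all four in one token design. It is not code from django-password-reset: it uses hmac and hashlib from the standard library as a stand-in for django.core.signing so that it runs without Django, and the secret key, salt name, user store and outbox are constructed for the example.

```python
"""Stateless, single-use password-reset tokens (added example, not the library's code).

Stand-in for django.core.signing: a token is payload:timestamp:signature with a
salted HMAC-SHA256, so nothing is stored server-side. Binding the payload to a
fingerprint of the current password hash makes the token useless once used.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-secret-for-this-example"  # assumption: stands in for settings.SECRET_KEY
SALT = "password_recovery"  # assumption: salt name, as in the library's SaltMixin
TOKEN_EXPIRES = 3600 * 48   # the two-day default mentioned in the issues

# Constructed user store and outbox; a real app would use the ORM and send_mail().
USERS = {1: {"username": "alice", "email": "alice@example.test", "password_hash": "pbkdf2$old"}}
OUTBOX = []
GENERIC_MESSAGE = "If an account matches what you entered, a reset email has been sent."


class BadSignature(Exception):
    """Token was malformed or tampered with."""


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(data, salt):
    # Salted key, as django.core.signing does it: HMAC key = SHA-256(salt + secret).
    key = hashlib.sha256(salt.encode() + SECRET_KEY).digest()
    return _b64(hmac.new(key, data.encode(), hashlib.sha256).digest())


def dumps(obj, salt=SALT, now=None):
    """Serialise obj into a signed, timestamped token (now overrides the clock for tests)."""
    payload = _b64(json.dumps(obj, separators=(",", ":")).encode())
    stamp = _b64(str(int(time.time() if now is None else now)).encode())
    data = f"{payload}:{stamp}"
    return f"{data}:{_signature(data, salt)}"


def loads_with_timestamp(token, salt=SALT):
    """Return (obj, timestamp) for any correctly signed token, expired or not.

    It never returns None: the signature is checked here, the age by the caller.
    """
    try:
        payload, stamp, sig = token.split(":")
    except ValueError:
        raise BadSignature("malformed token") from None
    if not hmac.compare_digest(sig, _signature(f"{payload}:{stamp}", salt)):
        raise BadSignature("signature mismatch")
    return json.loads(_unb64(payload)), int(_unb64(stamp))


def _fingerprint(user):
    # Changes whenever the password changes; this is what invalidates a used token.
    return hashlib.sha256(user["password_hash"].encode()).hexdigest()[:16]


def make_token(pk, now=None):
    return dumps({"pk": pk, "fp": _fingerprint(USERS[pk])}, now=now)


def request_reset(identifier, now=None):
    """Start a reset. The response is identical whether or not the account exists."""
    pk = next((k for k, u in USERS.items() if identifier in (u["username"], u["email"])), None)
    if pk is not None:
        OUTBOX.append({"to": USERS[pk]["email"], "token": make_token(pk, now)})
    return GENERIC_MESSAGE  # never echo the address, or a signed copy of it, in the redirect URL


def check_token(token, now=None):
    """Return the user pk for a valid, unexpired, unused token; otherwise None."""
    try:
        obj, stamp = loads_with_timestamp(token)
    except BadSignature:
        return None
    if not isinstance(obj, dict) or (time.time() if now is None else now) - stamp > TOKEN_EXPIRES:
        return None
    user = USERS.get(obj.get("pk"))
    if user is None or not hmac.compare_digest(obj.get("fp", ""), _fingerprint(user)):
        return None
    return obj["pk"]


def reset_password(token, new_password, now=None):
    """Set a new password if the token checks out; the token is dead afterwards."""
    pk = check_token(token, now)
    if pk is None:
        return False
    # Constructed hash; Django would use make_password(). Any change to the stored
    # hash changes the fingerprint, so the same link cannot be used a second time.
    USERS[pk]["password_hash"] = "pbkdf2$" + hashlib.sha256(new_password.encode()).hexdigest()
    return True
```

Two things differ from the flow described in the issues: the page shown after the recover form carries no signed copy of the email address (the generic message is all a caller gets, for known and unknown identifiers alike), and a token's validity depends on the password hash at the time it was issued, so the two-day window ends early as soon as the link is used. Rate limiting of reset requests per identifier, the point raised in the "Plug in security feedback" issue, is a separate control and is not part of this example.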

Django 2.1.2 cannot find password_reset_reset

  1. /mysite/mysite/settings.py:
     add 'password_reset' to INSTALLED_APPS and add the email settings as follows:

        EMAIL_HOST = 'smtp.qq.com'
        EMAIL_HOST_USER = '@qq.com'
        EMAIL_HOST_PASSWORD = ''
        EMAIL_PORT = 587
        EMAIL_USE_TLS = True
        DEFAULT_FROM_EMAIL = '*****@qq.com'
        EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'

  2. Copy the directory "python3.7/site-packages/password_reset/templates/password_reset" to the directory "DjangoTest/mysite/templates" of my project named mysite.

  3. /mysite/urls.py:
     add the following to urlpatterns:

        path('pwd_reset/', include(('password_reset.urls', 'pwd_reset'), namespace='pwd_reset')),

  4. http://127.0.0.1:8000/pwd_reset/recover/ is OK, but when I input a user and click "Recover My Password", I get the error page attached (pwd_reset_recover.zip):

NoReverseMatch

Reverse for 'password_reset_recover' with arguments '()' and keyword arguments '{}' not found. 0 pattern(s) tried.

Please include default settings in settings.py

By changing line 51 to:

    case_sensitive = getattr(settings, 'CASE_SENSITIVE_RESET', True)

and line 108 to:

    token_expires = getattr(settings, 'PASSWORD_TOKEN_EXPIRATION', 3600 * 48)  # Two days

you will give users a better way to configure your application.

Plug-in security feedback

There is no limit on the number of times the plug-in will reset the password; you can reset it multiple times. You should add time and count restrictions.
If the reset-password link address is leaked, it may cause security incidents.
