brutasse / django-password-reset
Class-based views for password reset
Home Page: https://django-password-reset.readthedocs.io
License: BSD 3-Clause "New" or "Revised" License
When filling in the username/email field, if the specified user doesn't exist, it responds with "Sorry, this user doesn't exist.", allowing would-be attackers to discover usernames and email addresses within the system using brute-force methods.
Ideally, this would be an option that could be set, with the default being that it would respond the same way it responds when a user types in a correct username or email.
I recently needed to send a user a reset email programmatically without going through the form request/response cycle. I ended up hacking together a function that generates a token/url but it'd be nice if there was a "blessed" way to do this from within the library.
This is what I came up with, is there a better way to do this and/or could I submit a patch with similar functionality?
    from django.core import signing
    from django.core.urlresolvers import reverse  # django.urls.reverse on Django 1.10+

    from password_reset.views import SaltMixin


    def get_password_reset_url(user):
        # Sign the primary key with the salt the library's views use, so the
        # token is accepted by the 'password_reset_reset' view. The salt must be
        # passed by keyword: the second positional argument of signing.dumps()
        # is the signing key, not the salt.
        token = signing.dumps(user.pk, salt=SaltMixin.salt)
        return reverse('password_reset_reset', args=[token])
I want to use a customized template for password recovery.
I use
    url(r"^accounts/password", include("password_reset.urls")),
but I can't pass email_template_name for the text of the recovery mail to this line:
    {email_template_name: "register/recovery_mail.txt"}
It's not working.
After entering the email on '/password_reset/recover/', it is not redirected. Instead the same recovery page is shown!
Similar to #26: it would help me if there was an explanation for how this project differs from django-registration. Is this designed for sites where users shouldn't be able to register themselves, but should still be able to reset their passwords?
Currently, the error messages displayed to the user ("Sorry, this user doesn't exist.", "The two passwords didn't match.", etc.) are hard-coded inside the forms' logic. It would be preferable to be able to easily customise these messages on subclasses, and/or with config settings.
Hello,
Will you update your library for many changes in the latest Django?
File "/usr/local/lib/python3.10/dist-packages/password_reset/urls.py", line 1, in <module>
from django.conf.urls import url
ImportError: cannot import name 'url' from 'django.conf.urls' (/usr/local/lib/python3.10/dist-packages/django/conf/urls/__init__.py)
Thanks
By changing line 51 to:
    case_sensitive = getattr(settings, 'CASE_SENSITIVE_RESET', True)
and line 108 to:
    token_expires = getattr(settings, 'PASSWORD_TOKEN_EXPIRATION', 3600 * 48)  # Two days
you will give users a better way to configure your application.
/mysite/mysite/settings.py:
add 'password_reset' to INSTALLED_APPS
add email settings as follows:
    EMAIL_HOST = 'smtp.qq.com'
    EMAIL_HOST_USER = '@qq.com'
    EMAIL_HOST_PASSWORD = ''
    EMAIL_PORT = 587
    EMAIL_USE_TLS = True
    DEFAULT_FROM_EMAIL = '*****@qq.com'
    EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
copy the directory "python3.7/site-packages/password_reset/templates/password_reset" to the directory "DjangoTest/mysite/templates" of my project named mysite
/mysite/urls.py:
add "path('pwd_reset/', include(('password_reset.urls', 'pwd_reset'), namespace='pwd_reset'))," to urlpatterns
http://127.0.0.1:8000/pwd_reset/recover/ is OK, but when I input a user and click "Recover My Password", I get the error page in the attached file
NoReverseMatch at pwd_reset_recover.zip
Hi,
I think I implemented the library correctly:
settings.py:
    INSTALLED_APPS = [
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        'app10minmentors',
        'password_reset',
    ]
urls.py:
url(r'^password_reset/',include('password_reset.urls',namespace="password_reset")),
signin.html
{% block content %}
Sign in »
</form>
<p align="center"><a href="{% url "password_reset:password_reset_recover" %}">Forgot Password</a></p>
{% endblock content %}
but when I click on 'Forgot Password' I see a blank screen... Any idea? Thanks in advance.
https://github.com/brutasse/django-password-reset/blob/master/password_reset/views.py#L19L20
What about something like:
    from django.conf import settings


    class SaltMixin(object):
        salt = '%spassword_recovery' % settings.SECRET_KEY
        url_salt = '%spassword_recovery_url' % settings.SECRET_KEY
from django.conf.urls import url (deprecated in Django 4.0)
I use re_path in the urls to solve this.
But it also throws an error on: from django.utils.translation import gettext_lazy as _
ugettext_lazy (has been removed in Django 4.0)
use: from django.utils.translation import gettext_lazy as _
When you have done this it gives an error:
    user_recovers_password = Signal(
TypeError: __init__() got an unexpected keyword argument 'providing_args'
The PasswordResetForm should take a commit argument so that the class is extensible.
Hi, I implemented it in my Django 1.10 and Python 3 project, and when I click the URL that I received by email it doesn't show me anything, it's a blank form. Can I get some help please?
Reverse for 'password_reset_recover' with arguments '()' and keyword arguments '{}' not found. 0 pattern(s) tried.
Right now there's only a github release: https://github.com/brutasse/django-password-reset/releases/tag/3.0.0
But, not a PyPI release: https://pypi.org/project/django-password-reset/#history
hi, @brutasse
I met a problem and could not find an answer through Google or the docs, so I have to disturb you.
Django: 1.10.1
Python: 3.5.2
When a user tries to reset password, it throws exception:
NoReverseMatch at /pwd_reset/recover/
Reverse for 'password_reset_reset' with arguments '('NQ:1dYOiG:BKXR_HhymHf7uYTnlDcPHioITOY',)' and keyword arguments '{}' not found. 0 pattern(s) tried: []
Request Method: POST
Request URL: http://127.0.0.1:8000/pwd_reset/recover/
Django Version: 1.10.1
Exception Type: NoReverseMatch
Exception Value:
Reverse for 'password_reset_reset' with arguments '('NQ:1dYOiG:BKXR_HhymHf7uYTnlDcPHioITOY',)' and keyword arguments '{}' not found. 0 pattern(s) tried: []
Exception Location: /home/vagrant/.pyenv/versions/venv-3.5.2/lib/python3.5/site-packages/django/urls/resolvers.py in _reverse_with_prefix, line 392
Python Executable: /home/vagrant/.pyenv/versions/venv-3.5.2/bin/python
Python Version: 3.5.2
Python Path:
['/home/vagrant/codes/django_test/mysite',
'/home/vagrant/codes/django_test/mysite',
'/home/vagrant/.pyenv/versions/3.5.2/lib/python35.zip',
'/home/vagrant/.pyenv/versions/3.5.2/lib/python3.5',
'/home/vagrant/.pyenv/versions/3.5.2/lib/python3.5/plat-linux',
'/home/vagrant/.pyenv/versions/3.5.2/lib/python3.5/lib-dynload',
'/home/vagrant/.pyenv/versions/venv-3.5.2/lib/python3.5/site-packages']
Server time: Fri, 21 Jul 2017 03:34:48 +0000
Error during template rendering
In template /home/vagrant/codes/django_test/mysite/templates/password_reset/recovery_email.txt, error at line 7
Reverse for 'password_reset_reset' with arguments '('NQ:1dYOiG:BKXR_HhymHf7uYTnlDcPHioITOY',)' and keyword arguments '{}' not found. 0 pattern(s) tried: []
1 {% load i18n %}{% blocktrans %}Dear {{ username }},{% endblocktrans %}
2
3 {% blocktrans with domain=site.domain %}You -- or someone pretending to be you -- has requested a password reset on {{ domain }}.{% endblocktrans %}
4
5 {% trans "You can set your new password by following this link:" %}
6
7 http{% if secure %}s{% endif %}://{{ site.domain }}{% url "password_reset_reset" token %}
8
9 {% trans "If you don't want to reset your password, simply ignore this email and it will stay unchanged." %}
10
The red words: {% url "password_reset_reset" token %}
codes:
settings.py:
    INSTALLED_APPS = [
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        'blog',
        'account',
        'password_reset',
    ]
urls.py
    from django.conf.urls import url, include
    from django.contrib import admin

    urlpatterns = [
        url(r'^admin/', admin.site.urls),
        url(r'^blog/', include('blog.urls', namespace='blog', app_name='blog')),
        url(r'^account/', include('account.urls', namespace='account', app_name='account')),
        url(r'^pwd_reset/', include('password_reset.urls', namespace='pwd_reset', app_name='pwd_reset')),
    ]
I followed the documentation and wrote the codes above in the project's root settings and urls file.
When I visited the url http://127.0.0.1:8000/pwd_reset/recover/ and submitted a username, then an exception came.
Thank you!
Right now it is not possible to configure success_url for Recover view. It would be nice if it would be possible just like Reset view.
Since reset_sent url needs signature parameters, then Recover could use success_url_name (instead of just success_url) which will default to 'password_reset_sent', and then get_success_url method could be:
    def get_success_url(self):
        return reverse(self.success_url_name, args=[self.mail_signature])
from django.core.urlresolvers import reverse, reverse_lazy
What's the difference with django's contrib auth password_reset and this project?
Seems to be similar features. If there is a difference probably should document what they are and why this should be used vs the django one.
Hi,
As far as I can test on my installation, after changing my password with the e-mail link, I can still change the password again using the same link.
Since username is publicly available and some users just "try" to recover passwords of other users, is there a way I could reset by email only?
If you go to /password/recover/ and enter a valid username, it redirects to /password/recover//. If you enter an invalid username then it redirects to /password/recover/IiI/, which decodes to an empty string.
This is insecure because it allows a third party to test for username validity (and obtain previously unknown email addresses) by attempting to reset the passwords. It should not in any way expose:
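The two reports above, the "Sorry, this user doesn't exist." message and the redirect whose signed value differs for a hit and a miss, are the same enumeration bug seen through two different channels. The following is an added example and not code from django-password-reset: a recovery handler written the leaky way and the safe way, plus the check a reviewer can run against either. The USERS table, the handler names and the outbox list are constructed for the example.

```python
"""Added example (not code from django-password-reset): a recovery endpoint whose
observable response does not depend on whether the identifier exists."""

# Constructed user store: identifier -> e-mail address.
USERS = {
    "alice": "alice@example.org",
    "bob": "bob@example.org",
}

# The redirect target is fixed. It must not embed a signed e-mail address or
# anything else that differs between a hit and a miss, otherwise the URL
# itself becomes the oracle.
SENT_URL = "/password/recover/sent/"


def recover_leaky(identifier, outbox):
    """Behaves like the form described in the issue: a miss gets its own message."""
    email = USERS.get(identifier.strip().lower())
    if email is None:
        return {"status": 200, "error": "Sorry, this user doesn't exist."}
    outbox.append(email)  # constructed stand-in for sending the mail
    return {"status": 302, "location": SENT_URL}


def recover_safe(identifier, outbox):
    """Same status, same body, same redirect for hits and misses. Only the side
    effect (a mail to the real address) differs, and the requester cannot see it."""
    email = USERS.get(identifier.strip().lower())
    if email is not None:
        outbox.append(email)
    return {"status": 302, "location": SENT_URL}


def leaks_existence(handler, known="alice", unknown="nobody"):
    """Reviewer's check: does the response reveal whether the identifier exists?
    True means the handler is enumerable."""
    hit = handler(known, [])
    miss = handler(unknown, [])
    return hit != miss
```

The check compares the whole response, so it also catches the per-user redirect variant: if `SENT_URL` were built from a signature of the address, `hit` and `miss` would differ again. Sending the mail from a queue rather than inline removes the remaining timing difference between the two branches.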
There is no limit on the number of times the plug-in resets the password. You can reset it multiple times. You should add time and number restrictions.
If the reset password link address is leaked, it may cause security incidents.
Looks like the exception in https://github.com/brutasse/django-password-reset/blob/master/password_reset/views.py#L139 is thrown before Reset.user is assigned and results in a call to Reset.get_form_kwargs that tries to access Reset.user.
Exception details:
AttributeError: 'Reset' object has no attribute 'user'
File "django/core/handlers/base.py", line 149, in get_response
response = self.process_exception_by_middleware(e, request)
File "django/core/handlers/base.py", line 147, in get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "django/views/generic/base.py", line 68, in view
return self.dispatch(request, *args, **kwargs)
File "password_reset/views.py", line 132, in dispatch
return self.invalid()
File "password_reset/views.py", line 138, in invalid
return self.render_to_response(self.get_context_data(invalid=True))
File "password_reset/views.py", line 146, in get_context_data
ctx = super(Reset, self).get_context_data(**kwargs)
File "django/views/generic/edit.py", line 122, in get_context_data
kwargs['form'] = self.get_form()
File "django/views/generic/edit.py", line 74, in get_form
return form_class(**self.get_form_kwargs())
File "password_reset/views.py", line 142, in get_form_kwargs
kwargs['user'] = self.user
I tried to use it on Django 1.10.2 with Python 3.5.
It's not working when I use a namespace in my root urls. For example:
    url(r'^my_apps/', include('my_apps.urls', namespace='app1')),
So I must add it in templates like this, for example:
    {% url 'app1:password_reset_reset' %}
for each template file,
and in the views.py file as well, which contains the url.
There is a problem with the urls when using it in Django 1.8. Adding the password_reset namespace to the urls fixes it: {% url "password_reset:password_reset_reset" token %}
I just installed the app for my project and I am figuring out how it works, but I can't render a custom template and I keep getting "template does not exist 'base.html'".
It'd be good to support the password validation added in Django 1.9.
It's currently possible to reset passwords to one char (e.g. a), common passwords (e.g. abc123), and the username (e.g. username admin and password admin). Password validators could prevent this.
This is a difference with the builtin django.contrib.auth password reset on 1.9 (refs: #26).
Hi guys,
I was debugging some issues I'm having with django-password-reset and noticed that the RecoverDone view makes a call to the loads_with_timestamp function defined right above it: https://github.com/brutasse/django-password-reset/blob/0.7/password_reset/views.py#L24
The docstring states that the function should return the unsigned value along with its timestamp, but there's a try/except; in case the signing.SignatureExpired exception doesn't occur, None would be returned, which means that the view will fail with a TypeError exception because it would be trying to iterate over None to assign timestamp and email in the context.
Thought that there might be some inconsistency there.
Hi, brutasse.
I wrote a gettext translation of your app into Italian. I attach it.
Greetings
it.zip
Hi, I created the following folder in my django project to customise the templates, but it doesn't work.
password_reset
    templates
        password_reset
            base.html
            ....
How can I customise the html templates from my django project?
Thanks.
Hi there,
I was trying to use django-password-reset with my custom user model, which uses the email as username, thus I don't have a username field. Here is part of my custom model:
    from django.contrib.auth.models import AbstractBaseUser, PermissionsMixin
    from django.db import models


    class MyUser(AbstractBaseUser, PermissionsMixin):
        email = models.EmailField(max_length=255, unique=True)

        USERNAME_FIELD = 'email'
But it fails due to this:
https://github.com/brutasse/django-password-reset/blob/master/password_reset/views.py#L136
Am I missing something? Should it work even without a username on my model?
It seems a lot of work has been done since 0.7 was released. Can you release a new version onto PyPi, so it can easily be included in a requirements.txt file?
How to insert the urls in url.py file?
As far as I can tell, password reset links aren't invalidated or expired after they are used:
The reset token is equivalent to a password since it allows anyone who knows it to set a new password. Invalidating the reset token after it is used limits the duration of its validity, which is particularly important for long expiration windows like the 2 day default for this package.
Of course, by all means, once a user's password has been reset, the randomly-generated token should no longer be valid.
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet#Step_3.29_Send_a_Token_Over_a_Side-Channel (end of paragraph)
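This report, the earlier one about the link still working after the password was changed, the one asking for time and count limits, and the note about loads_with_timestamp returning None all point at the token design. The added example below is not code from django-password-reset: it shows a token that expires and is also bound to the current password hash, so a successful reset invalidates it without any server-side bookkeeping (Django's own django.contrib.auth.tokens.PasswordResetTokenGenerator uses the same idea by hashing the password field into the token), and its check function returns the issue timestamp on every path instead of recovering it from an exception message. SECRET_KEY, the User stand-in and the token format are assumptions made for the example; the 48 hour maximum age is the package default quoted above.

```python
"""Added example, not code from django-password-reset: expiring reset tokens that
stop verifying once the password they were issued for has been changed."""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-secret-do-not-reuse"  # assumption: the site's secret key
TOKEN_MAX_AGE = 3600 * 48  # two days, the package default


class User:
    """Minimal stand-in for a Django user: a primary key and a salted hash."""

    def __init__(self, pk, password):
        self.pk = pk
        self.set_password(password)

    def set_password(self, password):
        # A fresh salt guarantees the stored hash changes on every reset,
        # even if the same password is chosen again.
        self.salt = secrets.token_hex(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt.encode(), 100_000
        ).hex()


def _mac(user, issued_at):
    # Including the current password hash is what makes the token single-use:
    # after set_password() the same token no longer verifies.
    msg = f"{user.pk}:{user.password_hash}:{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(user, now=None):
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}-{_mac(user, issued_at)}"


def check_token(user, token, now=None, max_age=TOKEN_MAX_AGE):
    """Return (ok, issued_at). The timestamp is returned on every path that
    could parse it, so callers never have to reconstruct it from an error."""
    try:
        ts, mac = token.split("-", 1)
        issued_at = int(ts)
    except ValueError:
        return False, None  # malformed
    now = int(time.time() if now is None else now)
    if not hmac.compare_digest(mac.encode(), _mac(user, issued_at).encode()):
        return False, issued_at  # forged, tampered, or password already changed
    if issued_at > now or now - issued_at > max_age:
        return False, issued_at  # expired (or claims to come from the future)
    return True, issued_at


def reset_password(user, token, new_password, now=None):
    """The reset view's core: verify, then change the password, which in turn
    invalidates the token that was just used."""
    ok, _ = check_token(user, token, now)
    if not ok:
        return False
    user.set_password(new_password)
    return True
```

The MAC is checked before the age so that an attacker cannot learn anything about a token's timestamp from a forged one, and the order of the `(ok, issued_at)` tuple lets the "sent" page still display when the mail went out even for an expired link. Rate limiting the recover endpoint is a separate control and is not shown here.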
My unit tests for my Django 1.8.5 project are generating the following warning:
django.utils.deprecation.RemovedInDjango19Warning: Model class django.contrib.sites.models.Site doesn't declare an explicit app_label and either isn't in an application in INSTALLED_APPS or else was imported before its application was loaded. This will no longer be supported in Django 1.9.
If I turn deprecation warnings into errors, here's the call stack.
File "/Users/josh/src/workdir/project/events/tests/test_views_register.py", line 84, in test_without_contact_address
response = self.client.get(reverse('events:register_payment', args=(self.order.pk,)))
File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 549, in reverse
app_list = resolver.app_dict[ns]
File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 351, in app_dict
self._populate()
File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 284, in _populate
for pattern in reversed(self.url_patterns):
File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 401, in url_patterns
patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/core/urlresolvers.py", line 395, in urlconf_module
self._urlconf_module = import_module(self.urlconf_name)
File "/Users/josh/src/workdir/env/lib/python3.4/importlib/__init__.py", line 109, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 2254, in _gcd_import
File "<frozen importlib._bootstrap>", line 2237, in _find_and_load
File "<frozen importlib._bootstrap>", line 2226, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 1200, in _load_unlocked
File "<frozen importlib._bootstrap>", line 1129, in _exec
File "<frozen importlib._bootstrap>", line 1471, in exec_module
File "<frozen importlib._bootstrap>", line 321, in _call_with_frames_removed
File "/Users/josh/src/workdir/project/project/urls.py", line 8, in <module>
import password_reset.urls
File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/password_reset/urls.py", line 3, in <module>
from . import views
File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/password_reset/views.py", line 4, in <module>
from django.contrib.sites.models import Site
File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/contrib/sites/models.py", line 78, in <module>
class Site(models.Model):
File "/Users/josh/src/workdir/env/lib/python3.4/site-packages/django/db/models/base.py", line 116, in __new__
warnings.warn(msg, RemovedInDjango19Warning, stacklevel=2)
django.utils.deprecation.RemovedInDjango19Warning: Model class django.contrib.sites.models.Site doesn't declare an explicit app_label and either isn't in an application in INSTALLED_APPS or else was imported before its application was loaded. This will no longer be supported in Django 1.9.
If I understand correctly, although django-password-reset 0.8 improved functionality for when the sites framework isn't being used, it looks like simply importing Site is enough to trigger the warning. I can think of a couple of possible solutions:
Site import, and change get_site to import it locally.
INSTALLED_APPS before importing Site. I noticed that raven-python does this, and it seems like a good solution.
Does either of these approaches sound good? If so, I'll submit a PR.
Apart from the content of /templates/password_reset/base.html, nothing else shows up on the url generated by {% url "password_reset_recover" %}.
I was expecting a form with a field for the email.
Am I missing something here?