
serializers fails to sanitize the email in the ResetPasswordRequestToken view

Open JoueBien opened this issue 3 years ago • 2 comments

The route

`/rest-auth/password_reset/` 

is able to accept malformed emails. The sanitization doesn't strip leading or trailing spaces. This along with

```python
DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE = True
```

means that users can end up getting stuck with not getting a reset email even if they entered in a seemingly valid email.

The change I would suggest is with ResetPasswordRequestToken@POST:

```python
# this
email = serializer.validated_data['email']
# should probably be this
email = serializer.validated_data['email'].strip()
```

There probably should be a regression test added to your test suite as well.

JoueBien avatar Aug 13 '21 05:08 JoueBien

Thanks for the detailed description :+1:, this is indeed something that can cause problems.

We intend to go ahead and use a custom lookup field (https://github.com/anexia-it/django-rest-passwordreset/pull/93) in future, so we don't necessarily stick to email.

What I would suggest instead is to add an additional configuration:

```python
DJANGO_REST_PASSWORDRESET_STRIP_LOOKUP_FIELD_INPUT = True
```

By defaulting it to False we should avoid any regressions. What do you think?

nezhar avatar Aug 18 '21 17:08 nezhar
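To make the interaction described in the two posts above concrete, here is an added stand-alone simulation (not code from django-rest-passwordreset) of the request handler with both settings: the untrimmed lookup value silently matches nobody while `NO_INFORMATION_LEAKAGE` still reports success, and the proposed opt-in `STRIP_LOOKUP_FIELD_INPUT` setting repairs the lookup. The user table, the `Settings`/`Outcome` types and the case-insensitive match are assumptions standing in for the real ORM query.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed user table standing in for the User model's email lookup.
USERS = {"alice@example.com", "bob@example.com"}


@dataclass
class Settings:
    # Mirrors DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE.
    no_information_leakage: bool = True
    # Mirrors the proposed DJANGO_REST_PASSWORDRESET_STRIP_LOOKUP_FIELD_INPUT,
    # defaulting to False as suggested so existing deployments keep their behaviour.
    strip_lookup_field_input: bool = False


@dataclass
class Outcome:
    status: int
    emails_sent: List[str] = field(default_factory=list)


def find_user(lookup_value: str) -> Optional[str]:
    # Case-insensitive match; whitespace is NOT normalised here, which is the
    # root of the issue: " alice@example.com " never equals "alice@example.com".
    needle = lookup_value.lower()
    for user in USERS:
        if user.lower() == needle:
            return user
    return None


def reset_password_request(raw_email: str, settings: Settings) -> Outcome:
    """Simulate ResetPasswordRequestToken.post for one submitted email."""
    email = raw_email
    if settings.strip_lookup_field_input:
        email = email.strip()
    user = find_user(email)
    if user is None:
        # With information leakage suppressed the client still gets 200, so a
        # stray space produces a "successful" request that never sends mail.
        return Outcome(200 if settings.no_information_leakage else 400)
    return Outcome(200, [user])
```

Running `reset_password_request(" alice@example.com ", Settings())` returns status 200 with no email sent, while the same input with `strip_lookup_field_input=True` sends to `alice@example.com`.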

Yeah, I think that will work well along with keeping things with the existing default so we don't unexpectedly change the behaviour when people start a new project or run a deployment.

JoueBien avatar Aug 19 '21 05:08 JoueBien