django-rest-passwordreset

authentication_classes = () in password validate/confirm endpoints?

Open bctiemann opened this issue 4 years ago • 5 comments

I found that if the user has an (invalid) local Bearer: <hex> cookie that gets sent as a header, the three views can fail authentication and return a 401. Is this intentional? Shouldn't these views have authentication_classes = () so they work even if there's a leftover token in the browser?

There might be a security-related reason for it to be this way but I'm not sure I can think what it is.

bctiemann avatar Aug 30 '19 03:08 bctiemann

Yeah, it seems authentication needs to be changed on these views to allow unauthenticated access to the views.

guzzijones avatar Aug 08 '20 21:08 guzzijones

I ended up just inheriting from all the views and adding my own throttling and authentication settings via the authentication_classes and throttling_classes settings

guzzijones avatar Aug 08 '20 23:08 guzzijones

After completing this I suggest the documentation just mention how to inherit from the existing view classes. There are many permission possibilities and throttling possibilities.

guzzijones avatar Aug 09 '20 20:08 guzzijones

Hey @guzzijones , could you show how to inherit from the existing view classes? I have tried to override them in this way:

from rest_framework.permissions import AllowAny
from django_rest_passwordreset.views import (
    ResetPasswordRequestToken,
    ResetPasswordConfirm,
    ResetPasswordValidateToken,
)


class CustomResetPasswordRequestToken(ResetPasswordRequestToken):
    """
    Allow unauthenticated users to request a reset password token by using the email parameter.
    """

    permission_classes = [
        AllowAny,
    ]
    authentication_classes = []


class CustomResetPasswordConfirm(ResetPasswordConfirm):
    """
    Using a valid token, the unauthenticated users password is set to the provided password.
    """

    permission_classes = [
        AllowAny,
    ]
    authentication_classes = []


class CustomResetPasswordValidateToken(ResetPasswordValidateToken):
    """
    Will return a 200 if a given token is valid.
    """

    permission_classes = [
        AllowAny,
    ]
    authentication_classes = []

And adding these views into urls.py:

...
    path(
        "password_reset/",
        CustomResetPasswordRequestToken.as_view(),
        name="password_reset",
    ),
    path(
        "password_reset/confirm/",
        CustomResetPasswordConfirm.as_view(),
        name="password_reset_confirm",
    ),
    path(
        "password_reset/validate_token/",
        CustomResetPasswordValidateToken.as_view(),
        name="password_reset_validate",
    ),
...

But I get: django.urls.exceptions.NoReverseMatch: 'password_reset' is not a registered namespace

I agree with you saying that this should be inserted in the documentation.

stackbomb avatar Oct 10 '21 10:10 stackbomb

Hi everyone, I'm facing the same problem. I've created a pull request to solve this issue https://github.com/anexia-it/django-rest-passwordreset/pull/148

nittolese avatar Oct 10 '21 10:10 nittolese