def get_password_reset_url(self, request, user):
temp_key = default_token_generator.make_token(user)
path = reverse(
"account_reset_password_from_key",
kwargs=dict(uidb36=user_pk_to_url_str(user), key=temp_key),
)
return request.build_absolute_uri(path)
def get_serializer_context(self):
user = self.request.user
if not user.pk:
return
uid = user_pk_to_url_str(user)
token = default_token_generator.make_token(user)
password_reset_urls = app_settings.PASSWORD_RESET_URLS
password_reset_url = password_reset_urls.get('default')
domain = get_current_site(self.request).domain
if getattr(self, 'swagger_fake_view', False):
organization_pk, organization_slug = None, None # pragma: no cover
else:
organization_pk = self.organization.pk
organization_slug = self.organization.slug
org_radius_settings = self.organization.radius_settings
if org_radius_settings.password_reset_url:
password_reset_url = org_radius_settings.password_reset_url
else:
password_reset_url = password_reset_urls.get(
str(organization_pk), password_reset_url)
password_reset_url = password_reset_url.format(
organization=organization_slug, uid=uid, token=token, site=domain)
context = {
'request': self.request,
'password_reset_url': password_reset_url
}
return context
def get_password_reset_link(self):
return reverse(
"account_reset_password_from_key",
kwargs={
'uidb36': user_pk_to_url_str(self),
'key': default_token_generator.make_token(self)
},
)
def _generate_uid_and_token(self, user):
result = {}
if 'allauth' in settings.INSTALLED_APPS:
from allauth.account.forms import default_token_generator
from allauth.account.utils import user_pk_to_url_str
result['uid'] = user_pk_to_url_str(user)
else:
from django.utils.encoding import force_bytes
from django.contrib.auth.tokens import default_token_generator
from django.utils.http import urlsafe_base64_encode
result['uid'] = urlsafe_base64_encode(force_bytes(user.pk))
result['token'] = default_token_generator.make_token(user)
return result
def test_password_reset_flow(self):
user = JobSeekerFactory()
# Ask for password reset.
url = reverse("account_reset_password")
response = self.client.get(url)
self.assertEqual(response.status_code, 200)
post_data = {"email": user.email}
response = self.client.post(url, data=post_data)
args = urlencode({"email": user.email})
next_url = reverse("account_reset_password_done")
self.assertRedirects(response, f"{next_url}?{args}")
# Check sent email.
self.assertEqual(len(mail.outbox), 1)
email = mail.outbox[0]
self.assertIn("Réinitialisation de votre mot de passe", email.subject)
self.assertIn(
"Si vous n'avez pas demandé la réinitialisation de votre mot de passe, vous pouvez ignorer ce message",
email.body,
)
self.assertEqual(email.from_email, settings.DEFAULT_FROM_EMAIL)
self.assertEqual(len(email.to), 1)
self.assertEqual(email.to[0], user.email)
# Change forgotten password.
uidb36 = user_pk_to_url_str(user)
key = default_token_generator.make_token(user)
password_change_url = reverse("account_reset_password_from_key",
kwargs={
"uidb36": uidb36,
"key": key
})
response = self.client.get(password_change_url)
password_change_url_with_hidden_key = response.url
post_data = {
"password1": DEFAULT_PASSWORD,
"password2": DEFAULT_PASSWORD
}
response = self.client.post(password_change_url_with_hidden_key,
data=post_data)
self.assertRedirects(response,
reverse("account_reset_password_from_key_done"))
# User can log in with his new password.
self.assertTrue(
self.client.login(username=user.email, password=DEFAULT_PASSWORD))
self.client.logout()
def get_password_reset_url(self):
temp_key = default_token_generator.make_token(self)
path = reverse(
"account_reset_password_from_key",
kwargs=dict(uidb36=user_pk_to_url_str(self), key=temp_key),
)
site = get_current_site(request=None)
domain = site.domain
scheme = "http"
if settings.ADSERVER_HTTPS:
scheme = "https"
return "{scheme}://{domain}{path}".format(scheme=scheme,
domain=domain,
path=path)
def post(self, request, student):
student = get_object_or_404(
Student,
teacher=request.user,
user__username=student,
)
user = student.user
email = user_email(request.user)
if not email:
messages.error(
request,
"Can not send a password reset link since your account ({}) doesn't have an email address associated with it.".format(request.user.username)
)
return redirect('teachers:teacher')
temp_key = default_token_generator.make_token(user)
path = reverse(
'account_reset_password_from_key',
kwargs={'uidb36': user_pk_to_url_str(user), 'key': temp_key},
)
context = {
'current_site': get_current_site(request),
'user': user,
'password_reset_url': build_absolute_uri(request, path),
'request': request,
'username': user_username(user),
'timeout_days': settings.PASSWORD_RESET_TIMEOUT_DAYS,
}
get_adapter(request).send_mail(
'teachers/email/password_reset_key',
email,
context,
)
messages.success(
request,
"Password reset link for user {user} has been sent to your email address ({email})".format(
user=user, email=email)
)
return redirect('teachers:teacher')
def test_api_password_reset(self):
test_user = User.objects.create_user(
username='******', password='******', email='*****@*****.**'
)
self._create_org_user(organization=self.default_org, user=test_user)
mail_count = len(mail.outbox)
reset_payload = {'email': '*****@*****.**'}
# wrong org
password_reset_url = reverse(
'radius:rest_password_reset', args=['wrong-slug-name']
)
response = self.client.post(password_reset_url, data=reset_payload)
self.assertEqual(response.status_code, 404)
password_reset_url = reverse(
'radius:rest_password_reset', args=[self.default_org.slug]
)
# no payload
response = self.client.post(password_reset_url, data={})
self.assertEqual(response.status_code, 400)
# email does not exist in database
reset_payload = {'email': '*****@*****.**'}
response = self.client.post(password_reset_url, data=reset_payload)
self.assertEqual(response.status_code, 404)
# email not registered with org
User.objects.create_user(
username='******', password='******', email='*****@*****.**'
)
reset_payload = {'email': '*****@*****.**'}
response = self.client.post(password_reset_url, data=reset_payload)
self.assertEqual(response.status_code, 400)
# valid payload
reset_payload = {'email': '*****@*****.**'}
response = self.client.post(password_reset_url, data=reset_payload)
self.assertEqual(len(mail.outbox), mail_count + 1)
url_kwargs = {
'uid': user_pk_to_url_str(test_user),
'token': default_token_generator.make_token(test_user),
}
password_confirm_url = reverse(
'radius:rest_password_reset_confirm', args=[self.default_org.slug]
)
# wrong token
data = {
'new_password1': 'test_new_password',
'new_password2': 'test_new_password',
'uid': url_kwargs['uid'],
'token': '-wrong-token-',
}
confirm_response = self.client.post(password_confirm_url, data=data)
self.assertEqual(confirm_response.status_code, 400)
# wrong uid
data = {
'new_password1': 'test_new_password',
'new_password2': 'test_new_password',
'uid': '-wrong-uid-',
'token': url_kwargs['token'],
}
confirm_response = self.client.post(password_confirm_url, data=data)
self.assertEqual(confirm_response.status_code, 404)
# wrong token and uid
data = {
'new_password1': 'test_new_password',
'new_password2': 'test_new_password',
'uid': '-wrong-uid-',
'token': '-wrong-token-',
}
confirm_response = self.client.post(password_confirm_url, data=data)
self.assertEqual(confirm_response.status_code, 404)
# valid payload
data = {
'new_password1': 'test_new_password',
'new_password2': 'test_new_password',
'uid': url_kwargs['uid'],
'token': url_kwargs['token'],
}
confirm_response = self.client.post(password_confirm_url, data=data)
self.assertEqual(confirm_response.status_code, 200)
self.assertIn(
'Password reset e-mail has been sent.', str(response.data['detail'])
)
# user should not be able to login with old password
login_payload = {'username': '******', 'password': '******'}
login_url = reverse('radius:user_auth_token', args=[self.default_org.slug])
login_response = self.client.post(login_url, data=login_payload)
self.assertEqual(login_response.status_code, 400)
# user should be able to login with new password
login_payload = {'username': '******', 'password': '******'}
login_response = self.client.post(login_url, data=login_payload)
self.assertEqual(login_response.status_code, 200)
def test_api_password_reset(self):
test_user = User.objects.create_user(username='******',
password='******',
email='*****@*****.**')
self._create_org_user(organization=self.default_org, user=test_user)
mail_count = len(mail.outbox)
reset_payload = {'email': '*****@*****.**'}
# wrong org
password_reset_url = reverse('radius:rest_password_reset',
args=['wrong-slug-name'])
response = self.client.post(password_reset_url, data=reset_payload)
self.assertEqual(response.status_code, 404)
password_reset_url = reverse('radius:rest_password_reset',
args=[self.default_org.slug])
# no payload
response = self.client.post(password_reset_url, data={})
self.assertEqual(response.status_code, 400)
# email does not exist in database
reset_payload = {'email': '*****@*****.**'}
response = self.client.post(password_reset_url, data=reset_payload)
self.assertEqual(response.status_code, 404)
# email not registered with org
User.objects.create_user(username='******',
password='******',
email='*****@*****.**')
reset_payload = {'email': '*****@*****.**'}
response = self.client.post(password_reset_url, data=reset_payload)
self.assertEqual(response.status_code, 400)
# valid payload
reset_payload = {'email': '*****@*****.**'}
response = self.client.post(password_reset_url, data=reset_payload)
self.assertEqual(len(mail.outbox), mail_count + 1)
email = mail.outbox.pop()
self.assertIn(
"<p> Please click on the button below to open a page where you can",
' '.join(email.alternatives[0][0].split()),
)
self.assertRegex(
''.join(email.alternatives[0][0].splitlines()),
'<a href=".*">.*Reset password.*<\/a>',
)
self.assertNotIn('<img src=""', email.alternatives[0][0])
url_kwargs = {
'uid': user_pk_to_url_str(test_user),
'token': default_token_generator.make_token(test_user),
}
password_confirm_url = reverse('radius:rest_password_reset_confirm',
args=[self.default_org.slug])
# wrong token
data = {
'new_password1': 'test_new_password',
'new_password2': 'test_new_password',
'uid': url_kwargs['uid'],
'token': '-wrong-token-',
}
confirm_response = self.client.post(password_confirm_url, data=data)
self.assertEqual(confirm_response.status_code, 400)
# wrong uid
data = {
'new_password1': 'test_new_password',
'new_password2': 'test_new_password',
'uid': '-wrong-uid-',
'token': url_kwargs['token'],
}
confirm_response = self.client.post(password_confirm_url, data=data)
self.assertEqual(confirm_response.status_code, 404)
# wrong token and uid
data = {
'new_password1': 'test_new_password',
'new_password2': 'test_new_password',
'uid': '-wrong-uid-',
'token': '-wrong-token-',
}
confirm_response = self.client.post(password_confirm_url, data=data)
self.assertEqual(confirm_response.status_code, 404)
# valid payload
data = {
'new_password1': 'test_new_password',
'new_password2': 'test_new_password',
'uid': url_kwargs['uid'],
'token': url_kwargs['token'],
}
confirm_response = self.client.post(password_confirm_url, data=data)
self.assertEqual(confirm_response.status_code, 200)
self.assertIn('Password reset e-mail has been sent.',
str(response.data['detail']))
# user should not be able to login with old password
login_payload = {'username': '******', 'password': '******'}
login_url = reverse('radius:user_auth_token',
args=[self.default_org.slug])
login_response = self.client.post(login_url, data=login_payload)
self.assertEqual(login_response.status_code, 400)
# user should be able to login with new password
login_payload = {
'username': '******',
'password': '******'
}
login_response = self.client.post(login_url, data=login_payload)
self.assertEqual(login_response.status_code, 200)
