def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data)
serializer.is_valid(raise_exception=True)
email = serializer.validated_data['email']
# before we continue, delete all existing expired tokens
password_reset_token_validation_time = get_password_reset_token_expiry_time()
# datetime.now minus expiry hours
now_minus_expiry_time = timezone.now() - timedelta(hours=password_reset_token_validation_time)
# delete all tokens where created_at < now - 24 hours
clear_expired(now_minus_expiry_time)
# find a user by email address (case insensitive search)
users = User.objects.filter(**{'{}__iexact'.format(get_password_reset_lookup_field()): email})
active_user_found = False
# iterate over all users and check if there is any user that is active
# also check whether the password can be changed (is useable), as there could be users that are not allowed
# to change their password (e.g., LDAP user)
for user in users:
if user.eligible_for_reset():
active_user_found = True
# No active user found, raise a validation error
# but not if DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE == True
if not active_user_found and not getattr(settings, 'DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE', False):
raise exceptions.ValidationError({
'email': [_(
"There is no active user associated with this e-mail address or the password can not be changed")],
})
# last but not least: iterate over all users that are active and can change their password
# and create a Reset Password Token and send a signal with the created token
for user in users:
if user.eligible_for_reset():
# define the token as none for now
token = None
# check if the user already has a token
if user.password_reset_tokens.all().count() > 0:
# yes, already has a token, re-use this token
token = user.password_reset_tokens.all()[0]
else:
# no token exists, generate a new token
token = ResetPasswordToken.objects.create(
user=user,
user_agent=request.META.get(HTTP_USER_AGENT_HEADER, ''),
ip_address=request.META.get(HTTP_IP_ADDRESS_HEADER, ''),
)
# send a signal that the password token was created
# let whoever receives this signal handle sending the email for the password reset
reset_password_token_created.send(sender=self.__class__, instance=self, reset_password_token=token)
# done
message = get_response_message("PASSWORD_REQUEST_ACCEPT")
return Response({"status_code": 200, "status": "OK", "message": message})
def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data)
serializer.is_valid(raise_exception=True)
email = serializer.validated_data['email']
# before we continue, delete all existing expired tokens
password_reset_token_validation_time = get_password_reset_token_expiry_time()
# datetime.now minus expiry hours
now_minus_expiry_time = timezone.now() - timedelta(hours=password_reset_token_validation_time)
# delete all tokens where created_at < now - 24 hours
clear_expired(now_minus_expiry_time)
# find a user by email address (case insensitive search)
users = User.objects.filter(email__iexact=email)
active_user_found = False
# iterate over all users and check if there is any user that is active
# also check whether the password can be changed (is useable), as there could be users that are not allowed
# to change their password (e.g., LDAP user)
for user in users:
if user.is_active and user.has_usable_password():
active_user_found = True
# No active user found, raise a validation error
if not active_user_found:
raise exceptions.ValidationError({
'email': [_(
"There is no active user associated with this e-mail address or the password can not be changed")],
})
# last but not least: iterate over all users that are active and can change their password
# and create a Reset Password Token and send a signal with the created token
for user in users:
if user.is_active and user.has_usable_password():
# define the token as none for now
token = None
# check if the user already has a token
if user.password_reset_tokens.all().count() > 0:
# yes, already has a token, re-use this token
token = user.password_reset_tokens.all()[0]
else:
# no token exists, generate a new token
token = ResetPasswordToken.objects.create(
user=user,
user_agent=request.META.get('HTTP_USER_AGENT',
getattr(settings, 'DJANGO_REST_PASSWORDRESET_HTTP_USER_AGENT', '')),
ip_address=request.META.get('REMOTE_ADDR',
getattr(settings, 'DJANGO_REST_PASSWORDRESET_REMOTE_ADDR', ''))
)
# send a signal that the password token was created
# let whoever receives this signal handle sending the email for the password reset
reset_password_token_created.send(sender=self.__class__, instance=self, reset_password_token=token)
# done
return Response({'status': 'OK'})
def clear_expired_tokens():
"""Function used to clear existing and expired tokens."""
password_reset_token_validation_time = (
get_password_reset_token_expiry_time())
# datetime.now minus expiry hours
now_minus_expiry_time = timezone.now() - timedelta(
hours=password_reset_token_validation_time)
# delete all tokens where created_at < now - 24 hours
clear_expired(now_minus_expiry_time)
def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data)
serializer.is_valid(raise_exception=True)
email = serializer.validated_data['email']
password_reset_token_validation_time = get_password_reset_token_expiry_time()
now_minus_expiry_time = timezone.now(
) - timedelta(hours=password_reset_token_validation_time)
clear_expired(now_minus_expiry_time)
users = User.objects.filter(
**{'{}__iexact'.format(get_password_reset_lookup_field()): email})
active_user_found = False
for user in users:
if user.eligible_for_reset():
active_user_found = True
if not active_user_found and not getattr(settings, 'DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE', False):
raise exceptions.ValidationError({
'email': [_(
"There is no active user associated with this e-mail address or the password can not be changed")],
})
for user in users:
if user.eligible_for_reset():
token = None
if user.password_reset_tokens.all().count() > 0:
token = user.password_reset_tokens.all()[0]
else:
token = ResetPasswordToken.objects.create(
user=user,
user_agent=request.META.get(
HTTP_USER_AGENT_HEADER, ''),
ip_address=request.META.get(
HTTP_IP_ADDRESS_HEADER, ''),
)
reset_password_token_created.send(
sender=self.__class__, instance=self, reset_password_token=token)
return Response({'status': 'OK'})
def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data)
serializer.is_valid(raise_exception=True)
email = serializer.validated_data['email']
# before we continue, delete all existing expired tokens
password_reset_token_validation_time = get_password_reset_token_expiry_time(
)
# datetime.now minus expiry hours
now_minus_expiry_time = timezone.now() - timedelta(
hours=password_reset_token_validation_time)
# delete all tokens where created_at < now - 24 hours
clear_expired(now_minus_expiry_time)
# find a user by email address (case insensitive search)
users = User.objects.filter(email__iexact=email)
active_user_found = False
# iterate over all users and check if there is any user that is active
# also check whether the password can be changed (is useable), as there could be users that are not allowed
# to change their password (e.g., LDAP user)
for user in users:
if user.is_active and user.has_usable_password():
active_user_found = True
# No active user found, raise a validation error
if not active_user_found:
raise exceptions.ValidationError({
'email': [
_("There is no active user associated with this e-mail address or the password can not be changed"
)
],
})
# last but not least: iterate over all users that are active and can change their password
# and create a Reset Password Token and send a signal with the created token
for user in users:
if user.is_active and user.has_usable_password():
# define the token as none for now
token = None
# check if the user already has a token
if user.password_reset_tokens.all().count() > 0:
# yes, already has a token, re-use this token
token = user.password_reset_tokens.all()[0]
else:
ip = request.META.get('REMOTE_ADDR', None)
# REMOTE_ADDR may be blank if socket server or load balancer are used, causing an exception
# HTTP_X_FORWARDED_FOR as a fallback would be acceptable, since it's for logging purposes
# and not authentication (also hard to spoof if load balancer is configured corrrectly)
if ip is None or ip == b'':
ip = request.META['HTTP_X_FORWARDED_FOR'].split(',')[
0] # grab the first entry
# no token exists, generate a new token
token = ResetPasswordToken.objects.create(
user=user,
user_agent=request.META['HTTP_USER_AGENT'],
ip_address=ip or '127.0.0.1')
# send a signal that the password token was created
# let whoever receives this signal handle sending the email for the password reset
reset_password_token_created.send(sender=self.__class__,
instance=self,
reset_password_token=token)
# done
return Response({'status': 'OK'})
def handle(self, *args, **options):
# datetime.now minus expiry hours
now_minus_expiry_time = timezone.now() - datetime.timedelta(
hours=get_password_reset_token_expiry_time())
clear_expired(now_minus_expiry_time)
