Closed Hall-Erik closed 5 years ago
This looks good.
That's what a good PR looks like :)
Anyway, personally I would have gone for a separate endpoint, e.g., /validate_token/
, but sending the token without a password at the same existing endpoint is fine for me too.
I'm going to leave this open for a week or so, as I would like to see some opinions on whether the implemented endpoint logic within this PR is considered as okay or not.
I agree with you about using separate endpoints. That way when the user gets a 200 from /confirm/
, they know it means the password was updated and not just that the token is valid.
closed in favour of #60
This implements #45
If the user sets
DJANGO_REST_PASSWORDRESET_ALLOW_TOKEN_VALIDATION = True
in settings, the password field becomes optional inResetPasswordConfirm
. It will return a 200 if a valid token is provided without a password.If
DJANGO_REST_PASSWORDRESET_ALLOW_TOKEN_VALIDATION
is not set, or is set to False,ResetPasswordConfirm
behaves as it did before - returning a 400 if a password isn't given.I also added a couple of tests for this and updated the README.