anexia-it / django-rest-passwordreset

An extension of django rest framework, providing a configurable password reset strategy
BSD 3-Clause "New" or "Revised" License

authentication_classes = () in password validate/confirm endpoints? #67

Open bctiemann opened 5 years ago

bctiemann commented 5 years ago

I found that if the user has an (invalid) local Bearer: <hex> cookie that gets sent as a header, the three views can fail authentication and return a 401. Is this intentional? Shouldn't these views have authentication_classes = () so they work even if there's a leftover token in the browser?

There might be a security-related reason for it to be this way but I'm not sure I can think what it is.
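To make the 401 in the report concrete, here is an added example (not code from django-rest-passwordreset or from Django REST framework) that re-implements, in plain Python with no Django dependency, the decision DRF makes in `Request._authenticate()`: an authenticator returns `None` when no credential is present (the request stays anonymous), returns `(user, auth)` when the credential is good, or raises `AuthenticationFailed` when a credential is present but invalid, which DRF turns into a 401 before the view body runs. The `TokenAuthentication` class, the token table and the two view classes are constructed stand-ins for this illustration; the point they show is that a view declaring `authentication_classes = ()` never inspects the header, so a stale token left in the browser cannot break it.

```python
"""Model of how DRF decides between "anonymous" and "401" for a request.

Added example: a minimal re-implementation of the loop in DRF's
Request._authenticate(), so the behaviour can be run without Django.
"""
from dataclasses import dataclass, field


class AuthenticationFailed(Exception):
    """A credential was presented but rejected (DRF answers 401)."""
    status_code = 401


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    user: str = "AnonymousUser"   # DRF's fallback when nobody authenticates
    auth: object = None


class TokenAuthentication:
    """Hypothetical token authenticator mirroring DRF's contract:
    no header -> None; unknown token -> AuthenticationFailed."""

    # Constructed sample token table (not real credentials).
    VALID_TOKENS = {"a1b2c3": "alice"}

    def authenticate(self, request):
        header = request.headers.get("Authorization", "")
        if not header.startswith("Bearer "):
            return None  # no credential at all: stay anonymous
        token = header.split(" ", 1)[1]
        user = self.VALID_TOKENS.get(token)
        if user is None:
            # Present-but-invalid credential: this is the 401 from the issue.
            raise AuthenticationFailed("Invalid token.")
        return user, token


def dispatch(view, request):
    """Run the view's authenticators the way DRF does, then its handler.

    Returns (status_code, body). A view with an empty
    authentication_classes never looks at the header, so a leftover
    token cannot make it fail.
    """
    for authenticator_cls in view.authentication_classes:
        try:
            result = authenticator_cls().authenticate(request)
        except AuthenticationFailed as exc:
            return exc.status_code, str(exc)
        if result is not None:
            request.user, request.auth = result
            break
    return view.handle(request)


class ResetPasswordRequestToken:
    """Stand-in for a library view that inherits DRF's default authenticators."""
    authentication_classes = (TokenAuthentication,)

    def handle(self, request):
        return 200, f"reset mail queued (caller: {request.user})"


class CustomResetPasswordRequestToken(ResetPasswordRequestToken):
    """The fix proposed in the issue: identity is irrelevant to this endpoint."""
    authentication_classes = ()


def run(view_cls, authorization=None):
    """Build a request with an optional Authorization header and dispatch it."""
    headers = {"Authorization": authorization} if authorization else {}
    return dispatch(view_cls(), Request(headers=headers))


if __name__ == "__main__":
    stale = "Bearer deadbeef"  # constructed: a token no longer in the table
    print(run(ResetPasswordRequestToken, stale))        # (401, 'Invalid token.')
    print(run(CustomResetPasswordRequestToken, stale))  # (200, '... AnonymousUser)')
```

Once authentication is switched off on these views, every caller is anonymous, so any rate limiting must be keyed on something other than the user (in DRF terms, an anonymous throttle keyed by client address), which is why the throttling classes need to be set alongside `authentication_classes` when the views are subclassed.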

guzzijones commented 4 years ago

Yeah. It seems authentication needs to be changed on these views to allow unauthenticated access to them.

guzzijones commented 4 years ago

I ended up just inheriting from all the views and adding my own throttling and authentication settings via the authentication_classes and throttling_classes settings.

guzzijones commented 4 years ago

After completing this, I suggest the documentation just mention how to inherit from the existing view classes. There are many permission possibilities and throttling possibilities.

stackbomb commented 3 years ago

Hey @guzzijones, could you show how to inherit from the existing view classes? I have tried to override them in this way:

from rest_framework.permissions import AllowAny
from django_rest_passwordreset.views import (
    ResetPasswordRequestToken,
    ResetPasswordConfirm,
    ResetPasswordValidateToken,
)

class CustomResetPasswordRequestToken(ResetPasswordRequestToken):
    """
    Allow unauthenticated users to request a reset password token by using the email parameter.
    """

    permission_classes = [
        AllowAny,
    ]
    authentication_classes = []

class CustomResetPasswordConfirm(ResetPasswordConfirm):
    """
    Using a valid token, the unauthenticated user's password is set to the provided password.
    """

    permission_classes = [
        AllowAny,
    ]
    authentication_classes = []

class CustomResetPasswordValidateToken(ResetPasswordValidateToken):
    """
    Will return a 200 if a given token is valid.
    """

    permission_classes = [
        AllowAny,
    ]
    authentication_classes = []

And adding these views into urls.py:

...
    path(
        "password_reset/",
        CustomResetPasswordRequestToken.as_view(),
        name="password_reset",
    ),
    path(
        "password_reset/confirm/",
        CustomResetPasswordConfirm.as_view(),
        name="password_reset_confirm",
    ),
    path(
        "password_reset/validate_token/",
        CustomResetPasswordValidateToken.as_view(),
        name="password_reset_validate",
    ),
 ...

But I get: django.urls.exceptions.NoReverseMatch: 'password_reset' is not a registered namespace

I agree with you saying that this should be inserted in the documentation.

nittolese commented 3 years ago

Hi everyone, I'm facing the same problem. I've created a pull request to solve this issue https://github.com/anexia-it/django-rest-passwordreset/pull/148