Commit 6260f1981fa39c4b6fd05de69df104ce5114f16e
1 parent
ef21eb3223
Exists in
master
reset_password send email and verify token works
Showing 1 changed file with 14 additions and 6 deletions Side-by-side Diff
flashcards/api.py
View file @
6260f19
| ... | ... | @@ -73,7 +73,7 @@ |
| 73 | 73 | |
| 74 | 74 | def post(self, request, format=None): |
| 75 | 75 | """ |
| 76 | - Returns user data if valid. | |
| 76 | + Authenticates and logs in the user and returns their data if valid. | |
| 77 | 77 | """ |
| 78 | 78 | if 'email' not in request.data: |
| 79 | 79 | raise ValidationError('Email is required') |
| 80 | 80 | |
| 81 | 81 | |
| ... | ... | @@ -93,17 +93,22 @@ |
| 93 | 93 | |
| 94 | 94 | class UserLogout(APIView): |
| 95 | 95 | """ |
| 96 | - Logs out an authenticated user. | |
| 96 | + Authenticated user log out. | |
| 97 | 97 | """ |
| 98 | 98 | |
| 99 | 99 | def post(self, request, format=None): |
| 100 | - logout(request, request.user) | |
| 100 | + """ | |
| 101 | + Logs the authenticated user out. | |
| 102 | + """ | |
| 103 | + logout(request) | |
| 101 | 104 | return Response(status=status.HTTP_204_NO_CONTENT) |
| 102 | 105 | |
| 103 | 106 | |
| 104 | 107 | class PasswordReset(APIView): |
| 105 | 108 | """ |
| 106 | 109 | Allows user to reset their password. |
| 110 | + System sends an email to the user's email with a token that may be verified | |
| 111 | + to reset their password. | |
| 107 | 112 | """ |
| 108 | 113 | |
| 109 | 114 | def post(self, request, format=None): |
| ... | ... | @@ -119,6 +124,7 @@ |
| 119 | 124 | try: |
| 120 | 125 | user = User.objects.get(email=email) |
| 121 | 126 | except User.DoesNotExist: |
| 127 | + # Don't leak that email does not exist. | |
| 122 | 128 | raise NotFound('Email does not exist') |
| 123 | 129 | |
| 124 | 130 | token = default_token_generator.make_token(user) |
| ... | ... | @@ -139,7 +145,7 @@ |
| 139 | 145 | |
| 140 | 146 | def patch(self, request, format=None): |
| 141 | 147 | """ |
| 142 | - Updates user's password to new password. | |
| 148 | + Updates user's password to new password if token is valid. | |
| 143 | 149 | """ |
| 144 | 150 | if 'new_password' not in request.data: |
| 145 | 151 | raise ValidationError('New password is required') |
| ... | ... | @@ -148,8 +154,10 @@ |
| 148 | 154 | |
| 149 | 155 | user = request.user |
| 150 | 156 | |
| 151 | - user.set_password(request.data['new_password']) | |
| 152 | - user.save() | |
| 157 | + # Check token validity. | |
| 158 | + if default_token_generator.check_token(user, request.data['token']): | |
| 159 | + user.set_password(request.data['new_password']) | |
| 160 | + user.save() | |
| 153 | 161 | |
| 154 | 162 | return Response(status=status.HTTP_204_NO_CONTENT) |