diff --git a/flashcards/api.py b/flashcards/api.py
index f7b3a04..2907f66 100644
--- a/flashcards/api.py
+++ b/flashcards/api.py
@@ -73,7 +73,7 @@ class UserLogin(APIView):
     def post(self, request, format=None):
         """
-        Returns user data if valid.
+        Authenticates and logs in the user and returns their data if valid.
         """
         if 'email' not in request.data:
             raise ValidationError('Email is required')
@@ -93,17 +93,22 @@ class UserLogin(APIView):
 class UserLogout(APIView):
     """
-    Logs out an authenticated user.
+    Authenticated user log out.
     """
     def post(self, request, format=None):
-        logout(request, request.user)
+        """
+        Logs the authenticated user out.
+        """
+        logout(request)
         return Response(status=status.HTTP_204_NO_CONTENT)
 
 class PasswordReset(APIView):
     """
     Allows user to reset their password.
+    System sends an email to the user's email with a token that may be verified
+    to reset their password.
     """
     def post(self, request, format=None):
@@ -119,6 +124,7 @@ class PasswordReset(APIView):
         try:
             user = User.objects.get(email=email)
         except User.DoesNotExist:
+            # Don't leak that email does not exist.
             raise NotFound('Email does not exist')
         token = default_token_generator.make_token(user)
@@ -139,7 +145,7 @@ class PasswordReset(APIView):
     def patch(self, request, format=None):
         """
-        Updates user's password to new password.
+        Updates user's password to new password if token is valid.
         """
         if 'new_password' not in request.data:
             raise ValidationError('New password is required')
@@ -148,7 +154,9 @@ class PasswordReset(APIView):
         user = request.user
-        user.set_password(request.data['new_password'])
-        user.save()
+        # Check token validity.
+        if default_token_generator.check_token(user, request.data['token']):
+            user.set_password(request.data['new_password'])
+            user.save()
         return Response(status=status.HTTP_204_NO_CONTENT)
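Review bot: The comment added in the `@@ -119,6 +124,7` hunk says the opposite of what the next line does: `raise NotFound('Email does not exist')` answers an unauthenticated caller with a 404 whose message confirms which addresses are registered, so the enumeration the comment warns about is exactly what the code performs. To make the code match the comment, the `except User.DoesNotExist:` branch should return the same response the success path of `post` returns (that path lies outside the hunk, so its status is not visible here) without sending any mail, and the comment should then read `# Respond identically whether or not the address is registered.`. If the 404 is deliberate, the comment should be dropped rather than left contradicting the line below it.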
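Review bot: In the `@@ -148,7 +154,9` hunk an invalid or expired token still yields `HTTP_204_NO_CONTENT`, because the new `if` has no rejecting branch, so the caller cannot tell that the password was not changed. Reject it explicitly instead: `if not default_token_generator.check_token(user, request.data['token']):` followed by `raise ValidationError('Invalid or expired token')`, leaving the two password lines at their original indentation. `request.data['token']` is also read without a presence check in this hunk — the `@@ -139,7` hunk only checks `new_password`, and any `token` check between the two hunks is not visible — so a missing key would surface as an unhandled `KeyError`. The token is verified against `request.user`, which presumably means the caller must already be logged in; whether the view permits anonymous callers is outside the hunk, and if it does, `check_token` on an anonymous user would raise rather than return False.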