Reset password

API Views

There are two views used in the reset password workflow:

reset-password

rest_registration.api.views.reset_password(self, request, *args, **kwargs)[source]

Reset password, given the signature and timestamp from the link.

Assuming that the Django REST Registration views are served at https://backend-host/api/v1/accounts/, the send_reset_password_link and reset_password views are served at:

  • https://backend-host/api/v1/accounts/send-reset-password-link/
  • https://backend-host/api/v1/accounts/reset-password/

respectively.

Verification workflow

Let’s describe it by example. We’re assuming that:

  • the Django REST Registration views are served at https://backend-host/api/v1/accounts/,
  • the frontend application is hosted at https://frontend-host/.

Then the verification workflow looks as follows:

  1. The user who wants to reset his/her password sends an AJAX POST request to the https://backend-host/api/v1/accounts/send-reset-password-link/ endpoint. Usually this happens via the front-end application, which could be hosted at https://frontend-host/.

  2. Assuming the request succeeds and a matching user is found, the send_reset_password_link endpoint generates an e-mail containing a URL which the user should click to enter a new password. The URL has the form:

    https://frontend-host/reset-password/?user_id=<user id>&timestamp=<timestamp>&signature=<signature>

    (You can change the way the URL is generated by overriding ‘VERIFICATION_URL_BUILDER’.)

  3. The frontend endpoint https://frontend-host/reset-password/ (which is not provided by Django REST Registration) receives the following query parameters:

    • user_id
    • timestamp
    • signature

    After obtaining the new password from the user, it should send an AJAX HTTP POST request to https://backend-host/api/v1/accounts/reset-password/ with the following JSON payload:

    {
        "password": "<new password>",
        "user_id": "<user id>",
        "timestamp": "<timestamp>",
        "signature": "<signature>"
    }

    and then show a message to the user depending on the response from the backend server. The frontend forwards user_id, timestamp and signature unchanged; it cannot check the signature itself, so only the backend's response tells whether the link was valid and still within its verification period.
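Step 3 above as runnable code. This is an added example, not code from Django REST Registration or from any frontend it ships: it parses the link the user clicked in step 2, refuses links that do not carry exactly the three expected parameters, and builds the JSON body the reset-password view expects. The host names are the placeholders used on this page and the sample link is constructed.

```python
"""Frontend-side step 3 of the reset password workflow (added example)."""
import json
from urllib.parse import parse_qs, urlsplit
from urllib.request import Request, urlopen

# Placeholder host from this page; a real deployment substitutes its own.
BACKEND_RESET_URL = "https://backend-host/api/v1/accounts/reset-password/"
REQUIRED_PARAMS = ("user_id", "timestamp", "signature")


def parse_reset_link(link: str) -> dict:
    """Extract user_id, timestamp and signature from the link's query string.

    Raises ValueError if any of the three parameters is missing, empty or
    repeated, so a truncated or tampered link is rejected before the user
    is asked to type a new password.
    """
    query = parse_qs(urlsplit(link).query, keep_blank_values=False)
    params = {}
    for name in REQUIRED_PARAMS:
        values = query.get(name, [])
        if len(values) != 1:
            raise ValueError(f"link must carry exactly one {name!r} parameter")
        params[name] = values[0]
    return params


def build_reset_payload(link: str, new_password: str) -> dict:
    """Build the JSON body expected by the reset-password view.

    The three link parameters are forwarded verbatim: the backend, not the
    frontend, verifies the signature and the age of the timestamp.
    """
    if not new_password:
        raise ValueError("new password must not be empty")
    payload = parse_reset_link(link)
    payload["password"] = new_password
    return payload


def post_reset_password(payload: dict, url: str = BACKEND_RESET_URL) -> int:
    """POST the payload as JSON and return the HTTP status code.

    urlopen raises HTTPError for 4xx/5xx, e.g. when the backend rejects an
    expired or forged signature; the caller turns that into a user message.
    """
    request = Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urlopen(request) as response:
        return response.status


if __name__ == "__main__":
    # Constructed sample link; real values come from the e-mail sent in step 2.
    LINK = ("https://frontend-host/reset-password/"
            "?user_id=42&timestamp=1700000000&signature=abc123")
    print(json.dumps(build_reset_payload(LINK, "n3w-passw0rd"), indent=4))
```

A script like this doubles as a quick manual test of the backend: run it against a link taken from a real reset e-mail and compare the status codes you get for a fresh link, a reused link and a link older than the verification period.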

Default serializers

DefaultSendResetPasswordLinkSerializer

class rest_registration.api.serializers.DefaultSendResetPasswordLinkSerializer(instance=None, data=<class 'rest_framework.fields.empty'>, **kwargs)[source]

Default serializer used for sending reset password link.

Whether the user is looked up by e-mail or by the login fields is controlled by the ‘SEND_RESET_PASSWORD_LINK_SERIALIZER_USE_EMAIL’ setting.

get_user_or_none()[source]

Return user if matching given criteria (login fields / e-mail). Return None otherwise.

List of settings

These settings can be used to configure the reset password workflow. You should add them as keys (with values) to your settings.REST_REGISTRATION dict.

‘RESET_PASSWORD_FAIL_WHEN_USER_NOT_FOUND’

Default: True

If True, the send-reset-password-link endpoint signals an error when no user matches the request, which reveals to the caller that the account does not exist (user enumeration). Set it to False to suppress this error so the response does not disclose whether an account exists.

The descriptions of the next five settings are inferred from the setting names, their defaults and the workflow described above; the upstream page leaves them empty.

‘RESET_PASSWORD_VERIFICATION_ENABLED’

Default: True

If True, the reset password workflow described above is available. If False, it is disabled.

‘RESET_PASSWORD_VERIFICATION_PERIOD’

Default: datetime.timedelta(days=1)

How long a generated reset link stays valid, measured from the timestamp embedded in it; after this period the reset-password view rejects the link. For the whole period the link is as good as the password, so consider shortening it.

‘RESET_PASSWORD_VERIFICATION_URL’

Default: None

The frontend URL (https://frontend-host/reset-password/ in the example above) to which the user_id, timestamp and signature parameters are appended when the link is generated. Since the default is None, it needs to be set (or ‘VERIFICATION_URL_BUILDER’ overridden) when the workflow is enabled.

‘RESET_PASSWORD_VERIFICATION_ONE_TIME_USE’

Default: False

If True, a reset link can be used only once. With the default False, a link remains usable until its verification period expires, even after the password has already been reset with it; enabling this setting is the safer choice.

‘RESET_PASSWORD_VERIFICATION_EMAIL_TEMPLATES’

Default:

{'body': 'rest_registration/reset_password/body.txt',
 'subject': 'rest_registration/reset_password/subject.txt'}

Django templates used to render the subject and body of the e-mail carrying the reset link. Override them to change the e-mail content.

‘RESET_PASSWORD_SERIALIZER_PASSWORD_CONFIRM’

Default: False

Used by ResetPasswordSerializer. If True, the serializer requires an additional password_confirm field whose value must equal the value of the password field.

It may be useful to keep it disabled (the current default) if you perform password confirmation at the frontend level.
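The following added example shows what the three link parameters protect and what the settings listed above change in practice. It is not Django REST Registration's own code: the page does not describe the library's signature format, so a plain HMAC-SHA256 over the link parameters stands in for it, and the status codes and messages in send_reset_link_response are this example's, not the library's. The REST_REGISTRATION dict at the top is a suggested hardening of the settings listed above (shorter period, one-time links, no user enumeration), not the project defaults; the secret key and password hashes are constructed.

```python
"""Signed reset links and the RESET_PASSWORD_* settings (added example)."""
import datetime
import hashlib
import hmac

# Keys and defaults are from the settings list above; these values are the
# example's suggestions, not the project defaults.
REST_REGISTRATION = {
    "RESET_PASSWORD_VERIFICATION_ENABLED": True,
    "RESET_PASSWORD_VERIFICATION_URL": "https://frontend-host/reset-password/",
    "RESET_PASSWORD_VERIFICATION_PERIOD": datetime.timedelta(hours=1),  # default: 1 day
    "RESET_PASSWORD_VERIFICATION_ONE_TIME_USE": True,                  # default: False
    "RESET_PASSWORD_FAIL_WHEN_USER_NOT_FOUND": False,                   # default: True
}

SECRET = b"constructed-signing-key"  # stand-in for the server's secret key


def _signing_input(user_id, timestamp, password_hash, one_time_use):
    """Bytes covered by the signature (this example's scheme, not the library's).

    Binding the user's current password hash into the signed data is one way
    to obtain one-time use: changing the password invalidates every link
    issued before the change, without storing used signatures anywhere.
    """
    parts = [str(user_id), str(timestamp)]
    if one_time_use:
        parts.append(password_hash)
    return "\n".join(parts).encode()


def make_link_params(user_id, password_hash, now, settings=REST_REGISTRATION):
    """Produce the user_id/timestamp/signature triple placed in the reset link."""
    timestamp = int(now)
    data = _signing_input(user_id, timestamp, password_hash,
                          settings["RESET_PASSWORD_VERIFICATION_ONE_TIME_USE"])
    signature = hmac.new(SECRET, data, hashlib.sha256).hexdigest()
    return {"user_id": str(user_id), "timestamp": str(timestamp), "signature": signature}


def verify_link_params(params, password_hash, now, settings=REST_REGISTRATION):
    """Check a submitted triple; return None when valid, else a reason string.

    The timestamp is checked against RESET_PASSWORD_VERIFICATION_PERIOD, and
    the signature is compared in constant time so a partial match leaks nothing.
    """
    try:
        timestamp = int(params["timestamp"])
    except (KeyError, ValueError):
        return "bad timestamp"
    period = settings["RESET_PASSWORD_VERIFICATION_PERIOD"].total_seconds()
    if timestamp > now or now - timestamp > period:
        return "expired"
    data = _signing_input(params.get("user_id", ""), timestamp, password_hash,
                          settings["RESET_PASSWORD_VERIFICATION_ONE_TIME_USE"])
    expected = hmac.new(SECRET, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get("signature", "")):
        return "bad signature"
    return None


def send_reset_link_response(email, known_emails, settings=REST_REGISTRATION):
    """Model the send-reset-password-link outcome for an unknown address.

    With RESET_PASSWORD_FAIL_WHEN_USER_NOT_FOUND set, the caller learns whether
    an account exists (user enumeration); with it unset, both cases look alike.
    """
    if email not in known_emails and settings["RESET_PASSWORD_FAIL_WHEN_USER_NOT_FOUND"]:
        return 400, "user not found"
    return 200, "if the account exists, a reset link has been sent"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    link = make_link_params(42, "pbkdf2$old-hash", now)
    print("fresh link:", verify_link_params(link, "pbkdf2$old-hash", now + 60))
    print("after one hour:", verify_link_params(link, "pbkdf2$old-hash", now + 3601))
    print("after password change:", verify_link_params(link, "pbkdf2$new-hash", now + 60))
    print("unknown e-mail:", send_reset_link_response("nobody@example.com", {"a@example.com"}))
```

Running it with RESET_PASSWORD_VERIFICATION_ONE_TIME_USE switched to False shows the difference the setting makes: the link issued before the password change still verifies, and stays valid until the verification period runs out.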