Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

authentication_classes = () in password validate/confirm endpoints? #67

Open
bctiemann opened this issue Aug 30, 2019 · 5 comments
Open

authentication_classes = () in password validate/confirm endpoints? #67

bctiemann opened this issue Aug 30, 2019 · 5 comments

Comments

@bctiemann
Copy link

I found that if the user has an (invalid) local Bearer: <hex> cookie that gets sent as a header, the three views can fail authentication and return a 401. Is this intentional? Shouldn't these views have authentication_classes = () so they work even if there's a leftover token in the browser?

There might be a security-related reason for it to be this way but I'm not sure I can think what it is.
@ghost ghost self-assigned this Feb 7, 2020
@guzzijones
Copy link

yeah. it seems authentication needs to be changed on these views to allow unauthenticated access to the views.

@guzzijones
Copy link

I ended up just inheriting from all the views and adding my own throttling and authentication settings via the authentication_classes and throttling_classes settings

@guzzijones
Copy link

After completing this i suggest the documentation just mention how to inherit from the existing view classes. There are many permission possibilities and throttling possibilities.

@stackbomb
Copy link

stackbomb commented Oct 10, 2021
edited
Loading

Hey @guzzijones , could you show how to inherit from the existing view classes? I have tried to override them in this way:

from rest_framework.permissions import AllowAny
from django_rest_passwordreset.views import (
    ResetPasswordRequestToken,
    ResetPasswordConfirm,
    ResetPasswordValidateToken,
)


class CustomResetPasswordRequestToken(ResetPasswordRequestToken):
    """
    Allow unauthenticated users to request a reset password token by using the email parameter.
    """

    permission_classes = [
        AllowAny,
    ]
    authentication_classes = []


class CustomResetPasswordConfirm(ResetPasswordConfirm):
    """
    Using a valid token, the unauthenticated users password is set to the provided password.
    """

    permission_classes = [
        AllowAny,
    ]
    authentication_classes = []


class CustomResetPasswordValidateToken(ResetPasswordValidateToken):
    """
    Will return a 200 if a given token is valid.
    """

    permission_classes = [
        AllowAny,
    ]
    authentication_classes = []

And adding these views into urls.py:

...
    path(
        "password_reset/",
        CustomResetPasswordRequestToken.as_view(),
        name="password_reset",
    ),
    path(
        "password_reset/confirm/",
        CustomResetPasswordConfirm.as_view(),
        name="password_reset_confirm",
    ),
    path(
        "password_reset/validate_token/",
        CustomResetPasswordValidateToken.as_view(),
        name="password_reset_validate",
    ),
 ...

But I get:
django.urls.exceptions.NoReverseMatch: 'password_reset' is not a registered namespace

I agree with you saying that this should be inserted in the documentation.

@nittolese nittolese mentioned this issue Oct 10, 2021
Merged
@nittolese
Copy link
Contributor

Hi everyone, I'm facing the same problem. I've created a pull request to solve this issue #148

@nezhar nezhar mentioned this issue Oct 12, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@bctiemann @guzzijones @nittolese @stackbomb