Password resetting

src/accounts/api/serializers.py

@@ -1,9 +1,12 @@
+import secrets
+
 from django.conf import settings
 from django.contrib.auth import authenticate
+from django.utils import timezone
 from django_email_verification import sendConfirm
 from rest_framework import serializers
 
-from ..models import Account
+from ..models import Account, PasswordResetRequestModel
 
 
 class PublicAccountDataSerializer(serializers.ModelSerializer):
@@ -81,3 +84,36 @@ def validate(self, data):
                 "Verification token seems invalid or maybe outdated. Try requesting a new one."
             )
         return account
+
+
+class ResetPasswordSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Account
+        fields = ("password",)
+        extra_kwargs = {"password": {"write_only": True}}
+
+
+class ResetPasswordRequestSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = PasswordResetRequestModel
+        fields = ["email"]
+
+    email = serializers.EmailField()
+
+    def validate(self, data):
+        email = data["email"]
+        account = Account.objects.filter(email=email).first()
+        if account is None:
+            raise serializers.ValidationError("Account with this email doesn't exist.")
+
+        # Create a new instance of PasswordResetRequestModel using the account's verification token
+        token = secrets.token_urlsafe(32)
+        new_model_data = {
+            "token": token,
+            "account": account,
+            "created_at": timezone.now() + timezone.timedelta(minutes=35),
+        }
+        return new_model_data
+
+    def create(self, validated_data):
+        return PasswordResetRequestModel.objects.create(**validated_data)

src/accounts/api/urls.py

@@ -6,7 +6,9 @@
     LoginWithTokenView,
     PublicAccountDataView,
     RegisterAccountView,
+    RequestPasswordResetView,
     RequestVerificationTokenView,
+    ResetPasswordView,
     UpdateAccountView,
     VerifyAccountView,
 )
@@ -32,4 +34,6 @@
         name="request-verification-token",
     ),
     path("verify-account", VerifyAccountView.as_view(), name="verify-account"),
+    path("reset-password/<str:reset_token>", ResetPasswordView.as_view(), name="reset-password-token"),
+    path("reset-password/", RequestPasswordResetView.as_view(), name="reset-password"),
 ]

src/accounts/api/views.py

@@ -1,6 +1,8 @@
 from uuid import uuid4
 
+from central_command import settings
 from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
+from django.core.mail import send_mail
 from knox.models import AuthToken
 from knox.views import LoginView as KnoxLoginView
 from rest_framework import status
@@ -13,8 +15,11 @@
 from ..models import Account
 from .serializers import (
     LoginWithCredentialsSerializer,
+    PasswordResetRequestModel,
     PublicAccountDataSerializer,
     RegisterAccountSerializer,
+    ResetPasswordRequestSerializer,
+    ResetPasswordSerializer,
     UpdateAccountSerializer,
     VerifyAccountSerializer,
 )
@@ -181,3 +186,56 @@ def post(self, request):
         public_data = PublicAccountDataSerializer(account).data
 
         return Response(public_data, status=status.HTTP_200_OK)
+
+
+class ResetPasswordView(GenericAPIView):
+    permission_classes = (AllowAny,)
+    serializer_class = ResetPasswordSerializer
+
+    def post(self, request, reset_token):
+        serializer = self.serializer_class(data=request.data)
+        try:
+            if serializer.is_valid(raise_exception=True):
+                reset_request = PasswordResetRequestModel.objects.get(token=reset_token)
+                if not reset_request.is_token_valid():
+                    return Response({"error": "Invalid link or expired."}, status=status.HTTP_400_BAD_REQUEST)
+                account = reset_request.account
+                account.set_password(serializer.validated_data["password"])
+                account.save()
+                reset_request.delete()
+                return Response(data={"detail": "Changed password succesfully"}, status=status.HTTP_200_OK)
+            else:
+                return Response({"error": "Invalid link or expired."}, status=status.HTTP_400_BAD_REQUEST)
+        except PasswordResetRequestModel.DoesNotExist:
+            return Response({"error": "Invalid link or expired."}, status=status.HTTP_400_BAD_REQUEST)
+        except Exception as e:
+            return Response({"error": str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+
+        return Response({"detail": "Operation Done."}, status=status.HTTP_200_OK)
+
+
+class RequestPasswordResetView(GenericAPIView):
+    permission_classes = (AllowAny,)
+    serializer_class = ResetPasswordRequestSerializer
+
+    def post(self, request):
+        serializer = self.serializer_class(data=request.data)
+        try:
+            serializer.is_valid(raise_exception=True)
+        except Exception:
+            # Don't tell the user about the error, just move on.
+            return Response(data={"detail": "Operation Done."}, status=status.HTTP_200_OK)
+
+        serializer.save()
+        send_mail(
+            "Password Reset Request",
+            "A password reset request has been made for your account.\n"
+            + "Please visit the following link to reset your password: "
+            + settings.APP_URL
+            + serializer.data["token"]
+            + "\n\nIf you have not made this request, please ignore this email. The link will expire within 35 minutes.",
+            settings.EMAIL_FROM_ADDRESS,
+            [serializer.data["account"].email],
+            fail_silently=False,
+        )
+        return Response(data={"detail": "Operation Done."}, status=status.HTTP_200_OK)

src/accounts/migrations/0002_passwordresetrequest.py

@@ -0,0 +1,23 @@
+# Generated by Django 3.2.22 on 2024-01-13 17:03
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='PasswordResetRequest',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('token', models.UUIDField()),
+                ('account', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]

src/accounts/migrations/0003_auto_20240113_1858.py

@@ -0,0 +1,26 @@
+# Generated by Django 3.2.22 on 2024-01-13 18:58
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0002_passwordresetrequest'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='PasswordResetRequestModel',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('token', models.UUIDField()),
+                ('account', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+        migrations.DeleteModel(
+            name='PasswordResetRequest',
+        ),
+    ]

src/accounts/migrations/0004_alter_passwordresetrequestmodel_token.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.2.22 on 2024-01-18 20:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0003_auto_20240113_1858'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='passwordresetrequestmodel',
+            name='token',
+            field=models.TextField(),
+        ),
+    ]

src/accounts/migrations/0005_passwordresetrequestmodel_expiry_datetime.py

@@ -0,0 +1,20 @@
+# Generated by Django 3.2.22 on 2024-01-18 20:40
+
+from django.db import migrations, models
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0004_alter_passwordresetrequestmodel_token'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='passwordresetrequestmodel',
+            name='expiry_datetime',
+            field=models.DateTimeField(default=django.utils.timezone.now),
+            preserve_default=False,
+        ),
+    ]

src/accounts/migrations/0006_auto_20240118_2053.py

@@ -0,0 +1,24 @@
+# Generated by Django 3.2.22 on 2024-01-18 20:53
+
+from django.db import migrations, models
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0005_passwordresetrequestmodel_expiry_datetime'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='passwordresetrequestmodel',
+            name='expiry_datetime',
+        ),
+        migrations.AddField(
+            model_name='passwordresetrequestmodel',
+            name='created_at',
+            field=models.DateTimeField(auto_now_add=True, default=django.utils.timezone.now),
+            preserve_default=False,
+        ),
+    ]

src/accounts/models.py

@@ -1,7 +1,9 @@
+from datetime import timedelta
 from uuid import uuid4
 
 from django.contrib.auth.models import AbstractUser
 from django.db import models
+from django.utils import timezone
 
 from .validators import AccountNameValidator, UsernameValidator
 
@@ -69,3 +71,15 @@ def save(self, *args, **kwargs):
 
     def __str__(self):
         return f"{self.unique_identifier} as {self.username}"
+
+
+class PasswordResetRequestModel(models.Model):
+    token = models.TextField()
+    account = models.ForeignKey(Account, on_delete=models.CASCADE)
+    created_at = models.DateTimeField(auto_now_add=True)
+
+    def __str__(self):
+        return f"{self.token} as {self.account} created at {self.created_at}"
+
+    def is_token_valid(self):
+        return timezone.now() <= timedelta(minutes=60)

src/central_command/settings.py

@@ -123,6 +123,7 @@
 EMAIL_ADDRESS = os.environ.get("EMAIL_HOST_USER")
 EMAIL_FROM_ADDRESS = os.environ.get("EMAIL_HOST_USER")
 EMAIL_PASSWORD = os.environ.get("EMAIL_HOST_PASSWORD")
+EMAIL_PASSWORD_RESET = os.environ.get("WEBSITE_URL", "https://unitystation.org/reset-password/")
 EMAIL_MAIL_SUBJECT = "Confirm your Unitystation account"
 EMAIL_MAIL_HTML = "registration/confirmation_email.html"
 EMAIL_PAGE_TEMPLATE = "confirm_template.html"