我对可用的django中间件感到完全困惑:
我只想通过在后端使用django和rest_auth并在前端使用Vue来运行密码重置(以及以后的密码更改)功能。
到目前为止,我已经做了CustomPasswordResetView:
# project/accounts/views.py
from rest_auth.views import PasswordResetView
class CustomPasswordResetView(PasswordResetView):
pass
和一个CustomPasswordResetSerializer:
# project/accounts/serializers.py
from rest_auth.serializers import PasswordResetSerializer
class CustomPasswordResetSerializer(PasswordResetSerializer):
email = serializers.EmailField()
password_reset_form_class = ResetPasswordForm
def validate_email(self, value):
# Create PasswordResetForm with the serializer
self.reset_form = self.password_reset_form_class(data=self.initial_data)
if not self.reset_form.is_valid():
raise serializers.ValidationError(self.reset_form.errors)
###### FILTER YOUR USER MODEL ######
if not get_user_model().objects.filter(email=value).exists():
raise serializers.ValidationError(_('Invalid e-mail address'))
return value
def save(self):
request = self.context.get('request')
# Set some values to trigger the send_email method.
opts = {
'use_https': request.is_secure(),
'from_email': getattr(settings, 'DEFAULT_FROM_EMAIL'),
'request': request,
}
opts.update(self.get_email_options())
self.reset_form.save(**opts)
在settings.py中,我拥有以下字段,这些字段似乎与我的问题有关:
# project/vuedj/settings.py
REST_AUTH_SERIALIZERS = {
"USER_DETAILS_SERIALIZER": "accounts.serializers.CustomUserDetailsSerializer",
"LOGIN_SERIALIZER": "accounts.serializers.CustomUserLoginSerializer",
"PASSWORD_RESET_SERIALIZER": "accounts.serializers.CustomPasswordResetSerializer"
}
(完整的settings.py附在底部)
我的网址已经捕获了我的API请求,以便发送密码重置电子邮件:
# project/vuedj/urls.py
urlpatterns = [
path('admin/', admin.site.urls),
path('api/v1/', include('api.urls')),
path('accounts/', include('allauth.urls')),
path('', api_views.index, name='home')
]
# project/api/urls.py
urlpatterns = [
path('auth/', include('accounts.urls')),
# other paths...
]
# project/accounts/urls.py
urlpatterns = [
path('', acc_views.UserListView.as_view(), name='user-list'),
path('login/', acc_views.UserLoginView.as_view(), name='login'),
path('logout/', acc_views.UserLogoutView.as_view(), name='logout'),
path('register/', acc_views.CustomRegisterView.as_view(), name='register'),
path('reset-password/', acc_views.CustomPasswordResetView.as_view(), name='reset-password'),
path('reset-password-confirm/', acc_views.CustomPasswordResetConfirmView.as_view(), name='reset-password-confirm'),
path('<int:pk>/', acc_views.UserDetailView.as_view(), name='user-detail')
]
CustomPasswordReset视图最终将生成带有精美的pw-reset链接的精美电子邮件。该链接有效,当我单击它时,我可以通过allauth模板完美地重置密码。
rest-auth(间接)使用此代码生成重置令牌:
# project/.venv/Lib/site-packages/allauth/account/forms.py
def save(self, request, **kwargs):
current_site = get_current_site(request)
email = self.cleaned_data["email"]
token_generator = kwargs.get("token_generator",
default_token_generator)
for user in self.users:
temp_key = token_generator.make_token(user)
# save it to the password reset model
# password_reset = PasswordReset(user=user, temp_key=temp_key)
# password_reset.save()
# send the password reset email
path = reverse("account_reset_password_from_key",
kwargs=dict(uidb36=user_pk_to_url_str(user),
key=temp_key))
url = build_absolute_uri(
request, path)
context = {"current_site": current_site,
"user": user,
"password_reset_url": url,
"request": request}
if app_settings.AUTHENTICATION_METHOD \
!= AuthenticationMethod.EMAIL:
context['username'] = user_username(user)
get_adapter(request).send_mail(
'account/email/password_reset_key',
email,
context)
return self.cleaned_data["email"]
上面的代码中使用了PasswordResetTokenGenerator:
# project/.venv/Lib/site-packages/django/contrib/auth/tokens.py
class PasswordResetTokenGenerator:
"""
Strategy object used to generate and check tokens for the password
reset mechanism.
"""
key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
secret = settings.SECRET_KEY
def make_token(self, user):
"""
Return a token that can be used once to do a password reset
for the given user.
"""
return self._make_token_with_timestamp(user, self._num_days(self._today()))
def check_token(self, user, token):
"""
Check that a password reset token is correct for a given user.
"""
if not (user and token):
return False
# Parse the token
try:
ts_b36, hash = token.split("-")
except ValueError:
return False
try:
ts = base36_to_int(ts_b36)
except ValueError:
return False
# Check that the timestamp/uid has not been tampered with
if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
return False
# Check the timestamp is within limit. Timestamps are rounded to
# midnight (server time) providing a resolution of only 1 day. If a
# link is generated 5 minutes before midnight and used 6 minutes later,
# that counts as 1 day. Therefore, PASSWORD_RESET_TIMEOUT_DAYS = 1 means
# "at least 1 day, could be up to 2."
if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS:
return False
return True
上面的类将由rest_auth PasswordResetView调用:
# project/.venv/Lib/site-packages/rest_auth/views.py
class PasswordResetView(GenericAPIView):
"""
Calls Django Auth PasswordResetForm save method.
Accepts the following POST parameters: email
Returns the success/fail message.
"""
serializer_class = PasswordResetSerializer
permission_classes = (AllowAny,)
def post(self, request, *args, **kwargs):
# Create a serializer with request.data
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
serializer.save() # <----- Code from above (TokenGenerator) will be called inside this .save() method
# Return the success message with OK HTTP status
return Response(
{"detail": _("Password reset e-mail has been sent.")},
status=status.HTTP_200_OK
)
如您所见,令牌生成器将返回带有令牌的uidb36。
当用户确认密码重置时,它也假设uidb36。
生成的令牌(例如,生成的邮件中的完整链接)如下所示:
http://localhost:8000/accounts/password/reset/key/16-52h-42b222e6dc30690b2e91/
16 是基数36(uidb36)中的用户ID,但我尚不知道52h是什么意思,但我想令牌的一部分是令牌本身(42b222e6dc30690b2e91)
我被困在这里。 API-Endpoints中的Rest-Auth-Framework说:
/ rest-auth / password / reset / confirm /(POST)
uid
token
new_password1
new_password2
当我发送对象时,例如:
{
uid: '16', // TODO maybe I have to convert it to base10...
token: '42b222e6dc30690b2e91',
new_password1: 'test123A$',
new_password2: 'test123A$'
}
通过我的api将http://localhost:8000/api/v1/auth/reset-password/正文中的上方对象与axios一起使用,我的CustomPasswordResetConfirmView像预期的那样被触发,它也只是{{ 1 {}中的1}},因此将执行以下代码:
PasswordResetConfirmView第rest_auth行将调用# project/.venv/Lib/site-packages/rest_auth/views.py
class PasswordResetConfirmView(GenericAPIView):
"""
Password reset e-mail link is confirmed, therefore
this resets the user's password.
Accepts the following POST parameters: token, uid,
new_password1, new_password2
Returns the success/fail message.
"""
serializer_class = PasswordResetConfirmSerializer
permission_classes = (AllowAny,)
@sensitive_post_parameters_m
def dispatch(self, *args, **kwargs):
return super(PasswordResetConfirmView, self).dispatch(*args, **kwargs)
def post(self, request, *args, **kwargs):
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
serializer.save()
return Response(
{"detail": _("Password has been reset with the new password.")}
)
中serializer.is_valid(raise_exception=True)中的run_validation。
这将进一步使用Serializer(BaseSerializer)中的rest_framework:
PasswordResetConfirmSerializer并且您最终可以看到,该类期望用户标识使用uidb64而不是uidb36,而且我什至都不希望令牌格式是否与此处期望的匹配。
我真的找不到很好的文档来说明如何正确设置rest_auth来完成整个密码重置过程:我的电子邮件可以正常工作,但是对我来说# project/.venv/Lib/site-packages/rest_auth/serializers.py
class PasswordResetConfirmSerializer(serializers.Serializer):
"""
Serializer for requesting a password reset e-mail.
"""
new_password1 = serializers.CharField(max_length=128)
new_password2 = serializers.CharField(max_length=128)
uid = serializers.CharField()
token = serializers.CharField()
set_password_form_class = SetPasswordForm
def custom_validation(self, attrs):
pass
def validate(self, attrs):
self._errors = {}
# Decode the uidb64 to uid to get User object
try:
uid = force_text(uid_decoder(attrs['uid']))
self.user = UserModel._default_manager.get(pk=uid)
except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist):
raise ValidationError({'uid': ['Invalid value']})
self.custom_validation(attrs)
# Construct SetPasswordForm instance
self.set_password_form = self.set_password_form_class(
user=self.user, data=attrs
)
if not self.set_password_form.is_valid():
raise serializers.ValidationError(self.set_password_form.errors)
if not default_token_generator.check_token(self.user, attrs['token']):
raise ValidationError({'token': ['Invalid value']})
return attrs
似乎会生成错误的令牌/重置链接,了解用户实际期望返回的内容。
我相信,密码重置确认过程以正确的后端代码结束,而电子邮件/令牌生成过程却一团糟。
我只想获取一个 uid 和一个令牌,我可以将其发送回django rest-auth,以便用户重置密码。 当前,似乎这些uid和令牌是由一个库创建的,而又由另一个库使用的,这两个库都期望并创建不同格式的Token和uid?
谢谢!
rest_auth 这是我的完整rest_auth:
settings.py答案 0 :(得分:2)
幸运的是,我发现了一个不错的图书馆,这使我今天的生活如此轻松:
https://github.com/anx-ckreuzberger/django-rest-passwordreset
pip install django-rest-passwordreset
让它像这样工作:
我的 accounts/urls.py 现在具有以下路径:
# project/accounts/urls.py
from django.urls import path, include
from . import views as acc_views
app_name = 'accounts'
urlpatterns = [
path('', acc_views.UserListView.as_view(), name='user-list'),
path('login/', acc_views.UserLoginView.as_view(), name='login'),
path('logout/', acc_views.UserLogoutView.as_view(), name='logout'),
path('register/', acc_views.CustomRegisterView.as_view(), name='register'),
# NEW: custom verify-token view which is not included in django-rest-passwordreset
path('reset-password/verify-token/', acc_views.CustomPasswordTokenVerificationView.as_view(), name='password_reset_verify_token'),
# NEW: The django-rest-passwordreset urls to request a token and confirm pw-reset
path('reset-password/', include('django_rest_passwordreset.urls', namespace='password_reset')),
path('<int:pk>/', acc_views.UserDetailView.as_view(), name='user-detail')
]
然后,我还为我的CustomTokenVerification添加了一些TokenSerializer:
# project/accounts/serializers.py
from rest_framework import serializers
class CustomTokenSerializer(serializers.Serializer):
token = serializers.CharField()
然后,我在以前派生的 CustomPasswordResetView 中添加了信号接收器,现在不再从rest_auth.views.PasswordResetView派生了信号接收器 AND ,并添加了一个新视图 CustomPasswordTokenVerificationView :
# project/accounts/views.py
from django.dispatch import receiver
from django_rest_passwordreset.signals import reset_password_token_created
from django.core.mail import EmailMultiAlternatives
from django.template.loader import render_to_string
from vuedj.constants import site_url, site_full_name, site_shortcut_name
from rest_framework.views import APIView
from rest_framework import parsers, renderers, status
from rest_framework.response import Response
from .serializers import CustomTokenSerializer
from django_rest_passwordreset.models import ResetPasswordToken
from django_rest_passwordreset.views import get_password_reset_token_expiry_time
from django.utils import timezone
from datetime import timedelta
class CustomPasswordResetView:
@receiver(reset_password_token_created)
def password_reset_token_created(sender, reset_password_token, *args, **kwargs):
"""
Handles password reset tokens
When a token is created, an e-mail needs to be sent to the user
"""
# send an e-mail to the user
context = {
'current_user': reset_password_token.user,
'username': reset_password_token.user.username,
'email': reset_password_token.user.email,
'reset_password_url': "{}/password-reset/{}".format(site_url, reset_password_token.key),
'site_name': site_shortcut_name,
'site_domain': site_url
}
# render email text
email_html_message = render_to_string('email/user_reset_password.html', context)
email_plaintext_message = render_to_string('email/user_reset_password.txt', context)
msg = EmailMultiAlternatives(
# title:
"Password Reset for {}".format(site_full_name),
# message:
email_plaintext_message,
# from:
"noreply@{}".format(site_url),
# to:
[reset_password_token.user.email]
)
msg.attach_alternative(email_html_message, "text/html")
msg.send()
class CustomPasswordTokenVerificationView(APIView):
"""
An Api View which provides a method to verifiy that a given pw-reset token is valid before actually confirming the
reset.
"""
throttle_classes = ()
permission_classes = ()
parser_classes = (parsers.FormParser, parsers.MultiPartParser, parsers.JSONParser,)
renderer_classes = (renderers.JSONRenderer,)
serializer_class = CustomTokenSerializer
def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data)
serializer.is_valid(raise_exception=True)
token = serializer.validated_data['token']
# get token validation time
password_reset_token_validation_time = get_password_reset_token_expiry_time()
# find token
reset_password_token = ResetPasswordToken.objects.filter(key=token).first()
if reset_password_token is None:
return Response({'status': 'invalid'}, status=status.HTTP_404_NOT_FOUND)
# check expiry date
expiry_date = reset_password_token.created_at + timedelta(hours=password_reset_token_validation_time)
if timezone.now() > expiry_date:
# delete expired token
reset_password_token.delete()
return Response({'status': 'expired'}, status=status.HTTP_404_NOT_FOUND)
# check if user has password to change
if not reset_password_token.user.has_usable_password():
return Response({'status': 'irrelevant'})
return Response({'status': 'OK'})
现在我的前端将提供一个请求pw-reset链接的选项,因此前端将向django发送发布请求,如下所示:
// urls.js
const SERVER_URL = 'http://localhost:8000/' // FIXME: change at production (https and correct IP and port)
const API_URL = 'api/v1/'
const API_AUTH = 'auth/'
API_AUTH_PASSWORD_RESET = API_AUTH + 'reset-password/'
// api.js
import axios from 'axios'
import urls from './urls'
axios.defaults.baseURL = urls.SERVER_URL + urls.API_URL
axios.defaults.headers.post['Content-Type'] = 'application/json'
axios.defaults.xsrfHeaderName = 'X-CSRFToken'
axios.defaults.xsrfCookieName = 'csrftoken'
const api = {
get,
post,
patch,
put,
head,
delete: _delete
}
function post (url, request) {
return axios.post(url, request)
.then((response) => Promise.resolve(response))
.catch((error) => Promise.reject(error))
}
// user.service.js
import api from '@/_api/api'
import urls from '@/_api/urls'
api.post(`${urls.API_AUTH_PASSWORD_RESET}`, email)
.then( /* handle success */ )
.catch( /* handle error */ )
创建的电子邮件将包含这样的链接:
Click the link below to reset your password.
localhost:8000/password-reset/4873759c229f17a94546a63eb7c3d482e73983495fa40c7ec2a3d9ca1adcf017
... django-urls中未有意定义的! Django将让每个未知网址通过,而vue路由器将决定该网址是否有意义。 然后,我让前端发送令牌以查看其是否有效,以便用户可以查看该令牌是否已被使用,过期或其他任何原因。
// urls.js
const API_AUTH_PASSWORD_RESET_VERIFY_TOKEN = API_AUTH + 'reset-password/verify-token/'
// users.service.js
api.post(`${urls.API_AUTH_PASSWORD_RESET_VERIFY_TOKEN}`, pwResetToken)
.then( /* handle success */ )
.catch( /* handle error */ )
现在,用户将通过Vue或密码输入字段收到一条错误消息,他们最终可以在其中重置密码,该密码将由前端发送,如下所示:
// urls.js
const API_AUTH_PASSWORD_RESET_CONFIRM = API_AUTH + 'reset-password/confirm/'
// users.service.js
api.post(`${urls.API_AUTH_PASSWORD_RESET_CONFIRM}`, {
token: state[token], // (vuex state)
password: state[password] // (vuex state)
})
.then( /* handle success */ )
.catch( /* handle error */ )
这是主要代码。我使用自定义Vue路由将Django其余端点与前端可见路由解耦。其余的工作通过api请求并处理它们的响应来完成。
希望这对将来像我这样的人有帮助。
答案 1 :(得分:0)
我们有相同的设置,我可以告诉您它可以工作,但是除了Django documentation都说它是基于64的基础之外,我不能为您提供帮助!
但是,您已经写到这个理论部分对您而言并不那么重要,让我们找到您缺少的地方。设置有些混乱,因为您不需要allauth的所有内容。我不明白你到底在哪里。因此,我想告诉你我是怎么做到的:
我仅在创建电子邮件中的链接时为Django / allauth定义了密码重置URL:
from django.views.generic import TemplateView
PASSWORD_RESET = (
r'^auth/password-reset-confirmation/'
r'(?P<uidb64>[0-9A-Za-z_\-]+)/'
r'(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})$'
)
urlpatterns += [
re_path(
PASSWORD_RESET,
TemplateView.as_view(),
name='password_reset_confirm',
),
]
您不必这样做(因为您include('allauth.urls'),实际上是don't need these URLs),但我想指出的是,此URL并不指向后端!就是说,让您的前端将此URL提供给表单以输入新密码,然后使用axios或其他方式POST uid,token,new_password1和{{1 }}到您的端点。
在您的情况下,端点是
new_password2这对您有帮助吗?否则,请让我知道。