Merge pull request #8 from devvspaces/2-forget-password-api

devvspaces · web-flow · commit 2393eafbd7c7 · 2023-04-18T13:13:56.000-07:00
Complete and tested the forget password flow
diff --git a/src/account/api/base/serializers.py b/src/account/api/base/serializers.py
@@ -2,6 +2,10 @@
 from django.contrib.auth.password_validation import validate_password
 from rest_framework import serializers
 from django.contrib.auth.models import AbstractBaseUser
+from django.contrib.auth import get_user_model
+from django.utils.encoding import force_str
+from django.utils.http import urlsafe_base64_decode
+from account.api.base.tokens import TokenGenerator
 
 from account.models import Profile, User
 
@@ -66,6 +70,11 @@ def validate(self, attrs):
         return attrs
 
 
+class ForgetPasswordTokenSerializer(serializers.Serializer):
+    token = serializers.CharField(required=True)
+    uidb64 = serializers.CharField(required=True)
+
+
 class ValidateRegistrationOtpSerializer(ValidateOtpSerializer):
     def save(self, **kwargs):
         user: User = self.validated_data['email']
@@ -140,7 +149,29 @@ class ForgetPasswordSerializer(serializers.Serializer):
         write_only=True, required=True, validators=[validate_password])
 
     def validate(self, attrs):
-        # Validate the uidb64 and token
+        """
+        Validate the token and uidb64
+        """
+        uidb64 = attrs['uidb64']
+        token = attrs['token']
+
+        User = get_user_model()
+        user = None
+
+        try:
+            uidb64 = force_str(urlsafe_base64_decode(uidb64))
+            user = User.objects.get(id=uidb64)
+        except (
+            TypeError, ValueError, OverflowError,
+            User.DoesNotExist
+        ):
+            raise serializers.ValidationError('Invalid token')
+
+        generator = TokenGenerator()
+        if not generator.check_token(user, token):
+            raise serializers.ValidationError('Invalid token')
+
+        attrs['user'] = user
         return attrs
 
     def save(self, **kwargs):
diff --git a/src/account/api/base/tokens.py b/src/account/api/base/tokens.py
@@ -0,0 +1,11 @@
+import six
+from django.contrib.auth.tokens import PasswordResetTokenGenerator
+
+
+class TokenGenerator(PasswordResetTokenGenerator):
+    def _make_hash_value(self, user, timestamp):
+        return (
+            six.text_type(user.pk) +
+            six.text_type(timestamp) +
+            six.text_type(user.password)
+        )
diff --git a/src/account/api/base/urls.py b/src/account/api/base/urls.py
@@ -14,11 +14,15 @@
         views.UserRetrieveUpdateAPIView.as_view(),
         name='user_retrieve_update'),
     path(
-        'request-password-reset/',
+        'forget-password/request-reset/',
         views.RequestForgetPasswordView.as_view(),
         name='request_password_reset'),
     path(
-        'password-reset/',
+        'forget-password/validate-otp/',
+        views.ValidateForgetPasswordOtpView.as_view(),
+        name='request_password_reset'),
+    path(
+        'forget-password/reset/',
         views.ForgetPasswordView.as_view(),
         name='password_reset'),
     path('token/user/refresh/',
diff --git a/src/account/api/base/views.py b/src/account/api/base/views.py
@@ -1,10 +1,14 @@
+from base64 import urlsafe_b64encode
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework import generics, status
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from rest_framework_simplejwt.authentication import JWTAuthentication
 from rest_framework_simplejwt.exceptions import InvalidToken, TokenError
 from rest_framework_simplejwt.serializers import TokenRefreshSerializer
+from account.api.base.tokens import TokenGenerator
+from django.utils.encoding import force_bytes
+from django.utils.http import urlsafe_base64_encode
 
 from account.models import User
 from utils.base.general import get_tokens_for_user
@@ -60,28 +64,6 @@ def post(self, request, *args, **kwargs):
         )
 
 
-class ValidateForgetPasswordOtpView(generics.GenericAPIView):
-    """
-    Validate the forget password otp sent to user's email.
-
-    Return a token to be used for resetting password.
-    """
-    permission_classes = []
-    serializer_class = serializers.ValidateRegistrationOtpSerializer
-
-    def post(self, request, *args, **kwargs):
-        serializer = self.serializer_class(data=request.data)
-        serializer.is_valid(raise_exception=True)
-
-        # Create a token for user to reset password
-        # uidb64 and token are used to identify the user
-
-        return Response(
-            data=serializer.data,
-            status=status.HTTP_201_CREATED
-        )
-
-
 class TokenVerifyAPIView(APIView):
     """
     An authentication plugin that checks if a jwt
@@ -170,6 +152,12 @@ def get_queryset(self):
 
 
 class RequestForgetPasswordView(generics.GenericAPIView):
+    """
+    Request a password reset email (otp).
+
+    Otp is sent to user's email.
+    """
+
     serializer_class = serializers.RequestForgetPasswordSerializer
     permission_classes = []
 
@@ -180,7 +168,45 @@ def post(self, request, *args, **kwargs):
         return Response(data=serializer.data)
 
 
+class ValidateForgetPasswordOtpView(generics.GenericAPIView):
+    """
+    Validate the forget password otp sent to user's email.
+
+    Return a token to be used for resetting password.
+    """
+    permission_classes = []
+    serializer_class = serializers.ValidateOtpSerializer
+
+    @swagger_auto_schema(
+        responses={200: serializers.ForgetPasswordTokenSerializer}
+    )
+    def post(self, request, *args, **kwargs):
+        serializer = self.serializer_class(data=request.data)
+        serializer.is_valid(raise_exception=True)
+
+        # Create a token for user to reset password
+        generator = TokenGenerator()
+        user = serializer.validated_data['email']
+        uidb64 = urlsafe_base64_encode(force_bytes(user.pk))
+        token = generator.make_token(user)
+        # uidb64 and token are used to identify the user
+
+        return Response(
+            data={
+                'uidb64': uidb64,
+                'token': token
+            },
+            status=status.HTTP_201_CREATED
+        )
+
+
 class ForgetPasswordView(generics.GenericAPIView):
+    """
+    Reset password using the token received by validating the otp.
+
+    User password will be reset to the new password.
+    Returns a new access and refresh token including user details.
+    """
     serializer_class = serializers.ForgetPasswordSerializer
     permission_classes = []
 
@@ -192,7 +218,7 @@ class ForgetPasswordView(generics.GenericAPIView):
     def post(self, request, *args, **kwargs):
         serializer = self.serializer_class(data=request.data)
         serializer.is_valid(raise_exception=True)
-        user: User = serializer.validated_data.get('user')
+        user = serializer.save()
         user_details = serializers.UserSerializer(user).data
         response_data = {
             'tokens': get_tokens_for_user(user),
