New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UID for password reset incorrectly uses base64 #76
Comments
How does this manifest into an actual problem? Like, Is there an exception raised? Or is there a 404? We have tests on password reset and they're all passing. |
When a password reset link is request, the UID is encoded into the url as such, by django allauth
Here UID is NDc |
The way I understand this question is how to support the following use case, where a website is configured to use Django Allauth for user management and Dj Rest Auth for REST API auth. Password reset flow:
This only works when the password reset link is formatted in a compatible way with Django Allauth. And that would be solved by PR #77 if I'm not mistaken. So, why exactly has this PR been closed, is it not in scope for this project or any other reason? |
@squio see this pull request: Tivix/django-rest-auth#643 I had originally closed the PR because it wasn't being merged in. |
Hi @iMerica what is the status of this issue and the associated PR? As far as I can tell this does not introduce a hard dependency on Allauth, while still providing compatibility with the password reset scheme when Allauth is available. That is exactly the use case I currently have, so it would be really helpful if this PR got integrated. |
That PR has some failing tests. |
Hmm @gsheni are you still interested in this PR? Otherwise I'll have a look and see if I can make fixes and maybe extra unit tests |
@squio you can go ahead and take over my PR. |
So I finally got around it and got it fixed in #266. After closely inspecting the code the fix was not complicated (tests should use the right encoder corresponding to the decoder used in the Serializer class. Also the selection of encoder / decoder is now similar to the other checks where we test if allauth is in installed apps. |
Thanks 👍 |
@iMerica should this actually be a setting, and not just based on whether (One could also certainly imagine an errant and unused installation of Could this instead be a setting (called something like (The result for us it that we cannot use |
Unfortunately the problem persists. Uid is generated by Django related code in Updated tests in #266 assume in |
Hmm indeed, this patch didn't solve my real world issue either; now reverted to an intermediate view to catch the difference in encoding. For anyone interested:
https://gist.github.com/squio/28aadec528bea9302c168744fd0af3b6 |
@iMerica Would you accept a patch that enforces the Django encoding of the UID instead of only checking for weather or not allauth is installed? |
When a password reset link is request, the UID is encoded into the url as such, by
django allauth
Such that the uid is
7w
and the token is1x7-d1a11z1sa1s1a1s
The UID is encoded here, as base36:
https://github.com/pennersr/django-allauth/blob/330bf899dd77046fd0510221f3c12e69eb2bc64d/allauth/account/forms.py#L524
However, when the UID decoded in
django-rest-auth
as base64https://github.com/jazzband/dj-rest-auth/blob/02c9242e3d069164692ef44a0f15eaca31a41cac/dj_rest_auth/serializers.py#L214
The text was updated successfully, but these errors were encountered: