UID for password reset incorrectly uses base64 #76
Comments
|
How does this manifest into an actual problem? Like, Is there an exception raised? Or is there a 404? We have tests on password reset and they're all passing. |
|
When a password reset link is request, the UID is encoded into the url as such, by django allauth
Here UID is NDc |
|
The way I understand this question is how to support the following use case, where a website is configured to use Django Allauth for user management and Dj Rest Auth for REST API auth. Password reset flow:
This only works when the password reset link is formatted in a compatible way with Django Allauth. And that would be solved by PR #77 if I'm not mistaken. So, why exactly has this PR been closed, is it not in scope for this project or any other reason? |
|
@squio see this pull request: Tivix/django-rest-auth#643 I had originally closed the PR because it wasn't being merged in. |
|
Hi @iMerica what is the status of this issue and the associated PR? As far as I can tell this does not introduce a hard dependency on Allauth, while still providing compatibility with the password reset scheme when Allauth is available. That is exactly the use case I currently have, so it would be really helpful if this PR got integrated. |
|
That PR has some failing tests. |
|
Hmm @gsheni are you still interested in this PR? Otherwise I'll have a look and see if I can make fixes and maybe extra unit tests |
|
@squio you can go ahead and take over my PR. |
|
So I finally got around it and got it fixed in #266. After closely inspecting the code the fix was not complicated (tests should use the right encoder corresponding to the decoder used in the Serializer class. Also the selection of encoder / decoder is now similar to the other checks where we test if allauth is in installed apps. |
|
Thanks 👍 |
|
@iMerica should this actually be a setting, and not just based on whether (One could also certainly imagine an errant and unused installation of Could this instead be a setting (called something like (The result for us it that we cannot use |
|
Unfortunately the problem persists. Uid is generated by Django related code in Updated tests in #266 assume in |
|
Hmm indeed, this patch didn't solve my real world issue either; now reverted to an intermediate view to catch the difference in encoding. For anyone interested:
https://gist.github.com/squio/28aadec528bea9302c168744fd0af3b6 |
|
@iMerica Would you accept a patch that enforces the Django encoding of the UID instead of only checking for weather or not allauth is installed? |
When a password reset link is request, the UID is encoded into the url as such, by
django allauthSuch that the uid is
7wand the token is1x7-d1a11z1sa1s1a1sThe UID is encoded here, as base36:
https://github.com/pennersr/django-allauth/blob/330bf899dd77046fd0510221f3c12e69eb2bc64d/allauth/account/forms.py#L524
However, when the UID decoded in
django-rest-authas base64https://github.com/jazzband/dj-rest-auth/blob/02c9242e3d069164692ef44a0f15eaca31a41cac/dj_rest_auth/serializers.py#L214
The text was updated successfully, but these errors were encountered: