django-rest-auth: What is the email verification for and how can I let the user activate the account correctly?

1
votes

I might misunderstand something. django-rest-auth provides RegisterView and an email is supposed to be sent to the user's email after user sign up. However, I've noticed the user is registered with is_active=True even before the user confirm the email. Then, what is the email verification for? Do I have to override something and create the user with is_active=False when the user register with a site? And if so, how can I achieve it properly? I'm having trouble with it.

Here is what I did.

urls.py

path('api/v1/rest-auth/registration/', include('rest_auth.registration.urls')),

serializers.py

from rest_auth.registration.serializers import RegisterSerializer

class CustomRegistrationSerializer(RegisterSerializer):

    def save(self, request):
        user = super(CustomRegistrationSerializer, self).save(request)
        user.is_active = False
        return user

settings.py

REST_AUTH_REGISTER_SERIALIZERS = {
'REGISTER_SERIALIZER': 'appname.serializers.CustomRegistrationSerializer',
}

and here is an error I encountered.

File "rest_auth/registration/views.py", line 46, in dispatch return super(RegisterView, self).dispatch(*args, **kwargs)

File "/rest_framework/views.py", line 495, in dispatch response = self.handle_exception(exc)

File "rest_framework/views.py", line 455, in handle_exception self.raise_uncaught_exception(exc)

File "rest_framework/views.py", line 492, in dispatch response = handler(request, *args, **kwargs)

File "rest_framework/generics.py", line 192, in post return self.create(request, *args, **kwargs)

File "rest_auth/registration/views.py", line 65, in create user = self.perform_create(serializer)

File "rest_auth/registration/views.py", line 81, in perform_create None)

File "allauth/account/utils.py", line 183, in complete_signup signal_kwargs=signal_kwargs)

File "/allauth/account/utils.py", line 133, in perform_login return adapter.respond_user_inactive(request, user)

File "allauth/account/adapter.py", line 454, in respond_user_inactive reverse('account_inactive'))

File "django/urls/resolvers.py", line 622, in _reverse_with_prefix raise NoReverseMatch(msg) django.urls.exceptions.NoReverseMatch: Reverse for 'account_inactive' not found. 'account_inactive' is not a valid view function or pattern name.

I'd like to hear how people who are using django-rest-auth handle with registration. Anyone have used django-rest-auth and coule give me tips?

2
djangodjango-rest-frameworkdjango-rest-auth

2 Answers

4
votes

is_active is actually not for this purpose. I use it as an admin to deactivate a user when I don't want to delete him. You might want to use ACCOUNT_EMAIL_VERIFICATION = "mandatory" instead:

ACCOUNT_EMAIL_VERIFICATION (=”optional”)

Determines the e-mail verification method during signup – choose one of "mandatory", "optional", or "none". When set to “mandatory” the user is blocked from logging in until the email address is verified. Choose “optional” or “none” to allow logins with an unverified e-mail address. In case of “optional”, the e-mail verification mail is still sent, whereas in case of “none” no e-mail verification mails are sent.

Source: https://django-allauth.readthedocs.io/en/latest/configuration.html

Many websites required a double opt-in to verify the validity of an email address or for legal purposes and you can accomplish this with quoted setting.

Concerning the NoReverseMatch exception, you should be able to solve it with following code (but I think you might not need it when you switch to ACCOUNT_EMAIL_VERIFICATION = "mandatory"):

urlpatterns = [
    ...
    url(r'^accounts/', include('allauth.urls')),
    ...
]

Docs: https://django-allauth.readthedocs.io/en/latest/installation.html

However, you probably don't need this view or want to override it if Django is a backend only. To get an idea how to do that you can look at my gist where I also override the adapter because there is a URL I don't need.

0
votes

django rest auth handles email by using an extra table that have email accounts and a flag if they are verified or not..

It has taken this from django-allauth.