Password Reset activation Link

Question

I have 2 views . 1) For user Registration . 2) For Password Reset. Activation Link for both task is generated and send to mail. My activation link for first time registration is working fine . When I create my activation Link for password Reset , It is not get expired after use.

@csrf_protect
def changing_password_confirmation(request, uidb64, token):
    try:
        uid = force_bytes(urlsafe_base64_decode(uidb64))
        user = User.objects.get(pk=uid)
    except(TypeError, ValueError, OverflowError, User.DoesNotExist):
        user = None
    if user is not None and passord_reset_token.check_token(user, token):
        print('user is not None and passord_reset_token.check_token(user, token)')
        if request.method == 'POST':
            password1 = request.POST.get('password1')
            password2 = request.POST.get('password2')
            if password1 == password2:
                user.set_password(password1)
                user.save()
                return render(request=request, template_name='website/password_reset_complete.html')
            else:
                return HttpResponse('<h1>Password doesnt match</h1>')
        return render(request=request, template_name='website/password_reset_confirm.html')
    else:
        print('User', user)
        result = 'Activation link is invalid!'
        return render(request=request, template_name='website/password_reset_confirm.html', context={'result': result})

from django.contrib.auth.tokens import PasswordResetTokenGenerator
from django.utils import six


class TokenGenerator(PasswordResetTokenGenerator):
    def _make_hash_value(self, user, timestamp):
        return (
                six.text_type(user.pk) + six.text_type(timestamp) +
                six.text_type(user.is_active)
        )


class PasswordTokenGenerator(PasswordResetTokenGenerator):
    def _make_hash_value(self, user, timestamp):
        return (
                six.text_type(user.pk) + six.text_type(timestamp) +
                six.text_type(user.is_active)
        )
account_activation_token = TokenGenerator()
passord_reset_token = PasswordTokenGenerator()

Reset Password Template

{% extends "website/header.html" %}

{% block title %}Enter new password{% endblock %}

{% block content %}

{% if validlink %}
<h1>Set a new password!</h1>
<form method="POST">
    {% csrf_token %}
    <div class="form-group">
        Password: <input type="text" class="form-control" name='password1' placeholder="password" value=""/>
    </div>
    <div class="form-group">
        Repeat Password: <input type="text" class="form-control" name='password2' placeholder="confirm" value=""/>
    </div>
    <input type="submit" value="Change my password">
</form>

{% else %}
{{ result }}
{% endif %}

{% endblock %}```

Alasdair Alasdair · Accepted Answer · 2019-11-05T11:18:59

Firstly, Django comes with views to reset passwords. I suggest you use them rather than writing your own.

Your hash only varies with the user's pk and is_active field, and these do not change after the user has reset their password.

    return (
            six.text_type(user.pk) + six.text_type(timestamp) +
            six.text_type(user.is_active)
    )

Django solves the problem by including the user's password and last_login in the hash, so that it changes after the password has been reset.

Password Reset activation Link

1 Answers