Password reset confirmation mechanics

apps/account/migrations/0010_user_password_confirmed.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.4 on 2019-10-10 17:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('account', '0009_user_unconfirmed_email'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='password_confirmed',
+            field=models.BooleanField(default=True, verbose_name='is new password confirmed'),
+        ),
+    ]

apps/account/models.py

@@ -63,6 +63,7 @@ class User(AbstractUser):
     unconfirmed_email = models.EmailField(_('unconfirmed email'), blank=True, null=True, default=None)
     email_confirmed = models.BooleanField(_('email status'), default=False)
     newsletter = models.NullBooleanField(default=True)
+    password_confirmed = models.BooleanField(_('is new password confirmed'), default=True, null=False)
 
     EMAIL_FIELD = 'email'
     USERNAME_FIELD = 'username'
@@ -118,6 +119,10 @@ class User(AbstractUser):
         self.email_confirmed = True
         self.save()
 
+    def confirm_password(self):
+        self.password_confirmed = True
+        self.save()
+
     def approve(self):
         """Set user is_active status to True"""
         self.is_active = True
@@ -152,6 +157,11 @@ class User(AbstractUser):
         """Make a token for finish signup."""
         return password_token_generator.make_token(self)
 
+    @property
+    def confirm_password_token(self):
+        """Make a token for new password confirmation """
+        return GMTokenGenerator(purpose=GMTokenGenerator.CONFIRM_PASSWORD).make_token(self)
+
     @property
     def get_user_uidb64(self):
         """Get base64 value for user by primary key identifier"""
@@ -181,6 +191,16 @@ class User(AbstractUser):
             template_name=settings.RESETTING_TOKEN_TEMPLATE,
             context=context)
 
+    def confirm_password_template(self, country_code):
+        """Get confirm password template"""
+        context = {'token': self.confirm_password_token,
+                   'country_code': country_code}
+        context.update(self.base_template)
+        return render_to_string(
+            template_name=settings.CONFIRM_PASSWORD_TEMPLATE,
+            context=context,
+        )
+
     def confirm_email_template(self, country_code):
         """Get confirm email template"""
         context = {'token': self.confirm_email_token,

apps/account/serializers/web.py

@@ -1,8 +1,10 @@
 """Serializers for account web"""
 from django.contrib.auth import password_validation as password_validators
+from django.conf import settings
 from rest_framework import serializers
 
 from account import models
+from account import tasks
 from utils import exceptions as utils_exceptions
 from utils.methods import username_validator
 
@@ -67,5 +69,16 @@ class PasswordResetConfirmSerializer(serializers.ModelSerializer):
         """Override update method"""
         # Update user password from instance
         instance.set_password(validated_data.get('password'))
+        instance.password_confirmed = False
         instance.save()
+        if settings.USE_CELERY:
+            tasks.send_reset_password_confirm.delay(
+                user_id=instance,
+                country_code=self.context.get('request').country_code,
+            )
+        else:
+            tasks.send_reset_password_confirm(
+                user_id=instance,
+                country_code=self.context.get('request').country_code,
+            )
         return instance

apps/account/tasks.py

@@ -22,6 +22,17 @@ def send_reset_password_email(user_id, country_code):
                      f'DETAIL: Exception occurred for reset password: '
                      f'{user_id}')
 
+@shared_task
+def send_reset_password_confirm(user: models.User, country_code):
+    """ Send email to user for applying new password. """
+    try:
+        user.send_email(subject=_('New password confirmation'),
+                        message=user.confirm_password_template(country_code))
+    except:
+        logger.error(f'METHOD_NAME: {send_reset_password_confirm.__name__}\n'
+                     f'DETAIL: Exception occured for new passwordconfirmation',
+                     f'{user.id}')
+
 
 @shared_task
 def confirm_new_email_address(user_id, country_code):

apps/account/urls/common.py

@@ -8,6 +8,7 @@ app_name = 'account'
 urlpatterns = [
     path('user/', views.UserRetrieveUpdateView.as_view(), name='user-retrieve-update'),
     path('change-password/', views.ChangePasswordView.as_view(), name='change-password'),
+    path('change-password-confirm/<uuid64>/<token>/', views.ConfirmPasswordView.as_view(), name='change-password'),
     path('email/confirm/', views.SendConfirmationEmailView.as_view(), name='send-confirm-email'),
     path('email/confirm/<uidb64>/<token>/', views.ConfirmEmailView.as_view(), name='confirm-email'),
 ]

apps/account/views/common.py

@@ -91,6 +91,32 @@ class ConfirmEmailView(JWTGenericViewMixin):
         else:
             raise utils_exceptions.UserNotFoundError()
 
+class ConfirmPasswordView(JWTGenericViewMixin):
+    """View for applying newly set password"""
+
+    permission_classes = (permissions.AllowAny,)
+
+    def get(self, request, *args, **kwargs):
+        uidb64 = kwargs.get('uidb64')
+        token = kwargs.get('token')
+        uid = force_text(urlsafe_base64_decode(uidb64))
+        user_qs = models.User.objects.filter(pk=uid)
+        if user_qs.exists():
+            user = user_qs.first()
+            if not GMTokenGenerator(GMTokenGenerator.CONFIRM_PASSWORD).check_token(
+                    user, token):
+                raise utils_exceptions.NotValidTokenError()
+            user.confirm_password()
+            tokens = user.create_jwt_tokens()
+            return self._put_cookies_in_response(
+                cookies=self._put_data_in_cookies(
+                    access_token=tokens.get('access_token'),
+                    refresh_token=tokens.get('refresh_token')),
+                response=Response(status=status.HTTP_200_OK))
+        else:
+            raise utils_exceptions.UserNotFoundError()
+
+
 
 # Firebase Cloud Messaging
 class FCMDeviceViewSet(generics.GenericAPIView):

apps/authorization/serializers/common.py

@@ -108,8 +108,8 @@ class LoginByUsernameOrEmailSerializer(SourceSerializerMixin,
         """Override validate method"""
         username_or_email = attrs.pop('username_or_email')
         password = attrs.pop('password')
-        user_qs = account_models.User.objects.filter(Q(username=username_or_email) |
+        user_qs = account_models.User.objects.filter(password_confirmed=True)\
-                                                     Q(email=username_or_email))
+            .filter(Q(username=username_or_email) | Q(email=username_or_email))
         if not user_qs.exists():
             raise utils_exceptions.WrongAuthCredentials()
         else:

apps/utils/models.py

@@ -258,12 +258,14 @@ class GMTokenGenerator(PasswordResetTokenGenerator):
     RESET_PASSWORD = 1
     CHANGE_PASSWORD = 2
     CONFIRM_EMAIL = 3
+    CONFIRM_PASSWORD = 4
 
     TOKEN_CHOICES = (
         CHANGE_EMAIL,
         RESET_PASSWORD,
         CHANGE_PASSWORD,
-        CONFIRM_EMAIL
+        CONFIRM_EMAIL,
+        CONFIRM_PASSWORD,
     )
 
     def __init__(self, purpose: int):
@@ -279,7 +281,8 @@ class GMTokenGenerator(PasswordResetTokenGenerator):
                 self.purpose == self.CONFIRM_EMAIL:
             fields.extend([str(user.email_confirmed), str(user.email)])
         elif self.purpose == self.RESET_PASSWORD or \
-                self.purpose == self.CHANGE_PASSWORD:
+                self.purpose == self.CHANGE_PASSWORD or \
+                    self.purpose == self.CONFIRM_PASSWORD:
             fields.append(str(user.password))
         return fields
 

project/settings/base.py

@@ -405,6 +405,7 @@ PASSWORD_RESET_TIMEOUT_DAYS = 1
 # TEMPLATES
 RESETTING_TOKEN_TEMPLATE = 'account/password_reset_email.html'
 CHANGE_EMAIL_TEMPLATE = 'account/change_email.html'
+CONFIRM_PASSWORD_TEMPLATE = 'account/password_confirm_email.html'
 CONFIRM_EMAIL_TEMPLATE = 'authorization/confirm_email.html'
 NEWS_EMAIL_TEMPLATE = "news/news_email.html"
 

project/templates/account/password_confirm_email.html

@@ -0,0 +1,11 @@
+{% load i18n %}{% autoescape off %}
+{% blocktrans %}Confirm a password reset for your user account at {{ site_name }}.{% endblocktrans %}
+
+{% trans "Please go to the following page:" %}
+
+https://{{ country_code }}.{{ domain_uri }}/confirm-new-password/{{ uidb64 }}/{{ token }}/
+
+{% trans "Thanks for using our site!" %}
+
+{% blocktrans %}The {{ site_name }} team{% endblocktrans %}
+{% endautoescape %}