Flask-Login Password Reset - flask

I'm using the flask-login library, and I haven't been able to find any good tutorials or documentation on how to go about allowing a user to reset their password through an email. What direction/resources can I look at on how to do this? A thorough google search didn't reveal anything useful.

Base logic:
Create a reset-password form with an email field.
When the user submits the form, you should:
  check that this email exists in the database
  generate an indistinguishable, cryptographically random secret key (below just "secret key")
  store this key, the current timestamp and the user identifier in a cache or database
  send it to the user by email or SMS
When the user applies the secret key (for example via a URL or a special form), you should:
  validate it (exists, not expired, not used before)
  get the user identifier
  delete the current secret key or mark it as used
  provide the logic to enter/generate a new password.
The logic to enter/generate a password can differ:
  log the user in and show a form to enter a new password (a one-time login key)
  show a form to enter the password, then log in if valid
  generate a new password and send it to the user's email
  generate a new secret key for the form to enter a new password and send it to the user's email
  generate a new secret key to approve the form, send it via SMS, show a form to enter the new password and the approval secret key, then log in if valid
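The token store and the two steps (issue on form submit, validate on link click) from the answer above, as an added example that is not from the original post or from flask-login. It assumes an in-memory dict in place of the database, a 15-minute expiry that the answer does not specify, and leaves the email/SMS sending out; the lookup by email returns a uniform result for unknown addresses so the form does not reveal which emails are registered.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry window; the answer leaves it open

# Constructed sample user table: email -> user id (stands in for the real database).
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# Reset-token store: sha256(token) -> {"user_id", "created", "used"}.
# Only the hash is stored, so a leaked table does not yield usable reset links.
RESET_TOKENS = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now=None):
    """Form submit: check the email, mint a random secret key, store it with a timestamp.

    Returns the raw token (the part to email) or None when the email is unknown.
    The HTTP handler should answer identically in both cases.
    """
    now = time.time() if now is None else now
    user_id = USERS.get(email.strip().lower())
    if user_id is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[_digest(token)] = {"user_id": user_id, "created": now, "used": False}
    return token


def redeem_reset(token: str, now=None):
    """Link click: validate (exists, not expired, not used), mark used, return the user id."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(_digest(token))
    if entry is None or entry["used"]:
        return None
    if now - entry["created"] > TOKEN_TTL_SECONDS:
        return None
    entry["used"] = True  # single use: a replayed or forwarded link is refused
    return entry["user_id"]
```

After `redeem_reset` returns a user id, the view shows the new-password form (or logs the user in) as in the last list above.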

flask-login doesn't take care of reset password emails and other such things. It's just there to manage sessions and cookies.
You should use Flask-Security which adds password reset functionality and other common security related features to flask. Flask-Security uses flask-login to handle sessions, but adds other features on top to round out the security features:
Email Confirmation
If desired you can require that new users confirm their email address.
Flask-Security will send an email message to any new users with a
confirmation link. Upon navigating to the confirmation link, the user
will be automatically logged in. There is also a view for resending a
confirmation link to a given email if the user happens to try to use
an expired token or has lost the previous email. Confirmation links
can be configured to expire after a specified amount of time.
Password Reset/Recovery
Password reset and recovery is available for when a user forgets his
or her password. Flask-Security sends an email to the user with a link
to a view which they can reset their password. Once the password is
reset they are automatically logged in and can use the new password
from then on. Password reset links can be configured to expire after a
specified amount of time.
User Registration
Flask-Security comes packaged with a basic user registration view.
This view is very simple and new users need only supply an email
address and their password. This view can be overrided[sic] if your
registration process requires more fields.

Flask-Login only provides user session management for Flask. It handles the common tasks of logging in, logging out, and remembering your users' sessions over extended periods of time, but not reset password, change password, email confirmation, etc.
Flask-Security was the best and easiest option for doing these. It pretty much handles everything, but it is not actively maintained.
Note
This project is not maintained anymore. Consider the
Flask-Security-Too project as an alternative. -- From the flask-security
GitHub repo
So I recommend the Flask-Security-Too library, which is an improved version and actively maintained. It also has many more features like 2FA auth, Unified Sign-In, etc.
You can install it using pip
pip install flask-security-too flask-sqlalchemy
and import libraries like
from flask_security import current_user, login_required
There are some complete (but simple) examples available in the examples directory of the Flask-Security repo.
Documentation : https://flask-security-too.readthedocs.io/en/stable/index.html

Related

Implement email verification during sign-up process

I need to validate user's email before allowing them to proceed with account creation.
What will be the best way of doing so in Django?
I was thinking of sending cookies with UUID which will be used during registration.
email_validation_DB:
UUID | Email | Confirmation Code | is_verified
Then, when the user clicks on register, the UUID will be used to get the verified email address from email_validation_DB and proceed with account creation.
Instead of allowing only users with verified emails to proceed, I would suggest that you allow any user to register but activate their account only after they verify their email.
What you can do is create a hash token and send the email with the hash token and a link. When the user clicks on the link, you can verify the token and activate the account. Here is a good tutorial about this - https://www.javatpoint.com/django-user-registration-with-email-confirmation
Alternatively, you can use a python package. Here is a good one - https://github.com/LeoneBacciu/django-email-verification. You can also use this package to add additional functionalities around email sending like forgot password etc.

How to verify users email with token generator link for signup in django webapp

I am doing a web app in Django. I tried hard to create a TokenGenerator for verifying the user's email to activate the user's account.
Coming to the problem:
how to send the verification email to the user's account during
signup. During signup, users can receive a verification link email
with a token generator.
The user has to input the password at the time of account signup.
After verifying the email, the user can log in to the respective page via their mail id and password.
While logging in it should check whether the email is present in the DB
(the DB will be updated with user emails).
For the first question, Django has built-in functions and classes for sending emails; you can check them here: https://docs.djangoproject.com/en/3.2/topics/email/ and this post will help you send an email: https://dev.to/yash2115/how-to-send-e-mail-in-django-37ge, and if you want to send an email on any user's sign up you have to use signals; check it here: https://docs.djangoproject.com/en/3.2/ref/signals/
The other questions are all related and they are pre-built in Django; these links will help you: https://learndjango.com/tutorials/django-login-and-logout-tutorial
https://developer.mozilla.org/en-US/docs/Learn/Server-side/Django/Authentication
repositories which may help:
https://github.com/shoukreytom/pdfstack
https://github.com/shoukreytom/notes
https://github.com/shoukreytom/blog (advanced - apis)
https://github.com/mitchtabian/Food2Fork

Invalid email in Django Password Reset

I am implementing Django Password Reset to send a recovery password link when the user types his/her email id using django.contrib.auth.urls, which works perfectly.
This is from Django Documentation,
If the email address provided does not exist in the system, the user is inactive, or has an unusable password, the user will still be redirected to this view but no email will be sent.
My question is,
If I add something like EmailValidation to check whether the email the user typed exists in the database or not and raise a ValidationError, will that be a security problem?
Obviously, because it will allow a hacker to run brute force to guess emails. And if the password strength of the user is not strong enough, he might use brute force or guesses to force a login (if there are no other security methods). I would suggest putting a captcha on the reset page as well, to prevent bots on the reset password page.

How to generate and mail the permanent password in Drupal 8?

It is necessary, when the user registers, to automatically generate a permanent password for them, which can be used. Then send it to the email address indicated when registering.
Emailing a user password after initial registration can be done, but by default Drupal makes this process hard since emailing passwords is a poor security practice. Instead Drupal emails a password reset link that allows the user to log in and change the password just after registration.
That said, you could override that behavior by creating a custom module that implements hook_entity_presave(), changes the password and triggers an email before the new user entity is saved.

Devise: Don't redirect on password reset if already logged in

If a user is already logged in and clicks on a password reset link from their email, they automatically get redirected to the logged in area. I want the user to be able to reset their password, logged in or not. How do I prevent the redirect?
What you are trying to do is use the Devise Recoverable module to change a logged-in user's password. This is not what the Recoverable module was built for.
As per carlosantoniodasilva, a collaborator of Devise:
This feature is for recovering passwords, not for signed-in users to
change their passwords. If you want that, you can use the Registerable
module or handle it by yourself.
The Registerable module handles signing up users through a registration process, also allowing them to edit and destroy their account.