This is the forth article in a multipart series on implementing the Django authentication system. I will continue to use the same demo survey application, referred to as Django Survey, to aid in the demonstration of authentication features.

As with the earlier tutorials of this series, I will be focusing on a specific use case common to authentication in a web application. This article features the use of email confirmation for user registration and password resets utilizing emails with token embedded reset links.

Series Contents:

The code for this series can be found on GitHub.

As a means to simplify the demonstration of using emails for registering users and resetting passwords I will be utilizing Google's Gmail because it is freely available and easy to setup. The steps to setup a Gmail account for use from a third party application is as follows.

Now over in the Django project's .env file introduced in part 3 of this series I add two new variables for the username and password I used for signing into Gmail as shown below.

Then at the bottom of the django_survey/settings.py module I use those environment variables for the following email settings as well as change the default PASSWORD_RESET_TIMEOUT_DAYS value of 3 to 2.

Updating the registration process to include a email confirmation for non-social auth users requires a unique token to be generated and only valid for a short period of time (2 days in this example). To generate a token I provide a custom implementation of the django.contrib.auth.tokens.PasswordResetTokenGenerator class provided by Django. By overriding the _make_hash_value method to include user data along with a 2 day expiry window specified in the PASSWORD_RESET_TIMEOUT_DAYS settings value I can be confident in sending an identifyable token to the user to verify their email with.

Inside a new survey/tokens.py module I place the code for the implementation of PasswordResetTokenGenerator like so.

Since I am now validating the authenticity of the newly registering user's email address I need to start collecting it in the registration page and it's form. Doing this is as simple as extending the Django UserCreationForm to include a email field which I place in a new survey/forms.py module.

Then I update the RegisterView view to use this newly created RegistrationForm for collecting user data complete with their email. The post method now generates a token used to confirm the authenticity of the provided email address plus I also invalidate the newly created user by setting the is_valid field to False. By setting the is_valid value to False if a user tries to login the system will raise a Validation error due to the use of the AuthenticationForm and it's clean method during the login processes.

As seen above I now generate a token with the previously described UserTokenGenerator class, convert the user's id to a base64 encoded string representation and, build a confirmation link which gets embedded in a email which is sent to the given email address.

In order to save the email address of newly registering users I need to add the email field to the register.html template which I show in its updated form below.

{{ form.username.errors }}

{{ form.email.errors }}

{{ form.password1.errors }}

{{ form.password2.errors }}

Below you can see the register_email.html template which bears the confirmation url.

Please click this link to confirm your email and complete registering.

{{ confirm_url }}

Next I create a class based view to handle the GET request of the link embedded in the confirmation email. I named this class ConfirmRegistrationView and it takes two url parameters, one for the string encoded user id and another for the token.

This view will decode the user id, look up the user, and validate the token. If validated the user's is_valid is flipped to true otherwise it will display a message that the token is invalid and they should reset their password to generate another confirmation token.

Below is the new ConfirmRegistrationView class.

I now need to add the confirmation url path and map it to this new view class in survey/urls.py like so.

In this section I will demonstrate how to implement a password reset feature that uses an email confirmation token containing link. Luckily Django has provided class based views and forms to make this a super simple process. For example, to implement the password reset view which is shown when a user clicks a forgot password link is as easy as providing a url path to django.contrib.auth.views.PasswordResetView and specifying a view template, a email template, a redirect url, and an instance of the token generator used earlier which I've shown below.

The next step is to add a simple reset password link to the login template which I've again shown below.

{{ message }}

{{ form.username.errors }}

{{ form.password.errors }}

Of course, now I need to provide an implementation inside the survey/reset_password.html to display an email input for the reset link. The template utilizes the django.contrib.auth.forms.PasswordResetForm form class which is the default behavior for posts back to the PasswordResetView view.

{{ form.email.errors }}

The PasswordResetView class generates a token and utilize the specified email template named reset_password_email.html (shown below) to email the user providing the reset link.

Please click the link below to result your password.

Reset password

The url referenced by the view named 'password_reset_confirm' in the above email template can now be added to the survey/urls.py module. To accomplish this I again use another default Django view class of django.contrib.auth.views.PasswordResetConfirmView and override some of the defaults as shown below.

As you can see the PasswordResetConfirmView has been assigned the reset_password_update.html template which displays a set of new password fields similar to the registration template along with the cusom implementation of the tokenizer class defined earlier. Additionally, I have specified that the user should be logged in once the password is successfully updated as well as where to redirect them to based off the LOGIN_REDIRECT_URL specified in the settings.py module. Since this project has multiple authentication backends I must explicitly tell it to use the standard ModelBackend for authentication.

The completed html template for reset_password_update.html is shown below.

{{ form.new_password1.errors }}

{{ form.new_password2.errors }}

thecodinginterface.com earns commision from sales of linked products such as the books above. This enables providing continued free tutorials and content so, thank you for supporting the authors of these resources as well as thecodinginterface.com

In this tutorial I have demonstrated how to implement a registration and password reset workflow that utilizes emails with token embedded confirmation links.  All of these implementations utilize pure Django functionality with the exception of a custom implementation of the PasswordResetTokenGenerator.

Thanks for joining along on this tour of some of the awesome authentication features that can be implemented in the Django web framework using Python.  As always, don't be shy about commenting or critiquing below.

Share with friends and colleagues

[[ likes ]] likes