Django REST Password Reset

Common errors

• ModuleNotFoundError: No module named 'django_rest_passwordreset'

  cause The 'django_rest_passwordreset' app is not added to your Django project's INSTALLED_APPS.
  fix Add 'django_rest_passwordreset' to the `INSTALLED_APPS` list in your `settings.py` file.

• NoReverseMatch at /api/password_reset/confirm/ Reverse for 'password_reset:reset-password-confirm' not found. 'password_reset' is not a registered namespace.

  cause The django-rest-passwordreset URLs are not included in your project's `urls.py` or are included with an incorrect namespace.
  fix Ensure your project's main `urls.py` includes `path('api/password_reset/', include('django_rest_passwordreset.urls', namespace='password_reset'))` and that the namespace matches 'password_reset'.

• User is not receiving password reset emails.

  cause The signal receiver for `reset_password_token_created` has not been implemented or is not correctly registered, meaning the email sending logic is missing.
  fix Implement a Python function that uses `@receiver(reset_password_token_created)` to listen for the signal and send the password reset email. This function should contain your email sending logic. Refer to the quickstart example and ensure your `EMAIL_BACKEND` is configured in `settings.py`.

Warnings

• breaking Version 1.2.0 introduced significant breaking changes by dropping support for Python 2.7, Python 3.4, Django < 2.2, and Django REST Framework < 3.10. Ensure your project meets these minimum requirements.
  Fix: Upgrade your Python, Django, and Django REST Framework versions to meet or exceed the requirements: Python >= 3.6, Django >= 2.2, DRF >= 3.10. Then upgrade django-rest-passwordreset.
• gotcha The library does not send password reset emails by default. You MUST implement a signal receiver for `reset_password_token_created` to handle email sending.
  Fix: Create a `signals.py` file in one of your Django apps (or similar location) and register a function to listen for the `reset_password_token_created` signal. This function will be responsible for composing and sending the email with the reset token. Refer to the quickstart example.
• gotcha By default, requests to the password reset endpoint with an unknown email address will still return a 200 OK response to prevent information leakage (i.e., revealing valid user emails).
  Fix: If you require a different behavior (e.g., returning a 400 or 404 for non-existent emails), you can configure this in your Django settings using `DJANGO_REST_PASSWORDRESET_ANONYMOUS_VIEWS_RETURN_200_FOR_INVALID_USER_EMAIL = False`. Be aware of the security implications.
• gotcha Projects using UUIDs as the primary key for their User model might encounter issues in versions prior to 1.5.0.
  Fix: Upgrade to version 1.5.0 or later, which includes specific test cases and fixes to ensure compatibility with UUID primary keys for the User model.

Install

• pip install django-rest-passwordreset Install stable version

Imports

• INSTALLED_APPS

  'django_rest_passwordreset'

  Required in Django settings.py for app discovery.
• urls

  from django.urls import path, include
  
  urlpatterns = [
      path('api/password_reset/', include('django_rest_passwordreset.urls', namespace='password_reset')),
  ]

  Must be included in your project's main urls.py to expose the API endpoints.
• reset_password_token_created signal

  from django_rest_passwordreset.signals import reset_password_token_created
  from django.dispatch import receiver

  Used to send the password reset email; requires a custom receiver function.

Quickstart

To set up django-rest-passwordreset, you need to add it to your `INSTALLED_APPS`, include its URLs in your project's `urls.py`, and crucially, implement a receiver function for the `reset_password_token_created` signal to send the password reset email. Without this signal handler, no emails will be sent, and users won't receive their reset links. Replace the example URL and email content with your actual frontend reset page URL and email templates.

# settings.py
INSTALLED_APPS = [
    # ...
    'rest_framework',
    'django_rest_passwordreset',
]

# urls.py
from django.urls import path, include
from django.dispatch import receiver
from django.template.loader import render_to_string
from django.core.mail import EmailMultiAlternatives
from django_rest_passwordreset.signals import reset_password_token_created

urlpatterns = [
    # ...
    path('api/password_reset/', include('django_rest_passwordreset.urls', namespace='password_reset')),
]

# signals.py (or anywhere appropriate in your app)
@receiver(reset_password_token_created)
def password_reset_token_created(sender, instance, reset_password_token, *args, **kwargs):
    """ 
    Handles password reset tokens
    When a token is created, an e-mail needs to be sent to the user
    """
    # Example: Render HTML email content and send
    context = {
        'current_user': reset_password_token.user,
        'username': reset_password_token.user.username,
        'email': reset_password_token.user.email,
        'reset_password_url': "{}?token={}".format(
            instance.request.build_absolute_uri('/reset-password/confirm/'),
            reset_password_token.key
        )
    }

    # In a real app, you'd render a proper template
    email_html_message = render_to_string('email/user_reset_password.html', context)
    email_plaintext_message = render_to_string('email/user_reset_password.txt', context)

    msg = EmailMultiAlternatives(
        # title:
        f"Password Reset for {reset_password_token.user.username}",
        # message:
        email_plaintext_message,
        # from:
        os.environ.get('DEFAULT_FROM_EMAIL', 'noreply@example.com'), 
        # to:
        [reset_password_token.user.email]
    )
    msg.attach_alternative(email_html_message, "text/html")
    msg.send()

# Example template content for 'email/user_reset_password.html' and '.txt' would be required.
# For running this quickstart example, ensure you have an SMTP server configured for Django.