import warnings from urllib.parse import urlparse, urlunparse from django.conf import settings # Avoid shadowing the login() and logout() views below. from django.contrib.auth import REDIRECT_FIELD_NAME, get_user_model from django.contrib.auth import login as auth_login from django.contrib.auth import logout as auth_logout from django.contrib.auth import update_session_auth_hash from django.contrib.auth.decorators import login_required from django.contrib.auth.forms import ( AuthenticationForm, PasswordChangeForm, PasswordResetForm, SetPasswordForm, ) from django.contrib.auth.tokens import default_token_generator from django.contrib.sites.shortcuts import get_current_site from django.core.exceptions import ImproperlyConfigured, ValidationError from django.http import HttpResponseRedirect, QueryDict from django.shortcuts import resolve_url from django.urls import reverse_lazy from django.utils.decorators import method_decorator from django.utils.deprecation import RemovedInDjango50Warning from django.utils.http import url_has_allowed_host_and_scheme, urlsafe_base64_decode from django.utils.translation import gettext_lazy as _ from django.views.decorators.cache import never_cache from django.views.decorators.csrf import csrf_protect from django.views.decorators.debug import sensitive_post_parameters from django.views.generic.base import TemplateView from django.views.generic.edit import FormView UserModel = get_user_model() class RedirectURLMixin: next_page = None redirect_field_name = REDIRECT_FIELD_NAME success_url_allowed_hosts = set() def get_success_url(self): return self.get_redirect_url() or self.get_default_redirect_url() def get_redirect_url(self): """Return the user-originating redirect URL if it's safe.""" redirect_to = self.request.POST.get( self.redirect_field_name, self.request.GET.get(self.redirect_field_name) ) url_is_safe = url_has_allowed_host_and_scheme( url=redirect_to, allowed_hosts=self.get_success_url_allowed_hosts(), require_https=self.request.is_secure(), ) return redirect_to if url_is_safe else "" def get_success_url_allowed_hosts(self): return {self.request.get_host(), *self.success_url_allowed_hosts} def get_default_redirect_url(self): """Return the default redirect URL.""" if self.next_page: return resolve_url(self.next_page) raise ImproperlyConfigured("No URL to redirect to. Provide a next_page.") class LoginView(RedirectURLMixin, FormView): """ Display the login form and handle the login action. """ form_class = AuthenticationForm authentication_form = None template_name = "registration/login.html" redirect_authenticated_user = False extra_context = None @method_decorator(sensitive_post_parameters()) @method_decorator(csrf_protect) @method_decorator(never_cache) def dispatch(self, request, *args, **kwargs): if self.redirect_authenticated_user and self.request.user.is_authenticated: redirect_to = self.get_success_url() if redirect_to == self.request.path: raise ValueError( "Redirection loop for authenticated user detected. Check that " "your LOGIN_REDIRECT_URL doesn't point to a login page." ) return HttpResponseRedirect(redirect_to) return super().dispatch(request, *args, **kwargs) def get_default_redirect_url(self): """Return the default redirect URL.""" if self.next_page: return resolve_url(self.next_page) else: return resolve_url(settings.LOGIN_REDIRECT_URL) def get_form_class(self): return self.authentication_form or self.form_class def get_form_kwargs(self): kwargs = super().get_form_kwargs() kwargs["request"] = self.request return kwargs def form_valid(self, form): """Security check complete. Log the user in.""" auth_login(self.request, form.get_user()) return HttpResponseRedirect(self.get_success_url()) def get_context_data(self, **kwargs): context = super().get_context_data(**kwargs) current_site = get_current_site(self.request) context.update( { self.redirect_field_name: self.get_redirect_url(), "site": current_site, "site_name": current_site.name, **(self.extra_context or {}), } ) return context class LogoutView(RedirectURLMixin, TemplateView): """ Log out the user and display the 'You are logged out' message. """ # RemovedInDjango50Warning: when the deprecation ends, remove "get" and # "head" from http_method_names. http_method_names = ["get", "head", "post", "options"] template_name = "registration/logged_out.html" extra_context = None # RemovedInDjango50Warning: when the deprecation ends, move # @method_decorator(csrf_protect) from post() to dispatch(). @method_decorator(never_cache) def dispatch(self, request, *args, **kwargs): if request.method.lower() == "get": warnings.warn( "Log out via GET requests is deprecated and will be removed in Django " "5.0. Use POST requests for logging out.", RemovedInDjango50Warning, ) return super().dispatch(request, *args, **kwargs) @method_decorator(csrf_protect) def post(self, request, *args, **kwargs): """Logout may be done via POST.""" auth_logout(request) redirect_to = self.get_success_url() if redirect_to != request.get_full_path(): # Redirect to target page once the session has been cleared. return HttpResponseRedirect(redirect_to) return super().get(request, *args, **kwargs) # RemovedInDjango50Warning. get = post def get_default_redirect_url(self): """Return the default redirect URL.""" if self.next_page: return resolve_url(self.next_page) elif settings.LOGOUT_REDIRECT_URL: return resolve_url(settings.LOGOUT_REDIRECT_URL) else: return self.request.path def get_context_data(self, **kwargs): context = super().get_context_data(**kwargs) current_site = get_current_site(self.request) context.update( { "site": current_site, "site_name": current_site.name, "title": _("Logged out"), "subtitle": None, **(self.extra_context or {}), } ) return context def logout_then_login(request, login_url=None): """ Log out the user if they are logged in. Then redirect to the login page. """ login_url = resolve_url(login_url or settings.LOGIN_URL) return LogoutView.as_view(next_page=login_url)(request) def redirect_to_login(next, login_url=None, redirect_field_name=REDIRECT_FIELD_NAME): """ Redirect the user to the login page, passing the given 'next' page. """ resolved_url = resolve_url(login_url or settings.LOGIN_URL) login_url_parts = list(urlparse(resolved_url)) if redirect_field_name: querystring = QueryDict(login_url_parts[4], mutable=True) querystring[redirect_field_name] = next login_url_parts[4] = querystring.urlencode(safe="/") return HttpResponseRedirect(urlunparse(login_url_parts)) # Class-based password reset views # - PasswordResetView sends the mail # - PasswordResetDoneView shows a success message for the above # - PasswordResetConfirmView checks the link the user clicked and # prompts for a new password # - PasswordResetCompleteView shows a success message for the above class PasswordContextMixin: extra_context = None def get_context_data(self, **kwargs): context = super().get_context_data(**kwargs) context.update( {"title": self.title, "subtitle": None, **(self.extra_context or {})} ) return context class PasswordResetView(PasswordContextMixin, FormView): email_template_name = "registration/password_reset_email.html" extra_email_context = None form_class = PasswordResetForm from_email = None html_email_template_name = None subject_template_name = "registration/password_reset_subject.txt" success_url = reverse_lazy("password_reset_done") template_name = "registration/password_reset_form.html" title = _("Password reset") token_generator = default_token_generator @method_decorator(csrf_protect) def dispatch(self, *args, **kwargs): return super().dispatch(*args, **kwargs) def form_valid(self, form): opts = { "use_https": self.request.is_secure(), "token_generator": self.token_generator, "from_email": self.from_email, "email_template_name": self.email_template_name, "subject_template_name": self.subject_template_name, "request": self.request, "html_email_template_name": self.html_email_template_name, "extra_email_context": self.extra_email_context, } form.save(**opts) return super().form_valid(form) INTERNAL_RESET_SESSION_TOKEN = "_password_reset_token" class PasswordResetDoneView(PasswordContextMixin, TemplateView): template_name = "registration/password_reset_done.html" title = _("Password reset sent") class PasswordResetConfirmView(PasswordContextMixin, FormView): form_class = SetPasswordForm post_reset_login = False post_reset_login_backend = None reset_url_token = "set-password" success_url = reverse_lazy("password_reset_complete") template_name = "registration/password_reset_confirm.html" title = _("Enter new password") token_generator = default_token_generator @method_decorator(sensitive_post_parameters()) @method_decorator(never_cache) def dispatch(self, *args, **kwargs): if "uidb64" not in kwargs or "token" not in kwargs: raise ImproperlyConfigured( "The URL path must contain 'uidb64' and 'token' parameters." ) self.validlink = False self.user = self.get_user(kwargs["uidb64"]) if self.user is not None: token = kwargs["token"] if token == self.reset_url_token: session_token = self.request.session.get(INTERNAL_RESET_SESSION_TOKEN) if self.token_generator.check_token(self.user, session_token): # If the token is valid, display the password reset form. self.validlink = True return super().dispatch(*args, **kwargs) else: if self.token_generator.check_token(self.user, token): # Store the token in the session and redirect to the # password reset form at a URL without the token. That # avoids the possibility of leaking the token in the # HTTP Referer header. self.request.session[INTERNAL_RESET_SESSION_TOKEN] = token redirect_url = self.request.path.replace( token, self.reset_url_token ) return HttpResponseRedirect(redirect_url) # Display the "Password reset unsuccessful" page. return self.render_to_response(self.get_context_data()) def get_user(self, uidb64): try: # urlsafe_base64_decode() decodes to bytestring uid = urlsafe_base64_decode(uidb64).decode() user = UserModel._default_manager.get(pk=uid) except ( TypeError, ValueError, OverflowError, UserModel.DoesNotExist, ValidationError, ): user = None return user def get_form_kwargs(self): kwargs = super().get_form_kwargs() kwargs["user"] = self.user return kwargs def form_valid(self, form): user = form.save() del self.request.session[INTERNAL_RESET_SESSION_TOKEN] if self.post_reset_login: auth_login(self.request, user, self.post_reset_login_backend) return super().form_valid(form) def get_context_data(self, **kwargs): context = super().get_context_data(**kwargs) if self.validlink: context["validlink"] = True else: context.update( { "form": None, "title": _("Password reset unsuccessful"), "validlink": False, } ) return context class PasswordResetCompleteView(PasswordContextMixin, TemplateView): template_name = "registration/password_reset_complete.html" title = _("Password reset complete") def get_context_data(self, **kwargs): context = super().get_context_data(**kwargs) context["login_url"] = resolve_url(settings.LOGIN_URL) return context class PasswordChangeView(PasswordContextMixin, FormView): form_class = PasswordChangeForm success_url = reverse_lazy("password_change_done") template_name = "registration/password_change_form.html" title = _("Password change") @method_decorator(sensitive_post_parameters()) @method_decorator(csrf_protect) @method_decorator(login_required) def dispatch(self, *args, **kwargs): return super().dispatch(*args, **kwargs) def get_form_kwargs(self): kwargs = super().get_form_kwargs() kwargs["user"] = self.request.user return kwargs def form_valid(self, form): form.save() # Updating the password logs out all other sessions for the user # except the current one. update_session_auth_hash(self.request, form.user) return super().form_valid(form) class PasswordChangeDoneView(PasswordContextMixin, TemplateView): template_name = "registration/password_change_done.html" title = _("Password change successful") @method_decorator(login_required) def dispatch(self, *args, **kwargs): return super().dispatch(*args, **kwargs)