Merge pull request #54 from stan-sack/always_return_200

anx-ckreuzberger · web-flow · commit 2d4aaf6f35e4 · 2019-07-29T13:29:09.000+02:00
Implement DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE setting
diff --git a/README.md b/README.md
@@ -65,6 +65,9 @@ The following settings can be set in Djangos ``settings.py`` file:
 
   **Please note**: expired tokens are automatically cleared based on this setting in every call of ``ResetPasswordRequestToken.post``.
 
+* `DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE` - will cause a 200 to be returned on `POST ${API_URL}/reset_password/`
+  even if the user doesn't exist in the databse (Default: False) 
+
 * `DJANGO_REST_MULTITOKENAUTH_REQUIRE_USABLE_PASSWORD` - allows password reset for a user that does not 
   [have a usable password](https://docs.djangoproject.com/en/2.2/ref/contrib/auth/#django.contrib.auth.models.User.has_usable_password) (Default: True)
  
diff --git a/django_rest_passwordreset/views.py b/django_rest_passwordreset/views.py
@@ -118,7 +118,8 @@ def post(self, request, *args, **kwargs):
                 active_user_found = True
 
         # No active user found, raise a validation error
-        if not active_user_found:
+        # but not if DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE == True
+        if not active_user_found and not getattr(settings, 'DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE', False):
             raise exceptions.ValidationError({
                 'email': [_(
                     "There is no active user associated with this e-mail address or the password can not be changed")],
diff --git a/tests/test/test_auth_test_case.py b/tests/test/test_auth_test_case.py
@@ -227,6 +227,14 @@ def test_signals(self,
         self.assertTrue(mock_post_password_reset.called)
         self.assertTrue(mock_pre_password_reset.called)
 
+    @override_settings(DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE=True)
+    def test_try_reset_password_email_does_not_exist_no_leakage_enabled(self):
+        """ 
+        Tests requesting a token for an email that does not exist when
+        DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE == True
+        """ 
+        response = self.rest_do_request_reset_token(email="foobar@doesnotexist.com")
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
     def test_user_without_password(self):
         """ Tests requesting a token for an email without a password doesn't work"""
         response = self.rest_do_request_reset_token(email="user4@mail.com")
