Resetting Passwords (8:41) with Kenneth Love
Users are only human and sometimes they forget or lose their passwords. We're nice developers, though, and want to provide them an easy way to reset them.
One of the best things about this "I forgot my password" workflow is something you might not think about: it's done through email, so the reset link is only useful to whoever controls the account's mailbox, and nobody can reset your password out from under you without that access. I know this isn't an uncommon feature, but it's still a nice thing to have.
If you want to know more about Django's email backends, check out the docs.
There are a lot of different workflows out there for resetting a forgotten password. Some sites make you answer security questions; the answers to these are often pretty easy to figure out through a bit of internet sleuthing, so I'd rather not do that. With two-factor auth, you could send the user a message through text or whatever, and if they have that code you could just sign them in and make them reset the password that way. This is a good solution, but sending text messages probably deserves its own course, not to mention there are a lot of user experience problems with requiring SMS. Django's default answer to forgotten passwords is a really good one: Django generates a message which gets sent to the user by email along with a URL. This message is an HMAC message, which means it's cryptographically secure and able to be verified, both for authentication and data integrity. In other words, it can be verified for who sent it and whether the contents were tampered with. Once the user clicks that link, they'll be presented with a form to enter a new password. This feature is a bit bigger than the ones I've covered so far. When you're ready for it, I'll see you in Workspaces.

Like the login view and the logout view, and all these others that we've been dealing with, Django actually already has views and URLs set up for the whole password reset workflow. Now I've tested them out, and I like them well enough except for, as you might guess, the templates that are used. For instance, let me just show you here, it's password_reset. This is basically the admin templates, and I'm not using the admin; it says "Django administration" and all that kind of stuff. I don't want these to show up to my users. Okay, so I'm just gonna replace this template.

So here inside registration I will make a new file, which is password_reset_form.html, because we're showing the password reset form. Now I happen to have the code already in my pastebin, or copied. This is the same as the login template with the exception of this little bit of text right here, and this says "Send me instructions" instead of "Log in". So feel free to read this, look at the workspace and find it; the text here doesn't really matter. So if I go and refresh this view, I now get this much more interesting one. So if I put in my email address and I hit Send me instructions, then I get this message. I get this new template, and it says the password reset was sent: "We've emailed you your instructions for setting your password." But it doesn't actually. Now this is a little quirk of Workspaces. It's saying that it sent me the password, or the email; it really didn't. If you're following along at home and you're not using Workspaces, you probably just got an error message saying that there's no email server, which there isn't, which is why this doesn't send me an email. Workspaces apparently has some sort of server that it can connect to on what it sees as being normal email ports, and it thinks that it sent the email, but it didn't. And so what I'm gonna do is make it so that it actually does give me an email. Django doesn't expect you to always be able to send emails. It doesn't always expect you to have an email server. For development it has a couple of extra email backends that it can use that make it a little easier to see what's going on. One of those just prints the emails to the console, but that's not always so easy to view. The one that I like to use when I'm doing development, and that I'm going to use right now, is the text-based or the file-based backend.

So inside of settings.py I'm gonna add EMAIL_BACKEND, which is going to be equal to django.core.mail.backends.filebased.EmailBackend. So this is a file-based email backend. And the email file path, which is where Django should store the files, is going to be os.path.join(BASE_DIR, "sent_emails"). So just two settings, that's all I need to add for this. Now, if I come back over here and I refresh this, then it says the password was resent. And let me refresh the file view here and, I don't see sent passwords. So let's try going back all the way to here and submitting this again. All right, and now I'll refresh this. There we go, sent_emails, and inside here is this file which has the date and a bunch of other stuff. And Django can't open this cuz it says .log, but let's just rename it so that it's .txt. Sorry, Django can't open it, Workspaces can't open it. But if we change it to .txt then you can see what it says. So here you can see that it's going to my teamtreehouse and we requested a password reset. So okay, cool, first though I wanna change this template and then I'll go check out this view. So this template is a new file that we're gonna make, which is password_reset_done.html. So inside of here I'm just gonna bring in a little bit of text. And I don't actually need that bootstrap3 there. So this just says email was sent, and says hey, if you have an email address then we've sent you one. So let me refresh this; there we go, check your inbox. Okay, so now let's see about the email that Django sent me. So I've already looked at it and we can see what it says, but let's actually see what happens when we go to this. A whole new thing, right? If I come to this link, this is what I get. So, again, not a fan of this template. So I'm gonna change this one as well.

So, inside of registration make a new file, and this is password_reset_confirm.html. So this is the page for confirming that you want to reset your password, and you're gonna type in your new password. Let me grab that text as well, and again bootstrap3, printing out a form and just a little bit of text, right? So, the refresh says, you know, hey, we don't know what's going on? But I need to put in this information. All right, so, Django doesn't actually know what my old password was. So, if I put in the same password again, which is "test password", Django won't know and it's just like, okay cool, good job, you changed the password. So I hit "Change it" and I'll get sent to this password reset complete template, which, as you can assume, is again not a template I'm really happy with. So, I'm gonna change this one. And this is password_reset_complete.html, because we're done with changing this template. So let me grab this HTML as well, paste that in and save it. And if I load that page again, I get "All done! Your password's been set! You should be all set to log in." Click that login link and I get to go log in, and this should still work because I haven't changed this at all. And I'm logged in, great. It's really nice of Django to provide so many of the tools we need for authentication and registration workflows. This is the best thing about using frameworks. You get to focus on the more interesting parts of being a developer and making projects, and the framework handles the more boring, repetitious bits. So now for a really important decision. Sometimes projects work great with Django's default users. You don't mind users having a username and using that to log in. You're okay with users having the default fields, and only the default fields.

Sometimes, though, you want users to have special fields or information, or you want them to log in with just an email address and not a username. Thankfully, Django's authentication tools are flexible and let you create users just like you need them. I'll see you in the next stage to learn all about custom users.
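The video describes the reset link as an HMAC-based token that can be verified for authenticity and integrity but does not show what goes into it. The block below is an added, self-contained Python example (not Django's code and not from the course) that reproduces the shape of Django's reset token: a timestamp plus a keyed MAC over the user's primary key, current password hash, last-login time and email, checked with a constant-time comparison and an expiry window. Binding the password hash is what makes the link single-use: once the password is changed, the same link no longer verifies. The `User` class, `SECRET_KEY` value, hashing stand-in and `TOKEN_TIMEOUT` are all constructed assumptions so the example runs offline; in a real project the server-side secret is Django's `SECRET_KEY` and the generator lives in `django.contrib.auth.tokens`.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed server-side secret that keys the MAC. Constructed for this example only;
# in Django this role is played by settings.SECRET_KEY.
SECRET_KEY = b"constructed-secret-key-for-the-example-only"

# Assumed link lifetime (three days), mirroring a typical reset timeout.
TOKEN_TIMEOUT = 3 * 24 * 60 * 60


@dataclass
class User:
    """Minimal stand-in for a user record; only the fields the token binds."""
    pk: int
    email: str
    password_hash: str   # whatever the password hasher stored
    last_login: int      # unix timestamp, 0 if the user never logged in

    def set_password(self, raw: str) -> None:
        # Stand-in for a real password hasher: a random-salted SHA-256.
        # A fresh salt means the stored hash changes on every reset, even
        # if the user picks the same password again.
        salt = secrets.token_hex(8)
        digest = hashlib.sha256((salt + raw).encode()).hexdigest()
        self.password_hash = f"sha256${salt}${digest}"


def _hash_value(user: User, timestamp: int) -> str:
    """Data the MAC covers. Including password_hash and last_login ties the
    token to the account's current state, so it dies when either changes."""
    return f"{user.pk}{user.password_hash}{user.last_login}{timestamp}{user.email}"


def _mac(user: User, timestamp: int) -> str:
    return hmac.new(SECRET_KEY, _hash_value(user, timestamp).encode(),
                    hashlib.sha256).hexdigest()


def make_token(user: User, now: Optional[int] = None) -> str:
    """Produce '<hex timestamp>-<hex mac>' for the reset link."""
    ts = int(time.time()) if now is None else now
    # The timestamp travels with the MAC so the checker can recompute it
    # and enforce expiry; it is covered by the MAC, so it can't be altered.
    return f"{ts:x}-{_mac(user, ts)}"


def check_token(user: User, token: str, now: Optional[int] = None) -> bool:
    """Recompute the MAC for this user and timestamp; reject on any mismatch,
    malformed input, or a timestamp outside the allowed window."""
    current = int(time.time()) if now is None else now
    try:
        ts_hex, mac = token.split("-", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(_mac(user, ts), mac):
        return False
    return 0 <= current - ts <= TOKEN_TIMEOUT


def demo() -> dict:
    """Walk the token through the cases a reviewer would want checked."""
    user = User(pk=7, email="kenneth@example.com", password_hash="", last_login=0)
    user.set_password("test password")
    t0 = 1_700_000_000  # constructed issue time
    token = make_token(user, now=t0)

    # Same token presented for a different account must not verify.
    other = User(pk=8, email=user.email, password_hash=user.password_hash,
                 last_login=user.last_login)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")

    results = {
        "fresh_token_valid": check_token(user, token, now=t0 + 60),
        "tampered_token_rejected": not check_token(user, tampered, now=t0 + 60),
        "other_user_rejected": not check_token(other, token, now=t0 + 60),
        "expired_token_rejected": not check_token(user, token, now=t0 + TOKEN_TIMEOUT + 1),
        "garbage_rejected": not check_token(user, "not-a-token", now=t0 + 60),
    }
    # After the password is changed (the reset itself, or the user doing it by
    # hand), the link that was mailed out must be dead.
    user.set_password("a brand new password")
    results["reused_after_reset_rejected"] = not check_token(user, token, now=t0 + 60)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Two practical points follow from the structure. First, the MAC proves the token was minted by something holding the server secret and that none of the covered fields changed, which is the "authentication and data integrity" the video refers to; it does not by itself identify the person who clicked, so the mailbox is still the thing being trusted. Second, because `last_login` is part of the covered data, a user who simply logs in after requesting a reset also invalidates the outstanding link, which is usually what you want.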