serializers fails to sanitize the email in the ResetPasswordRequestToken view
JoueBien opened this issue · comments
The route
`/rest-auth/password_reset/`
is able to accept malformed emails. The sanitization doesn't strip leading or trailing spaces. This, along with
`DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE = True`,
means that users can end up stuck without getting a reset email even if they entered a seemingly valid email.
The change I would suggest is with ResetPasswordRequestToken@POST:
```python
# this
email = serializer.validated_data['email']
# should probably be this
email = serializer.validated_data['email'].strip()
```
There probably should be a regression test added to your test suite as well.
Thanks for the detailed description 👍. This is indeed something that can cause problems.
We intend to go ahead and use a custom lookup field (#93) in future, so we don't necessarily stick to email.
What I would suggest instead is to add an additional configuration:
`DJANGO_REST_PASSWORDRESET_STRIP_LOOKUP_FIELD_INPUT = True`
By defaulting it to `False` we should avoid any regressions. What do you think?
Yeah, I think that will work well along with keeping things with the existing default so we don't unexpectedly change the behaviour when people start a new project or run a deployment.
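The failure mode reported above (whitespace-padded address accepted, exact lookup misses, and the no-information-leakage response hides the miss) and the opt-in strip setting proposed in the reply, modelled together as an added, self-contained example. This is not django-rest-passwordreset's own code: the two setting names are taken from the thread, while the user table, the tolerant address regex, the `validate`/`request_reset` functions and the response bodies are constructed stand-ins for the serializer and the `ResetPasswordRequestToken` POST handler.

```python
import re

# Tolerant address check standing in for the serializer's validation. It is
# deliberately written so that surrounding whitespace passes, because the
# report's point is that the request is accepted and only the lookup fails.
_EMAIL_RE = re.compile(r"^\s*[^@\s]+@[^@\s]+\.[^@\s]+\s*$")

# Constructed user table keyed by the stored (already clean) address.
USERS = {"alice@example.com": {"id": 1, "is_active": True}}

# Setting names from the thread; defaults follow the maintainer's proposal
# (no stripping unless the project opts in).
DEFAULT_SETTINGS = {
    "DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE": True,
    "DJANGO_REST_PASSWORDRESET_STRIP_LOOKUP_FIELD_INPUT": False,
}


def validate(raw):
    """Serializer stand-in: return validated_data['email'] or raise."""
    if not isinstance(raw, str) or not _EMAIL_RE.match(raw):
        raise ValueError("Enter a valid email address.")
    return raw  # no strip() here, matching the behaviour reported


def request_reset(raw, settings=None, outbox=None):
    """Model of the ResetPasswordRequestToken POST handler.

    Returns (status_code, body). Any address a reset mail would be sent to is
    appended to `outbox`, so a caller can tell whether the user really got one.
    """
    settings = {**DEFAULT_SETTINGS, **(settings or {})}
    outbox = [] if outbox is None else outbox
    try:
        email = validate(raw)
    except ValueError as exc:
        return 400, {"email": [str(exc)]}

    # The opt-in behaviour proposed in the reply: strip only when configured.
    if settings["DJANGO_REST_PASSWORDRESET_STRIP_LOOKUP_FIELD_INPUT"]:
        email = email.strip()

    # Exact-match lookup (a simplification): " alice@example.com " is not
    # "alice@example.com", so the padded request finds nobody.
    user = USERS.get(email)
    if user is not None and user["is_active"]:
        outbox.append(email)
        return 200, {"status": "OK"}

    if settings["DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE"]:
        # Same answer whether or not the address exists: the user cannot see
        # that the spaces, not a missing account, are why nothing arrives.
        return 200, {"status": "OK"}
    return 400, {"email": ["no active user for this address"]}


if __name__ == "__main__":
    sent = []
    print(request_reset(" alice@example.com ", outbox=sent), sent)  # 200 but nothing sent
    sent = []
    opt_in = {"DJANGO_REST_PASSWORDRESET_STRIP_LOOKUP_FIELD_INPUT": True}
    print(request_reset(" alice@example.com ", opt_in, sent), sent)  # 200 and mail sent
```

Running it shows the two cases side by side: with the defaults the padded address gets the same 200 as a real hit while `outbox` stays empty, which is exactly the silent dead end the issue describes; with the strip setting enabled the same input sends the mail. Disabling the leakage setting instead turns the miss into a 400, which is more honest to the user but reintroduces the account-enumeration leak the setting exists to prevent, so stripping is the better fix.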