From 28e712cf4b4784522589f4678ccf0d2a26e8cbb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Va=C5=A1ek=20Dohnal?=
Date: Wed, 25 Oct 2017 15:09:44 +0200
Subject: [PATCH 1/3] Password whitespace and input in browsable API

- Do not trim password whitespace (`trim_whitespace`, see: http://www.django-rest-framework.org/api-guide/fields/#charfield)
- Mask password input (inspired by https://github.com/encode/django-rest-framework/blob/master/rest_framework/authtoken/serializers.py#L11-L12)

---
 rest_auth/registration/serializers.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rest_auth/registration/serializers.py b/rest_auth/registration/serializers.py
index c6b5d5b..ac5ad02 100644
--- a/rest_auth/registration/serializers.py
+++ b/rest_auth/registration/serializers.py
@@ -125,8 +125,8 @@ class RegisterSerializer(serializers.Serializer):
 required=allauth_settings.USERNAME_REQUIRED
 )
 email = serializers.EmailField(required=allauth_settings.EMAIL_REQUIRED)
- password1 = serializers.CharField(write_only=True)
- password2 = serializers.CharField(write_only=True)
+ password1 = serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False)
+ password2 = serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False)
 def validate_username(self, username):
 username = get_adapter().clean_username(username)

From cfe6c5b6933b5406a601707734d795cf462e81ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Va=C5=A1ek=20Dohnal?=
Date: Wed, 25 Oct 2017 15:17:01 +0200
Subject: [PATCH 2/3] Use same password fields for login and registration.

---
 rest_auth/serializers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rest_auth/serializers.py b/rest_auth/serializers.py
index c5dad7d..46cbb48 100644
--- a/rest_auth/serializers.py
+++ b/rest_auth/serializers.py
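Review bot: With `trim_whitespace=False` on the new `password1`/`password2` lines, a value consisting only of whitespace now passes the serializer's own blank check (DRF's CharField only treats `"   "` as blank while trimming is on), so whether such a password is accepted depends entirely on the password validation that runs later in this class, outside this hunk. Confirm that downstream path rejects whitespace-only input, or reject it explicitly in the field-level validator, e.g. `if not value.strip(): raise serializers.ValidationError(_('Password cannot be blank.'))` in the existing `password1` validator. The new field declarations also run well past the 79-column limit; writing the three keyword arguments one per line keeps flake8 quiet and makes the repeated trio easier to audit. RegisterSerializer starts and ends outside this hunk.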
@@ -19,7 +19,7 @@ UserModel = get_user_model()
 class LoginSerializer(serializers.Serializer):
 username = serializers.CharField(required=False, allow_blank=True)
 email = serializers.EmailField(required=False, allow_blank=True)
- password = serializers.CharField(style={'input_type': 'password'})
+ password = serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False)
 def _validate_email(self, email, password):
 user = None

From dfe3f12356db3028f18c06c3fed97e5feac275b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Va=C5=A1ek=20Dohnal?=
Date: Wed, 25 Oct 2017 15:21:53 +0200
Subject: [PATCH 3/3] Use same password fields for PasswordChangeSerializer and PasswordResetConfirmSerializer.

Thanks @sloria

---
 rest_auth/serializers.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rest_auth/serializers.py b/rest_auth/serializers.py
index 46cbb48..142c6b2 100644
--- a/rest_auth/serializers.py
+++ b/rest_auth/serializers.py
@@ -187,8 +187,8 @@ class PasswordResetConfirmSerializer(serializers.Serializer):
 """
 Serializer for requesting a password reset e-mail.
 """
- new_password1 = serializers.CharField(max_length=128)
- new_password2 = serializers.CharField(max_length=128)
+ new_password1 = serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False)
+ new_password2 = serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False)
 uid = serializers.CharField()
 token = serializers.CharField()
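Review bot: The same three keyword arguments (`write_only=True`, `style={'input_type': 'password'}`, `trim_whitespace=False`) are now spelled out by hand on every password field in this module, which is exactly the kind of repetition that drifts the next time someone adds a field or decides a length bound is needed. Define the contract once near the top of rest_auth/serializers.py and use it here: `def _password_field(**kwargs):` / `    return serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False, **kwargs)`, then `password = _password_field()` on the new line. Adding `write_only=True` to the login field is a good change in its own right — the raw password can no longer leak into a serialized response — and deserves a one-line comment saying so, since the commit message only mentions consistency. LoginSerializer continues past the end of this hunk.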
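Review bot: The new `new_password1`/`new_password2` lines silently drop the `max_length=128` bound that the removed lines carried, and neither the subject nor the body of this patch mentions that; unless something downstream caps it, an arbitrarily long attacker-chosen new password now reaches the password hasher on an unauthenticated reset-confirm request. If the intent was only masking and whitespace preservation, keep the bound: `new_password1 = serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False, max_length=128)` (and likewise for `new_password2`). Separately, the class docstring shown as context, "Serializer for requesting a password reset e-mail.", describes the reset-request serializer rather than this one, which takes `uid`, `token` and a new password; `"""Serializer for confirming a password reset: validates uid/token and the new password pair."""` would match the fields. PasswordResetConfirmSerializer continues past the end of this hunk.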
@@ -224,9 +224,9 @@ class PasswordResetConfirmSerializer(serializers.Serializer):
 class PasswordChangeSerializer(serializers.Serializer):
- old_password = serializers.CharField(max_length=128)
- new_password1 = serializers.CharField(max_length=128)
- new_password2 = serializers.CharField(max_length=128)
+ old_password = serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False)
+ new_password1 = serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False)
+ new_password2 = serializers.CharField(write_only=True, style={'input_type': 'password'}, trim_whitespace=False)
 set_password_form_class = SetPasswordForm
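Review bot: `old_password` loses its `max_length=128` on the new line, and this is the one field in the hunk that is presumably verified against the stored hash (that check lives outside the hunk), so every password-change request can now make the server run its password hasher over an input of whatever length the caller picks. The cap was cheap and the commit message gives no reason for removing it; restoring `max_length=128` on all three new lines keeps the previous behaviour while still gaining masking and `trim_whitespace=False`. Consider a short comment on `trim_whitespace=False` explaining that the stored hash was computed over the untrimmed password so the comparison must see the same bytes — that is the reason the flag matters here and it is not obvious from the line itself. The class continues past the end of this hunk, so the validator and form wiring could not be checked.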