Ability to switch off new password confirmation on password change endpoint

2025-07-22 13:39:45 +03:00 · 2015-09-29 13:00:23 +05:00 · 2015-09-29 13:00:23 +05:00 · b56f909002
commit b56f909002
parent d25df33a79
3 changed files with 52 additions and 0 deletions
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -34,3 +34,6 @@ Configuration


 - **OLD_PASSWORD_FIELD_ENABLED** - set it to True if you want to have old password verification on password change enpoint (default: False)
+
+
+- **NEW_PASSWORD_2_FIELD_ENABLED** - set it to False if you don't need new password confirmation (default: True)
--- a/rest_auth/serializers.py
+++ b/rest_auth/serializers.py
@ -182,11 +182,18 @@ class PasswordChangeSerializer(serializers.Serializer):
        self.old_password_field_enabled = getattr(
            settings, 'OLD_PASSWORD_FIELD_ENABLED', False
        )
+
+        self.new_password_2_field_enabled = getattr(
+            settings, 'NEW_PASSWORD_2_FIELD_ENABLED', True
+        )
        super(PasswordChangeSerializer, self).__init__(*args, **kwargs)

        if not self.old_password_field_enabled:
            self.fields.pop('old_password')

+        if not self.new_password_2_field_enabled:
+            self.fields.pop('new_password2')
+
        self.request = self.context.get('request')
        self.user = getattr(self.request, 'user', None)

@ -202,6 +209,10 @@ class PasswordChangeSerializer(serializers.Serializer):
        return value

    def validate(self, attrs):
+
+        if not self.new_password_2_field_enabled:
+            attrs['new_password2'] = attrs['new_password1']
+
        self.set_password_form = self.set_password_form_class(
            user=self.user, data=attrs
        )
--- a/rest_auth/tests.py
+++ b/rest_auth/tests.py
@ -282,6 +282,44 @@ class APITestCase1(TestCase, BaseAPITestCase):
        login_payload['password'] = new_password_payload['new_password1']
        self.post(self.login_url, data=login_payload, status_code=200)

+    @override_settings(OLD_PASSWORD_FIELD_ENABLED=True, NEW_PASSWORD_2_FIELD_ENABLED=False)
+    def test_password_change_without_confirmation(self):
+        login_payload = {
+            "username": self.USERNAME,
+            "password": self.PASS
+        }
+        get_user_model().objects.create_user(self.USERNAME, '', self.PASS)
+        self.post(self.login_url, data=login_payload, status_code=200)
+        self.token = self.response.json['key']
+
+        new_password_payload = {
+            "old_password": "%s!" % self.PASS,  # wrong password
+            "new_password1": "new_person",
+        }
+        self.post(
+            self.password_change_url,
+            data=new_password_payload,
+            status_code=400
+        )
+
+        new_password_payload = {
+            "old_password": self.PASS,
+            "new_password1": "new_person",
+        }
+
+        self.post(
+            self.password_change_url,
+            data=new_password_payload,
+            status_code=200
+        )
+
+        # user should not be able to login using old password
+        self.post(self.login_url, data=login_payload, status_code=400)
+
+        # new password should work
+        login_payload['password'] = new_password_payload['new_password1']
+        self.post(self.login_url, data=login_payload, status_code=200)
+
    def test_password_reset(self):
        user = get_user_model().objects.create_user(self.USERNAME, self.EMAIL, self.PASS)