Rest auth #79
Rest auth #79
Conversation
nopassword/backends/email.py
Outdated
|
|
||
| def send_login_code(self, code, secure=False, host=None, **kwargs): | ||
| subject = getattr(settings, 'NOPASSWORD_LOGIN_EMAIL_SUBJECT', _('Login code')) |
There was a problem hiding this comment.
Backward incompatible: Instead of a custom setting, we use a template instead (like django auth forms/views)
There was a problem hiding this comment.
Why do we want to use templates for this? Subjects can only be plain text in one line, so this feels a bit like we introduce a breaking change in configuration that is not really giving us anything?
There was a problem hiding this comment.
It would be consistent with django default auth forms: https://github.com/django/django/blob/2.1/django/contrib/auth/forms.py#L239
Also it would be consisent to also use a template for the subject, not only for the message itself.
A use case I could think of where it might be desired is to have the site name in the subject, e.g. [example.com] Login with one-time password, where the current site is dependent on the request (sites framework).
nopassword/urls.py
Outdated
| @@ -5,23 +5,10 @@ | |||
|
|
|||
| urlpatterns = [ | |||
| url( | |||
| r'^login/$', | |||
There was a problem hiding this comment.
Backward incompatible: Renamed urls to reflect view name changes.
|
@relekang Are the breaking changes acceptable in your opinion? If so, how should the they be handled?
|
|
Thanks @rubengrill, api endpoints is a good addition. I am leaving for vacation today so will review this in about two weeks, the pr is quite large so I won't manage it before I leave. Thank you for your patience ✌️ |
|
@rubengrill Thanks, I'm already using your PR for local development. |
There was a problem hiding this comment.
@rubengrill I finally got some time to look this over. Over all it looks great 👏 I left some questions and comments. Before we can merge this all the changes that have done, on configuration and usage needs to be reflected in the documentation.
Could you also reword the commits to use conventional commits?
nopassword/backends/email.py
Outdated
|
|
||
| def send_login_code(self, code, secure=False, host=None, **kwargs): | ||
| subject = getattr(settings, 'NOPASSWORD_LOGIN_EMAIL_SUBJECT', _('Login code')) |
There was a problem hiding this comment.
Why do we want to use templates for this? Subjects can only be plain text in one line, so this feels a bit like we introduce a breaking change in configuration that is not really giving us anything?
nopassword/backends/email.py
Outdated
| msg = EmailMultiAlternatives(subject, text_content, from_email, to_email) | ||
| msg.attach_alternative(html_content, 'text/html') | ||
| msg.send() | ||
| if self.html_template_name is not None: |
There was a problem hiding this comment.
What is the benefit of this change? In my opinion we should strive for an easier solution to adopt for the user than needing to extend the class. It would be perfect if the template existed then we would send the html version.
| @@ -0,0 +1,14 @@ | |||
| {% load i18n %}{% autoescape off %} | |||
There was a problem hiding this comment.
This seems like the text based email? Why does it have an html file ending?
There was a problem hiding this comment.
yes that's nonsense, I will change to be txt
requirements.txt
Outdated
| @@ -1,4 +1,4 @@ | |||
| twilio==5.4.0 | |||
| mock>=1.0 | |||
| djangorestframework<=4.0 | |||
There was a problem hiding this comment.
Shouldn't this be the same as in setup.py?
There was a problem hiding this comment.
Yes, that's right
There was a problem hiding this comment.
Hi @relekang , Thanks for your comments!
Just to be sure:
Before we can merge this all the changes that have done, on configuration and usage needs to be reflected in the documentation.
This means documenting the breaking changes and different usage is enough, it will be a new major version and there doesn't need to be code for backward compatibility?
Please check my comments to discuss the breaking changes. Afterwards I will start with integrating the feedback, changing the documentation and rewording the commits.
Thanks again for your time and feedback! :)
nopassword/backends/email.py
Outdated
|
|
||
| def send_login_code(self, code, secure=False, host=None, **kwargs): | ||
| subject = getattr(settings, 'NOPASSWORD_LOGIN_EMAIL_SUBJECT', _('Login code')) |
There was a problem hiding this comment.
It would be consistent with django default auth forms: https://github.com/django/django/blob/2.1/django/contrib/auth/forms.py#L239
Also it would be consisent to also use a template for the subject, not only for the message itself.
A use case I could think of where it might be desired is to have the site name in the subject, e.g. [example.com] Login with one-time password, where the current site is dependent on the request (sites framework).
nopassword/backends/email.py
Outdated
| msg = EmailMultiAlternatives(subject, text_content, from_email, to_email) | ||
| msg.attach_alternative(html_content, 'text/html') | ||
| msg.send() | ||
| if self.html_template_name is not None: |
There was a problem hiding this comment.
The idea was to be consistent with how django default auth form/view handles that:
https://github.com/django/django/blob/2.1/django/contrib/auth/views.py#L211
https://github.com/django/django/blob/2.1/django/contrib/auth/forms.py#L268
I don't exactly know why django does it this way but I can imagine that providing a default html email template would just be too opinonated, as you want to use html templates to include headers, logos, tables, containers, ... so any default template will have to be changed by the vendor either way.
But you are absolutely right, providing a custom backend just to use a html template seems to be too much work (I guess same applies to the django views/forms here...).
I just saw that allauth has a neat approach:
It also doesn't provide a default html template, but at least it tries to render the html template.
When there is a TemplateDoesNotExist exception, it ignores this template.
Should we use this approach, to set html_template_name with a default, but we don't provide that template and wrap rendering in a try/catch?
| @@ -0,0 +1,14 @@ | |||
| {% load i18n %}{% autoescape off %} | |||
There was a problem hiding this comment.
yes that's nonsense, I will change to be txt
requirements.txt
Outdated
| @@ -1,4 +1,4 @@ | |||
| twilio==5.4.0 | |||
| mock>=1.0 | |||
| djangorestframework<=4.0 | |||
There was a problem hiding this comment.
Yes, that's right
|
@rubengrill I have a pretty busy week, but will look into all your comments on the end of the week.
Yes, and all the breaking changes that I did not comment on in the first review I agree with fully 👍 |
|
Hi @relekang, great, then I'll wait for your final comments to start with the fixes. |
|
I think I commented on all your questions now 😊 |
|
All fixes have been addressed, except this:
I also renamed the views/forms, I'm very sorry for this confusion. |
|
The updated changes looks good to me, great work 😊 |
|
Docs are updated now, last step is rewording commits to confirm to conventional commits, I'll do this after the docs are approved as well, as I don't know how rebasing will affect the comments in this PR and might make review harder. I will also add some new issues we should address before releasing a new version. |
|
The changes looks good 👍 Missed this earlier why did the test setup change to sqlite? |
nopassword/backends/base.py
Outdated
| def verify_user(self, user): | ||
| return user.is_active | ||
| timeout = getattr(settings, 'NOPASSWORD_LOGIN_CODE_TIMEOUT', 900) | ||
| timestamp = datetime.now() - timedelta(seconds=timeout) |
There was a problem hiding this comment.
Please use timezone provided by django instead of datetime.
|
I had some problems to get the tests running with the default configuration, some local problems with my postgresql database and some warnings of an outdated pip dependency. |
An authentication backend should return a user or None. Returning a LoginCode does not comply with that spec. Also, for some authentication backends it is a problem if no password is given (e.g. allauth backend). Checking if a user exists and creating a login code in the form should be more stable this way.
Makes more sense from outside of nopassword, as requesting a login code is the entry point of the login process. This way the default value of LOGIN_URL (`/accounts/login/`) is correctly opening the login code request page.
rubengrill
force-pushed
the
rest-auth
branch
from
09deab8 to
3ebc7a2
Compare
|
Renamed the first commits to confirm to conventional commits. |
|
I think we can keep the sqlite for now. It seems CI is not working, so I will run all tests locally tomorrow and merge if it is all green. Great work @rubengrill 👏 |
|
Awesome, looking forward to see it merged :) |
|
Thanks @rubengrill 👍 |
This PR adds a rest api (#71) and support for Django 2.0.
I also dropped support for Django < 1.11 to not waste time implementing the rest api.
In #52 it is briefly discussed to follow Django's recommendation here, to support what Django supports.
I did some backward incompatible changes, I will document those changes later in this PR to discuss if those are acceptable and if they are, what the strategy should be to handle those changes (new major version, deprecation warnings...).
In "Refactor forms" some changes are made to allow easier customization of the sent emails, following the design of Django's auth views/forms.