I am implementing Django Password Reset to send a recovery password link when the user types his/her email id using django.contrib.auth.urls, which works perfectly.
This is from the Django documentation:
If the email address provided does not exist in the system, the user is inactive, or has an unusable password, the user will still be redirected to this view but no email will be sent.
My question is: how to add EmailValidation to check whether the email the user typed exists in the database or not, and raise a ValidationError.
Also, from the documentation at: https://docs.djangoproject.com/en/3.0/topics/auth/default/#django.contrib.auth.views.PasswordResetView
If the email address provided does not exist in the system, this view won’t send an email, but the user won’t receive any error message either. This prevents information leaking to potential attackers. If you want to provide an error message in this case, you can subclass PasswordResetForm and use the form_class attribute.
(Emphasis mine) If you notice from other sites you may use, this is a common practice. A site generally doesn’t want to advertise what accounts are active - it helps reduce the surface area on which an attack can be made.
If you want to add such validation to the password reset form, I suggest not doing it. By validating the email address on that form you’re giving potential hackers valuable information about the existence/non-existence of a particular email address in your database.
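To make the point of both replies above concrete, here is an added, framework-independent Python model of the two reset flows under discussion (it is not Django's code and does not import Django; the user table, the outbox list and the response dicts are constructed for the example). `enumeration_safe_reset` mirrors the documented behaviour: every request gets the same redirect, and an email is sent only when the account exists, is active and has a usable password. `leaky_reset` is the variant the asker proposed, where an unknown address gets a validation error; `responses_are_uniform` is the kind of regression check a defender can keep to catch that difference. The `!` prefix for unusable passwords follows Django's convention, assumed here rather than taken from the thread.

```python
from dataclasses import dataclass

# Django stores unusable passwords with this prefix (assumption, not from the thread).
UNUSABLE_PASSWORD_PREFIX = "!"


@dataclass
class User:
    email: str
    is_active: bool = True
    password: str = "pbkdf2_sha256$dummy-hash"

    def has_usable_password(self) -> bool:
        return not self.password.startswith(UNUSABLE_PASSWORD_PREFIX)


# Constructed sample user table: one normal account, one inactive, one without a password.
USERS = {
    "alice@example.com": User("alice@example.com"),
    "bob@example.com": User("bob@example.com", is_active=False),
    "carol@example.com": User("carol@example.com", password="!no-password-set"),
}

DONE_REDIRECT = {"status": 302, "location": "/password_reset/done/"}


def enumeration_safe_reset(email, users=USERS, outbox=None):
    """Documented Django behaviour: identical response for every input,
    reset email sent only when a reset is actually possible."""
    outbox = [] if outbox is None else outbox
    user = users.get(email.strip().lower())
    if user is not None and user.is_active and user.has_usable_password():
        outbox.append((user.email, "password reset link"))
    # Unknown, inactive and no-password cases all fall through to the same redirect.
    return dict(DONE_REDIRECT)


def leaky_reset(email, users=USERS, outbox=None):
    """The asker's proposal: a ValidationError for unknown addresses.
    The different response tells the caller which addresses are registered."""
    outbox = [] if outbox is None else outbox
    user = users.get(email.strip().lower())
    if user is None:
        return {"status": 200, "errors": {"email": ["No account with this email."]}}
    if user.is_active and user.has_usable_password():
        outbox.append((user.email, "password reset link"))
    return dict(DONE_REDIRECT)


def responses_are_uniform(handler, emails) -> bool:
    """Regression check: does the handler answer every address identically?
    Returns False for a handler whose response depends on account existence."""
    seen = {repr(handler(e, outbox=[])) for e in emails}
    return len(seen) == 1


if __name__ == "__main__":
    probes = ["alice@example.com", "bob@example.com", "carol@example.com", "nobody@example.com"]
    print("safe handler uniform:", responses_are_uniform(enumeration_safe_reset, probes))
    print("leaky handler uniform:", responses_are_uniform(leaky_reset, probes))
```

The uniform-response check is the part worth keeping in a project's test suite: it fails as soon as someone reintroduces a per-address error message on the reset form.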
Many thanks for your reply.