Session settings with Django's authentication system: possible improvements in documentation and checks

Hi there,

In one of my Django projects I’m using the provided authentication. I recently had a lot of trouble with the password reset link. The generated link was working fine in the unit tests and when copy-and-pasting it from the email; yet clicking the link from the email message resulted in opening the password reset view with an "invalid token" error.

It took me a while to find the root cause of this issue: the SESSION_COOKIE_SAMESITE setting was set to Strict, yet in order to have the password reset link properly working it must be Lax (or None).

I think this should be made clearer in the documentation (https://docs.djangoproject.com/en/3.0/topics/auth/default/), and possibly a Django check (https://docs.djangoproject.com/en/3.0/ref/django-admin/#check) should be added to alert on a wrong setting when the authentication links are included in a site.

Should I open a bug report for this?

Thanks
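The flow the post describes, modelled as an added example (this is not code from the original post and not Django's own implementation). It assumes the mechanism behind the symptom: Django's PasswordResetConfirmView stores a valid token in the session and redirects to the same URL with the token replaced by `set-password`, so the redirected request must carry the session cookie. A cookie with `SameSite=Strict` is withheld on that request when the navigation started on another site (the mail client), while `Lax` still sends it for a top-level GET, and a URL pasted into the address bar has no cross-site initiator at all. The hosts, session keys and token are constructed; `check_samesite_for_reset` is a hypothetical sketch of the system check suggested above, not a Django API, and it deliberately has no check identifier.

```python
"""Model of why SESSION_COOKIE_SAMESITE = 'Strict' breaks Django's password
reset link when it is clicked from a mail client on another site.
Added example with constructed values; not Django's code."""
from dataclasses import dataclass, field
from typing import Optional

SITE = "example.com"             # constructed: host running the Django app
MAILBOX = "webmail.example.net"  # constructed: site the user clicks the link from
VALID_TOKEN = "5gx-8f3a1c"       # constructed: stands in for the real reset token
RESET_URL_TOKEN = "set-password"
SESSION_TOKEN_KEY = "_password_reset_token"


@dataclass
class Request:
    path: str
    method: str = "GET"
    # Site that initiated the navigation; None models a URL typed or pasted
    # into the address bar, which browsers treat as same-site.
    initiator: Optional[str] = None
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""
    redirect: Optional[str] = None
    set_session: Optional[str] = None   # models Set-Cookie: sessionid=...


def cookie_is_sent(samesite: str, request: Request) -> bool:
    """Browser-side SameSite rule for a cookie belonging to SITE."""
    mode = samesite.lower()
    if mode == "none":
        return True
    if request.initiator in (None, SITE):   # same-site navigation
        return True
    if mode == "lax":                       # cross-site top-level, safe method
        return request.method in ("GET", "HEAD")
    return False                            # strict: never on a cross-site request


class ResetConfirmView:
    """Stripped-down model of PasswordResetConfirmView: the first GET with a
    valid token stores it in the session and redirects to the URL with the
    token replaced by RESET_URL_TOKEN; the second GET must find the token in
    the session, otherwise the page reports an invalid link."""

    def __init__(self) -> None:
        self.sessions: dict = {}   # session key -> session data

    def handle(self, request: Request) -> Response:
        uidb64, token = request.path.rstrip("/").split("/")[-2:]
        key = request.cookies.get("sessionid")
        if token == RESET_URL_TOKEN:
            session = self.sessions.get(key, {}) if key else {}
            if session.get(SESSION_TOKEN_KEY) == VALID_TOKEN:
                return Response(200, body="set new password form")
            return Response(200, body="invalid link")
        if token == VALID_TOKEN:
            if key is None or key not in self.sessions:
                key = f"sess{len(self.sessions) + 1}"   # constructed session key
                self.sessions[key] = {}
            self.sessions[key][SESSION_TOKEN_KEY] = token
            return Response(302, redirect=f"/reset/{uidb64}/{RESET_URL_TOKEN}/",
                            set_session=key)
        return Response(200, body="invalid link")


def click_link(samesite: str, initiator: Optional[str], server: ResetConfirmView) -> str:
    """Navigate to the reset link and follow one redirect, applying the
    SameSite rule on each request. Returns the page the user ends up on."""
    jar: dict = {}
    path = f"/reset/MQ/{VALID_TOKEN}/"
    for _ in range(2):
        req = Request(path, initiator=initiator)
        if "sessionid" in jar and cookie_is_sent(samesite, req):
            req.cookies["sessionid"] = jar["sessionid"]
        resp = server.handle(req)
        if resp.set_session:
            jar["sessionid"] = resp.set_session   # the browser always stores it
        if resp.redirect is None:
            return resp.body
        path = resp.redirect   # a redirect keeps the original cross-site initiator
    return resp.body


def check_samesite_for_reset(session_cookie_samesite, url_names) -> list:
    """Hypothetical sketch of the system check proposed in the thread (not a
    Django API): warn when the reset confirm view is routed and the session
    cookie is Strict. Returns a list of warning messages."""
    if "password_reset_confirm" in url_names and \
            str(session_cookie_samesite).lower() == "strict":
        return ["SESSION_COOKIE_SAMESITE = 'Strict' breaks password reset links "
                "opened from another site; use 'Lax' or 'None'."]
    return []


if __name__ == "__main__":
    for mode, origin in [("Strict", MAILBOX), ("Lax", MAILBOX), ("Strict", None)]:
        print(f"{mode:6} from {origin or 'address bar'}: "
              f"{click_link(mode, origin, ResetConfirmView())}")
```

Running the block prints one line per case: the Strict cookie clicked from the webmail host ends on "invalid link", the same click with Lax reaches the form, and Strict still works when the link is pasted into the address bar, which matches the observation that the link worked in tests and when copied by hand.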

Yes please do open a trac ticket. I’m in favour of more system checks to catch issues like this.


Done!

https://code.djangoproject.com/ticket/31129#ticket