I'm building an api for a mobile app. The mobile client has full support for cookies so I want to use SessionAuthentication. After following the Django rest framework tutorial how would you configure the api and interact with it to reset a user's password?
I know Django exposes these paths
accounts/login/ [name='login']
accounts/logout/ [name='logout']
accounts/password_change/ [name='password_change']
accounts/password_change/done/ [name='password_change_done']
accounts/password_reset/ [name='password_reset']
accounts/password_reset/done/ [name='password_reset_done']
accounts/reset/<uidb64>/<token>/ [name='password_reset_confirm']
accounts/reset/done/ [name='password_reset_complete']
Note I'm not using BasicAuthentication, I'm using SessionAuthentication. What http requests should a mobile client make?
To use the Django built-in auth flows using SessionAuthentication you should use a browser. See

Warning: Always use Django's standard login view when creating login pages. This will ensure your login views are properly protected.

http://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication

In a phone app you shouldn't have to worry about cross site scripting so it's okay to use token authentication and store the token on the phone.

You'll still want to use SessionAuthentication for Django-Rest-Framework's browsable api. Remember to force HttpOnly cookies and disable the browsable api in production. You can later build a Single Page Application that relies on the same approach as the mobile app but ensure any tokens are stored as secure cookies.

For reset password flow in drf try https://github.com/anx-ckreuzberger/django-rest-passwordreset
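One way to express the answer's recommendations as Django settings (an added example, not code from the question, the answer or the django-rest-passwordreset project): TokenAuthentication for the phone app, SessionAuthentication and the browsable API only while DEBUG is on, and HttpOnly/Secure cookie flags for any browser client. The helper names and the DEBUG-driven selection are this example's own assumptions; the setting keys and class paths are standard Django and DRF.

```python
# Added example: settings fragment choosing DRF auth classes and cookie
# hardening from the DEBUG flag. Function names are hypothetical; the
# setting keys and dotted class paths are Django's and DRF's own.


def rest_framework_settings(debug: bool) -> dict:
    """Return the REST_FRAMEWORK dict.

    TokenAuthentication serves the mobile app. SessionAuthentication is kept
    only so developers can use the browsable API, and both it and the
    BrowsableAPIRenderer are dropped when DEBUG is off (production).
    """
    auth_classes = ["rest_framework.authentication.TokenAuthentication"]
    renderers = ["rest_framework.renderers.JSONRenderer"]
    if debug:
        auth_classes.append("rest_framework.authentication.SessionAuthentication")
        renderers.append("rest_framework.renderers.BrowsableAPIRenderer")
    return {
        "DEFAULT_AUTHENTICATION_CLASSES": auth_classes,
        "DEFAULT_RENDERER_CLASSES": renderers,
        "DEFAULT_PERMISSION_CLASSES": ["rest_framework.permissions.IsAuthenticated"],
    }


def cookie_settings(debug: bool) -> dict:
    """Cookie flags for browser clients (browsable API now, an SPA later).

    HttpOnly keeps script from reading the session cookie; Secure is relaxed
    only in DEBUG so the dev server can run over plain HTTP.
    """
    return {
        "SESSION_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SECURE": not debug,
        "SESSION_COOKIE_SAMESITE": "Lax",
        "CSRF_COOKIE_SECURE": not debug,
    }


# Production values; flip DEBUG to True for local development.
DEBUG = False
REST_FRAMEWORK = rest_framework_settings(DEBUG)
SESSION_COOKIE_HTTPONLY = cookie_settings(DEBUG)["SESSION_COOKIE_HTTPONLY"]
SESSION_COOKIE_SECURE = cookie_settings(DEBUG)["SESSION_COOKIE_SECURE"]
SESSION_COOKIE_SAMESITE = cookie_settings(DEBUG)["SESSION_COOKIE_SAMESITE"]
CSRF_COOKIE_SECURE = cookie_settings(DEBUG)["CSRF_COOKIE_SECURE"]
```

Token authentication additionally needs `rest_framework.authtoken` in INSTALLED_APPS and a migration run so the token table exists.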