Adding password reset to login page

[moira-andrews]

For SNEx2, I have tried to add a password reset link on the login page. I have had success accessing the Django default password reset url by adding a template /registration/login.html that includes <a href="{% url 'password_reset' %}" class="text-muted">Forgot your password?</a> and path('accounts/', include('django.contrib.auth.urls')), to my urls.py. I've also updated the settings.py to include the password_reset urls.

AUTH_STRATEGY = 'LOCKED'
OPEN_URLS = [
    '/accounts/password_reset/',
    '/accounts/password_reset/done/',
    '/accounts/reset/done/',
    '/accounts/reset/'
]

The issue I've run into with this is I am able to follow the url to reset my password and input my email. From my email I will get a link with /accounts/reset/<token link> and when I paste this into my url, I get an error that I do not have permission to access the page. When I change AUTH_STRATEGY=READ_ONLY, I am able to access the url /accounts/reset/<token link> sent in the email and change my password. I've tried variations of '/accounts/reset/' in open urls while having AUTH_STRATEGY = 'LOCKED' like '/accounts/reset/*' or even just only including /accounts/, but the only successful method was changing the AUTH_STRATEGY.

[jchate6]

This hits our middleware in tom_common.middleware.AuthStrategyMiddleware
We should consider modifying this to take wildcards so that /accounts/reset/* or similar can be added to Open URLS, or have all of these django reset URLS open by default.

[Fingel]

#1446 should resolve this. Note that this relies on wildcard matching, so you'll need to update your OPEN_URLS setting to include: "/accounts/reset/*/"