Add throttling to password reset

.gitignore

@@ -9,4 +9,5 @@ build/
 .tox/
 db.sqlite3
 dist/
+.DS_Store
 

django_rest_passwordreset/tests/test_throttle.py

@@ -0,0 +1,54 @@
+from django.urls import reverse
+from rest_framework.test import APIClient, APITestCase
+from django.contrib.auth.models import User
+from django.contrib.auth import get_user_model
+from django_rest_passwordreset.models import ResetPasswordToken
+
+
+User = get_user_model()
+
+
+class TestThrottle(APITestCase):
+    def setUp(self):
+        self.client = APIClient()
+
+        self.user_1 = User.objects.create_user(username='user_1', password='password', email='user@test.local')
+        self.user_admin = User.objects.create_superuser(username='admin', password='password', email='admin@test.local')
+
+    def test_0001_login(self):
+
+        # generate token
+        url = reverse('password_reset:reset-password-request')
+        data = {'email': self.user_1.email}
+        response = self.client.post(url, data).json()
+
+        self.assertIn('status', response)
+        self.assertEqual(response['status'], 'OK')
+
+        # test validity of the token
+        token = ResetPasswordToken.objects.filter(user=self.user_1).first()
+        url = reverse('password_reset:reset-password-validate')
+        data = {'token': token.key}
+        response = self.client.post(url, data).json()
+
+        self.assertIn('status', response)
+        self.assertEqual(response['status'], 'OK')
+
+        # reset password
+        url = reverse('password_reset:reset-password-confirm')
+        data = {'token': token.key, 'password': 'new_password'}
+        response = self.client.post(url, data).json()
+
+        # check if new password was set
+        self.assertTrue(token.user.check_password('new_password'))
+        self.assertFalse(token.user.check_password('password'))
+
+    def test_0002_throttle(self):
+
+        # first run on test_0001_login
+        # x number of runs (adjust number of calls to the throttle settings)
+        for i in range(1):
+            self.test_0001_login()
+
+        # last run should raise an exception
+        self.assertRaises(Exception, self.test_0001_login())

django_rest_passwordreset/views.py

@@ -11,6 +11,7 @@
 from rest_framework.generics import GenericAPIView
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
+from rest_framework.throttling import AnonRateThrottle
 
 from django_rest_passwordreset.models import ResetPasswordToken, clear_expired, get_password_reset_token_expiry_time, \
     get_password_reset_lookup_field
@@ -103,6 +104,14 @@ def generate_token_for_email(email, user_agent='', ip_address=''):
             )
 
 
+class CustomResetPasswordThrottle(AnonRateThrottle):
+    rate = '3/day'  # Adjust this rate as needed
+
+    def get_cache_key(self, request, view):
+        # Use IP address for throttling to prevent abuse
+        return self.get_ident(request)
+
+
 class ResetPasswordValidateToken(GenericAPIView):
     """
     An Api View which provides a method to verify that a token is valid
@@ -185,7 +194,7 @@ class ResetPasswordRequestToken(GenericAPIView):
 
     Sends a signal reset_password_token_created when a reset token was created
     """
-    throttle_classes = ()
+    throttle_classes = (CustomResetPasswordThrottle,)
     permission_classes = ()
     serializer_class = EmailSerializer
     authentication_classes = ()