We should add documentation to each endpoint.

After following the installation instructions for Token Based Authentication I keep getting the above error. I'm using django 1.8.3 and DRF 3.1.3.

Is it possible that the version on pip is different from the one on Github?

Issues #12 and #26 show that we need to explain in documentation why password reset and account activation API use POST methods and what's needed to handle them.

AttributeError at /auth/register
'UserRegistrationSerializer' object has no attribute 'init_data'

I was trying to create a new user by issuing a POST request to /auth/register. Exception location is at djoser/djoser/serializers.py in save, line 34

Here are my package versions -

Django==1.7.1
djangorestframework==3.0.0
djoser==0.1.0

Can you tell me why this is happenning?

https://github.com/sunscrapers/djoser#register

Is:
If LOGIN_AFTER_ACTIVATION is True, you will receive authentication token within response.
Should be:
If LOGIN_AFTER_REGISTRATION is True, you will receive authentication token within response.

I integrated Djoser in my Django project. The api endpoint provided are all working fine, but when I browse to the Swagger docs, it throws the following error, saying AssertionError: 'RootView' should either include a 'serializer_class' attribute, or override theget_serializer_class()method.

Here is the screenshot:-

Is that a bug?

In this line: https://github.com/sunscrapers/djoser/blob/master/djoser/views.py#L125 there is a check if user has unusable password and such user is ignored when generating password reset email for him. What's the reason for that?

When I'm doing POST to this endpoint auth_user.last_login is always not set. Python 3.4/Postgres9.4/Djoser 0.3.0/Django 1.8.2

Also lastest version on pypi 0.2.0 - https://pypi.python.org/pypi/djoser/0.2.0, there is no tar.gz source archive attached

$ pip install djoser==0.2.0
Downloading/unpacking djoser==0.2.0
     Could not find a version that satisfies the requirement djoser==0.2.0 (from versions: 0.0.1, 0.0.2, 0.0.3, 0.1.0)
 Cleaning up...
 No distributions matching the version for djoser==0.2.0

I have noticed that the djoser version installed from pypi assumes no trailing slash is found at the end of the URL, while the current urls.py does assume trailing slash. I'd assume that it's because the pypi version is out of sync with the github one. Any plans to update it?

Hi guys, really glad I found this app, it's helping me a lot. One of the reasons is how straight-forward it is to customise behaviour like this compared to the other apps, but have one question. I want to have html templates for activation/reset. Currently I'm overriding the activation view like this:

class CustomRegistrationView(RegistrationView):
    """
    Override the Djoser view to provide an html template for activation email.
    """

    def get_send_email_extras(self):
        extras = super(CustomRegistrationView, self).get_send_email_extras()
        extras['html_body_template_name'] = 'activation_email_body.html'
        return extras

Is there an easier way of doing this? Would you guys consider looking for html templates by default or adding a config option for it? Cheers!

hi Guys,

I do like the product.

The following is the feedback and questions:

/password/reset

If you provide invalid email it does return you 200 HTTP code and doesn't tell you that email is not found in the database. I'd like to get a different response back, such as 404 with "details": "such email doesn't exists"

How to integrate with custom model inherited from django.contrib.auth.user model?

Would be awesome if small tutorial is provided

Update profile - 3 methods?

What's the motivation to make a 3 different methods to update profile /me and POST /username, POST /password? I think it's nicer to just call PUT /me method to update username, password. Otherwise a client should hit 3 different API endpoints.

How to update other fields of profile with PUT /me?

It seems right now it only updates email field and nothing else. What about first_name, last_name? What about other custom fields of the model (question #2 above)?

HTTP Error codes (404, 422)

For example when you do POST /login with non-existing username you get this

400
{
  "non_field_errors": [
    "Unable to login with provided credentials."
  ]
}

but it's correct request, while the response says: 400 (Bad Request). It would be nicer to have 404, error.

Also when you do POST /register and provide non-unique username you get this:

400
{
  "username": [
    "This field must be unique."
  ]
}

however this is a business logic error and code 422 is better for such use case

Generic message

If I do POST /username and provide incorrect value of current_password I get this:

400
{
  "current_password": [
    "Invalid password."
  ]
}

Which makes it hard for the client (say Android mobile app) as I need to know and define maps ahead of time.

Would not it better to return something like this:

422
{
  "errors": 
      [
           {"field": "password", "message""Invalid password provided"},
           ....
     ]
}

the same would be for registration and other methods. That way I don't need to define the model for each JSON response body, as they're all generic. Otherwise for each API call you have to create a custom parser (and you have to know all the fields ahead of time).

Validation for Incorrect request

If I do:
PUT /me

{
    "email": "[email protected]",
    "eeee": "jim",
    "zzz": "smith"
}

I'll get 200 HTTP code back:

{
  "email": "[email protected]",
  "id": 1,
  "username": "admin"
}

However the example above submitted 2 random fields. I would value if API return something like this:

422 or 400
{
  "errors": 
      [
           {"field": "eee", "message""Unknown field"},
           {"field": "zzz", "message""Unknown field"},
           ....
     ]
}

I've done some testing, and I'm puzzled about the /password/reset/confirm endpoint. I'm probably missing something obvious...

The password-reset email will contain a link of the form /password/reset/confirm/{id}/{token}. Your documentation says this is a POST endpoint. yet the browser will issue a GET when the user clicks on the link. How does this work?

The URLconf has the regex r'^password/reset/confirm$', yet the link will be /password/reset/confirm/{id}/{token} . The regex includes the EOL match, so I don't see how this can ever match the URL.

In the ActionViewMixin, it appears that request.DATA expects the uid and token to have been sent in via a query string. It also seems to expect the new_password to be present, otherwise self.get_serializer() returns False. Is this correct?

I just wanted to confirm that there isn't an easier way to customize the templates, other than:

1. Subclass the views that use templates.
2. Create and include my own version of djoser.urls

Correct?

For instance, login and logout clash with standard Django registration urls.

AttributeError at /auth/password/reset/
'Settings' object has no attribute 'DJOSER'

Ticketing this up as a reminder to add this to the REST framework documentation and the django packages DRF grid.

It would great to support the following project that implements JWT auth backend: https://github.com/GetBlimp/django-rest-framework-jwt

Deleted. Please delete.

When I try to use url(r'^auth/', include('djoser.urls.authtoken')),, I get the error ImportError: No module named authtoken. This is with djoser 0.3.1, djangorestframework 3.1.3 and Django 1.8.3.

The readme says, "In other words, users have been granted access to a specific resource for a fixed time period." Where is token expiration implemented?

String formatting issue in regexp for url named set_username. Python 2.6 does not support this syntax.

AssertionError at /auth/logout
'LogoutView' should either include a 'serializer_class' attribute, or use the 'model' attribute as a shortcut for automatically generating a serializer class.

i think this is due to a change in DRF. Here are my versions:

Django==1.6.8
djoser==0.1.0
djangorestframework==2.4.4

Pull request with a fix incoming...

User.is_active is being set to True in the registration view. While a token is not necessarily being granted, the user is still activated. When ActivationView is hit, is_active is being set to True, when it's already True.

Perhaps is_active should be set to True if LOGIN_AFTER_REGISTRATION is True only.

I get an unauthorized error when clicking the email activation link in the sent email. Do you know if this should work out-of-the-box?

Could you upload the 0.2.1 release to pypi?

To be precise the issue is caused by function called create_username_field(). It creates the serializer field but it doesn't add the validators to this field instance. It just doesn't take into account the parameters passed to username model field.

Can we have something like: /activate?uid={uid}&token={token}

while running

python manage.py migrate rest_framework.authtoken

getting the following error.
UnknownMigration: Migration 'authtoken:0001_initial' probably doesn't exist.

If we remove csrfmiddlewaretoken form init_data then only registration succeeded.
del self.init_data['csrfmiddlewaretoken']

Added statement del self.init_data['csrfmiddlewaretoken'] in save method

class UserRegistrationSerializer(serializers.ModelSerializer):

    class Meta:
        model = User
        fields = tuple(User.REQUIRED_FIELDS) + (
            User.USERNAME_FIELD,
            'password',
        )
        write_only_fields = (
            'password',
        )

    def save(self, **kwargs):
        self.object = User.objects.create_user(**dict(self.init_data.items()))
        return self.object

Hey there, awesome package. Really makes a lot of sense.

I'm currently tackling an issue, in which I am just trying to access the basic /auth/login endpoint.

I have a custom user model, which I have created with the help of the django-authtools package. My username is on an email field, which has unique set to True.

When I try to POST to /login/, I get a 400 error saying that the email field must be unique. I assume this is because it is trying to POST on a unique field... can that be a PUT, or is there another way to go about solving this issue?

Happy to provide code samples if needed, and I'll keep tinkering around and see if I can come up with a solution.

Thanks again!

This involves multiple packages, and I'm not sure where the issue lies. I'll start here. :-)

Using...

• djoser from the git repository's master branch
• django-rest-swagger 0.2.9
• and the dist directory from swagger-ui's master branch..

I find that the "username" parameter for the /login endpoint isn't displayed in the swagger-ui documentation. "Password" is there, but username is not:

In djoser.serializers.UserLoginSerializer.Meta.fields, "username" is not listed as a field. The username is manually picked off through User.USERNAME_FIELD, but Django Rest Swagger can't find that reference and so isn't aware of the username parameter.

post_save method doesn't exist anymore. Also, 'required' attribute is deprecated.

All changes in version 3:
http://www.django-rest-framework.org/topics/3.0-announcement/

I'm trying to limit login attempts, and temporary ban by ip users who exceed that limit. I've been investigating django-axes, but it's implemented in a way that makes hard to use it in a webservice.

Someone had success using it with djoser, or know an alternative solution?

Any time I hit the logout endpoint I get this error. If I refresh a couple of times the errors goes away I I'm able to logout.

'LogoutView' should either include a `serializer_class` attribute, or override the `get_serializer_class()` method.

django = 1.7.4
djoser = 0.2.0
django rest framework = 3.0.3

I think we have a typo here --- ActivationView is misplaced by PasswordResetConfirmView.

url(r'^activate$', views.PasswordResetConfirmView.as_view(), name='activate'),

https://github.com/sunscrapers/djoser/blob/master/djoser/urls.py#L13

Another question is that why we need to use POST method for activation? The activation link is sent via email, and user's click supposes to activate the related account. Such click would generate a GET request, I suppose.

I get this error when I try to log out:

AssertionError at /auth/logout
'LogoutView' should either include a serializer_class attribute, or override the get_serializer_class() method.

It would be awesome to have simple frontend demo app. I'm thinking about something really simple with VanillaJS. In the future we could also create AngulaJS library.

Hi!
I use custom user model(inherited from AbstractUser) and I have few errors
http://127.0.0.1:8000/auth/logout

'LogoutView' should either include a 'serializer_class' attribute, or use the 'model' attribute as a shortcut for automatically generating a serializer class.

http://127.0.0.1:8000/auth/login

can only concatenate tuple (not "list") to tuple

screenshot http://i.imgur.com/vJ5w9KT.png

Django==1.8
djangorestframework==2.4.5
djoser==0.2.1

Do you know of any djoser forks with Python 2.6 support?

I tried searching in Github, and on the web, but came up empty. If there aren't any, I may fork it to add 2.6 support.

Thanks!

See also #42.

I'm hesitant to call this an issue -- more of a curiosity. Was there a reason that you chose not to implement the handling of authentication for the /login endpoint via the BasicAuthentication class in DRF?

It would be nice if every time a user logs in a new token was generated and sent. In this way a user could log in and out on his phone without getting logged out from his computer. But because of this a new method would be necessary, that would be being able to log out from all devices (making all tokens invalid)

We've got 100's of tenants running out of a single settings.py file. Having settings.DOMAIN provided in settings.py is pretty limiting. Suggestion would be to pull the domain from the request. There may be a better way though.

Here is the change I made to utils.py

    def get_email_context(self, user):
        token = self.token_generator.make_token(user)
        uid = encode_uid(user.pk)
        # Pull domain from request
        try:
            domain = self.request.get_host()
        except:
            domain = settings.get('DOMAIN')
        return {
            'user': user,
            'domain': domain, # Use domain from request or if not provided fall back to settings.
            'site_name': settings.get('SITE_NAME'),
            'uid': uid,
            'token': token,
            'protocol': 'https' if self.request.is_secure() else 'http',
        }

Is anybody else experiencing this or is my Django just wanky?

My Django server output shows an options and a post request.

[14/Apr/2015 22:27:00] "OPTIONS /auth/password/reset HTTP/1.1" 200 334
[14/Apr/2015 22:27:05] "POST /auth/password/reset HTTP/1.1" 200 0

There are probably two things to do:

• add integration tests to testproject to check if the Swagger doc is generated without any issues
• fix the issue with dynamically added fields to serializers - see #41

doesn't work is_authenticated() with 'rest_framework.authentication.TokenAuthentication' installed.
how to fix it?

Reasons:

1. those settings increase code complexity too much,
2. you could just make login request after registration/activation.

Refs: discussion in #56 PR.

Django REST framework 3.1.0

Traceback (most recent call last):
  File "/home/pokidovea/.virtualenvs/myapp/local/lib/python2.7/site-packages/django/core/handlers/base.py", line 132, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/pokidovea/.virtualenvs/myapp/local/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 58, in wrapped_view
    return view_func(*args, **kwargs)
  File "/home/pokidovea/.virtualenvs/myapp/local/lib/python2.7/site-packages/django/views/generic/base.py", line 71, in view
    return self.dispatch(request, *args, **kwargs)
  File "/home/pokidovea/.virtualenvs/myapp/local/lib/python2.7/site-packages/rest_framework/views.py", line 452, in dispatch
    response = self.handle_exception(exc)
  File "/home/pokidovea/.virtualenvs/myapp/local/lib/python2.7/site-packages/rest_framework/views.py", line 449, in dispatch
    response = handler(request, *args, **kwargs)
  File "build/bdist.linux-x86_64/egg/djoser/utils.py", line 42, in post
    serializer = self.get_serializer(data=request.DATA)
  File "/home/pokidovea/.virtualenvs/myapp/local/lib/python2.7/site-packages/rest_framework/generics.py", line 109, in get_serializer
    return serializer_class(*args, **kwargs)
  File "build/bdist.linux-x86_64/egg/djoser/serializers.py", line 94, in __init__
    self.fields[User.USERNAME_FIELD] = create_username_field()
  File "build/bdist.linux-x86_64/egg/djoser/serializers.py", line 16, in create_username_field
    mapping_dict = serializers.ModelSerializer._field_mapping.mapping
AttributeError: type object 'ModelSerializer' has no attribute '_field_mapping'