Fix the reset_password_token_created signal to be fired even when no token have been created.

CHANGELOG.md

@@ -8,6 +8,9 @@ PyPi: [https://pypi.org/project/django-rest-passwordreset/](https://pypi.org/pro
 
 ## [Unreleased]
 
+### Fixed
+- Fix the reset_password_token_created signal to be fired even when no token have been created. (#188)
+
 ## [1.4.0]
 
 ### Added

django_rest_passwordreset/views.py

@@ -60,7 +60,7 @@ def clear_expired_tokens():
     clear_expired(now_minus_expiry_time)
 
 
-def generate_token_for_email(email, user_agent='', ip_address=''):
+def generate_token_for_email(email, user_agent='', ip_address='') -> ResetPasswordToken | None:
     # find a user by email address (case-insensitive search)
     users = User.objects.filter(**{'{}__iexact'.format(get_password_reset_lookup_field()): email})
 
@@ -75,12 +75,14 @@ def generate_token_for_email(email, user_agent='', ip_address=''):
             break
 
     # No active user found, raise a ValidationError
-    # but not if DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE == True
-    if not active_user_found and not getattr(settings, 'DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE', False):
-        raise exceptions.ValidationError({
-            'email': [_(
-                "We couldn't find an account associated with that email. Please try a different e-mail address.")],
-        })
+    # but not if DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE == True, in that case we return None
+    if not active_user_found:
+        if not getattr(settings, 'DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE', False):
+            raise exceptions.ValidationError({
+                'email': [_(
+                    "We couldn't find an account associated with that email. Please try a different e-mail address.")],
+            })
+        return None
 
     # last but not least: iterate over all users that are active and can change their password
     # and create a Reset Password Token and send a signal with the created token
@@ -199,9 +201,13 @@ def post(self, request, *args, **kwargs):
             ip_address=request.META.get(HTTP_IP_ADDRESS_HEADER, ''),
         )
 
-        # send a signal that the password token was created
-        # let whoever receives this signal handle sending the email for the password reset
-        reset_password_token_created.send(sender=self.__class__, instance=self, reset_password_token=token)
+        if token:
+            # send a signal that the password token was created
+            # let whoever receives this signal handle sending the email for the password reset
+            reset_password_token_created.send(
+                sender=self.__class__,
+                instance=self, reset_password_token=token
+            )
 
         return Response({'status': 'OK'})
 

tests/test/test_auth_test_case.py

@@ -360,13 +360,15 @@ def test_signals(self,
         self.assertEqual(mock_pre_password_reset.call_args[1]['reset_password_token'], token1)
 
     @override_settings(DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE=True)
-    def test_try_reset_password_email_does_not_exist_no_leakage_enabled(self):
+    @patch('django_rest_passwordreset.signals.reset_password_token_created.send')
+    def test_try_reset_password_email_does_not_exist_no_leakage_enabled(self, mock_reset_signal):
         """
         Tests requesting a token for an email that does not exist when
         DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE == True
         """
         response = self.rest_do_request_reset_token(email="[email protected]")
         self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertFalse(mock_reset_signal.called)
 
     def test_user_without_password(self):
         """ Tests requesting a token for an email without a password doesn't work"""