Hi there,

While working on the change password / reset password UI/UX for a SaaS 
implemented with Django, I noticed there is a lack of information being 
logged when someone is requesting a password reset, or changing their own 
password. Such logging could be really useful both to better assist the end 
user (i.e., the help desk could check the proper execution of the reset flow) 
and to monitor abuses or malicious behaviour (as referred to in 
https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet#Step_5.29_Logging).

Furthermore, I also added a final email confirmation when the password 
change ends with success, so the user is always notified of their own actions.


To implement such features I had to manually extend the default views and 
forms; notably, I had to override the form's save method. This is not 
optimal, since I have to manually check for security issues in the original 
Django implementation, and manually update my code accordingly.

It would really be a better solution if the default views and forms already 
provided a way to log those events, and allowed customising the messages (i.e., 
for integration with a log collector).


I'm open to more insight and suggestions on this topic.


Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/1185ad76-0dfe-4118-903a-616af9043522%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
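The approach the post describes (subclassing the stock forms and overriding `save` to log reset requests and completed changes, plus a confirmation mail) can look like the following. This is an added example, not code from the original post or from Django itself. It assumes Django's stock `PasswordResetForm`, `SetPasswordForm` and `PasswordChangeForm`, a logging handler attached to a logger named `auth.password` (an assumed name), and that the views pass `request=self.request` through `get_form_kwargs()` to the change forms (assumed wiring, not something Django does by default). The Django-specific classes are defined only when Django imports cleanly, so the framework-independent helpers can be exercised on their own.

```python
# Added example (not from the original post or Django). Assumes Django's stock
# PasswordResetForm / SetPasswordForm / PasswordChangeForm and a handler on the
# "auth.password" logger (assumed name). Django classes are defined only if
# Django imports cleanly, so the plain helpers run without it.
import hashlib
import json
import logging
from datetime import datetime, timezone

logger = logging.getLogger("auth.password")


def email_fingerprint(email):
    """Stable, case-insensitive fingerprint: the help desk correlates a user's
    events by hashing the address they were given; raw addresses stay out of logs."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()[:16]


def client_context(request):
    """Remote address and user agent from a Django-style request. Only REMOTE_ADDR
    is read: X-Forwarded-For is client-controlled unless a trusted proxy rewrites it."""
    if request is None:
        return {"remote_addr": None, "user_agent": None}
    meta = getattr(request, "META", {})
    return {"remote_addr": meta.get("REMOTE_ADDR"),
            "user_agent": (meta.get("HTTP_USER_AGENT") or "")[:200]}  # cap oversized headers


def build_event(action, *, email=None, user_id=None, request=None, outcome="success"):
    """Assemble one structured audit record named auth.password.<action>."""
    event = {"event": "auth.password." + action,
             "outcome": outcome,
             "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "user_id": user_id,
             "email_fp": email_fingerprint(email) if email else None}
    event.update(client_context(request))
    return event


def log_event(action, **kwargs):
    """Emit the record as one JSON line and return it to the caller."""
    event = build_event(action, **kwargs)
    logger.info(json.dumps(event, sort_keys=True))
    return event


try:
    from django.contrib.auth.forms import PasswordChangeForm, PasswordResetForm, SetPasswordForm
    from django.core.mail import send_mail
except Exception:  # Django missing or settings not configured: helpers above still work
    pass
else:
    class AuditedPasswordResetForm(PasswordResetForm):
        """Log every reset request, matched account or not, so the log line says
        no more about account existence than the view's uniform response does."""
        def save(self, *args, **kwargs):  # PasswordResetView passes request= here
            log_event("reset_requested", email=self.cleaned_data["email"],
                      request=kwargs.get("request"))
            return super().save(*args, **kwargs)

    class PasswordChangeAuditMixin:
        """Log a completed change and confirm it to the user by email. The view's
        get_form_kwargs() must add request=self.request (assumed wiring)."""
        def __init__(self, *args, request=None, **kwargs):
            super().__init__(*args, **kwargs)
            self.request = request

        def save(self, commit=True):
            user = super().save(commit=commit)
            log_event("changed", user_id=user.pk, email=user.email, request=self.request)
            # The password is already stored; a mail failure must not fail the request.
            send_mail("Your password was changed",
                      "If you did not make this change, contact support immediately.",
                      None, [user.email], fail_silently=True)
            return user

    class AuditedSetPasswordForm(PasswordChangeAuditMixin, SetPasswordForm):
        pass  # reset-confirm step

    class AuditedPasswordChangeForm(PasswordChangeAuditMixin, PasswordChangeForm):
        pass  # logged-in change; keeps PasswordChangeForm's old-password check


class _DemoRequest:  # constructed stand-in for HttpRequest, used only by demo()
    def __init__(self, remote_addr, user_agent):
        self.META = {"REMOTE_ADDR": remote_addr, "HTTP_USER_AGENT": user_agent}


def demo():
    """Constructed sample: one reset request followed by a completed change."""
    req = _DemoRequest("203.0.113.7", "Mozilla/5.0 (constructed)")
    return [log_event("reset_requested", email="Alice@Example.com", request=req),
            log_event("changed", user_id=42, email="alice@example.com", request=req)]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    demo()
```

The forms plug into the stock views through `form_class` (`PasswordResetView`, `PasswordResetConfirmView`, `PasswordChangeView`); the reset form already receives `request` from its view, while the two change forms need the view's `get_form_kwargs()` override mentioned above. Each record is one JSON line so a log collector can index it by `event`, `email_fp` and `remote_addr` without parsing free text, and the fingerprint lets the help desk look up a user's reset history by hashing the address they were given.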
