# urls.py (accounts app): wire up Django's built-in password reset views
from django.contrib.auth import views as auth_views
from django.urls import path

app_name = 'accounts'

urlpatterns = [
    # Step 1: form asking for the email address
    path('password-reset/',
         auth_views.PasswordResetView.as_view(
             template_name='accounts/password_reset.html',
             email_template_name='accounts/password_reset_email.html',
             subject_template_name='accounts/password_reset_subject.txt',
         ),
         name='password_reset'),
    # Step 2: "check your inbox" page
    path('password-reset/done/',
         auth_views.PasswordResetDoneView.as_view(
             template_name='accounts/password_reset_done.html'
         ),
         name='password_reset_done'),
    # Step 3: link from the email; uidb64 identifies the user, token proves the request
    path('reset/<uidb64>/<token>/',
         auth_views.PasswordResetConfirmView.as_view(
             template_name='accounts/password_reset_confirm.html'
         ),
         name='password_reset_confirm'),
    # Step 4: confirmation that the new password was set
    path('reset/done/',
         auth_views.PasswordResetCompleteView.as_view(
             template_name='accounts/password_reset_complete.html'
         ),
         name='password_reset_complete'),
]
# settings.py
import os

# Password reset settings
PASSWORD_RESET_TIMEOUT = 3600  # 1 hour in seconds; reset tokens older than this are rejected

# Email configuration (credentials come from the environment, never from source control)
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_HOST = 'smtp.gmail.com'
EMAIL_PORT = 587
EMAIL_USE_TLS = True
EMAIL_HOST_USER = os.environ.get('EMAIL_USER')
EMAIL_HOST_PASSWORD = os.environ.get('EMAIL_PASSWORD')
DEFAULT_FROM_EMAIL = 'noreply@example.com'
Django provides built-in password reset views. I customize the templates to match the site design. The flow sends a secure token via email that expires after a timeout. I configure the email backend and PASSWORD_RESET_TIMEOUT in settings. For better UX, I customize the success messages and redirect URLs. The token is cryptographically signed and can't be forged. I test the flow in development with the console email backend. For production, I ensure email deliverability with SPF/DKIM records. This standard pattern is secure and well-tested.
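To make concrete why the token cannot be forged and why it stops working after the timeout or after the password changes, here is an added, simplified re-implementation of the scheme Django's PasswordResetTokenGenerator uses (an HMAC over the user's state plus an issue timestamp). It is illustration code, not Django's own; the User dataclass and the secret are constructed stand-ins.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

PASSWORD_RESET_TIMEOUT = 3600  # seconds, mirrors the setting above


@dataclass
class User:  # constructed stand-in for the Django user model
    pk: int
    password: str    # stored password hash; changes when the password is reset
    last_login: int  # unix timestamp; changes when the user logs in
    email: str


def _int_to_base36(n: int) -> str:
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = digits[r] + out
    return out or "0"


def _hash_value(user: User, ts: int) -> str:
    # Everything the token commits to: if any field changes, the token dies.
    # Including the password hash is what makes a token single-use.
    return f"{user.pk}{user.password}{user.last_login}{ts}{user.email}"


def make_token(user: User, secret: bytes, now: Optional[int] = None) -> str:
    ts = int(time.time() if now is None else now)
    mac = hmac.new(secret, _hash_value(user, ts).encode(), hashlib.sha256).hexdigest()
    return f"{_int_to_base36(ts)}-{mac}"


def check_token(user: User, token: str, secret: bytes, now: Optional[int] = None) -> bool:
    try:
        ts_b36, mac = token.split("-")
        ts = int(ts_b36, 36)  # int() parses base-36 with lowercase digits
    except ValueError:
        return False  # malformed token
    expected = hmac.new(secret, _hash_value(user, ts).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # forged, or user state changed since the token was issued
    current = int(time.time() if now is None else now)
    return current - ts <= PASSWORD_RESET_TIMEOUT  # reject tokens older than the timeout
```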