13

I want Django Allauth to send links like the confirm e-mail or reset password with https:

Something like this:

https://example.com/ca/accounts/confirm-email/picuwfpjpptjswi50x5zb4gtsqptmwkscea445kadnbsfwcyij3fdnblery4onuq/

According to the official documentation only changing the following setting in settings.py it should work:

ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"

But I keep getting the links with http instead of https like this:

http://example.com/ca/accounts/confirm-email/picuwfpjpptjswi50x5zb4gtsqptmwkscea445kadnbsfwcyij3fdnblery4onuq/

Am I missing something? Thank you!

ferrangb
  • 2,012
  • 2
  • 20
  • 34

3 Answers3

17

Digging into the code a little bit, you can see that allauth sets the activate_url template context variable using Django's build in build_absolute_uri method:

https://github.com/pennersr/django-allauth/blob/master/allauth/account/models.py#L119

...
activate_url = reverse("account_confirm_email", args=[self.key])
activate_url = request.build_absolute_uri(activate_url)
ctx = {
"activate_url": activate_url,
...
}

Looking at the code for the build_absolute_uri you can see it requires a environment variable:

https://github.com/django/django/blob/master/django/http/request.py#L153

def _get_scheme(self):
    return 'https' if os.environ.get("HTTPS") == "on" else 'http'

to return https:// in URLs generated by this function, you need to set a HTTPS environment variable.

It depends on how you have set up your project, but you can set the environment variable in your settings.py or manage.py

The following is a good post on general Django security when it comes to SSL:

EDIT

Strangely, the reset password template uses a different approach to constructing the URL:

https://github.com/pennersr/django-allauth/blob/master/allauth/account/forms.py#L428

url = '%s://%s%s' % (app_settings.DEFAULT_HTTP_PROTOCOL,
    current_site.domain,
    path)
context = {"site": current_site,
    "user": user,
    "password_reset_url": url}

using the DEFAULT_HTTP_PROTOCOL settings instead

Community
  • 1
  • 1
Timmy O'Mahony
  • 53,000
  • 18
  • 155
  • 177
  • With your solution, now the Password Reset E-mail is with https, but the Confirm E-mail Address is still with http. Any idea why? – ferrangb Sep 13 '14 at 16:31
  • Look at the update. It seems that for the password reset template a different way of constructing the URL is used. Are you sure that the variable is being set correctly? – Timmy O'Mahony Sep 13 '14 at 16:44
  • The Confirm E-mail Address message is still not working. I tried first to set the variable in settings.py (import os os.environ['HTTPS'] = "on") and then manually in the terminal (HTTPS="on"; export HTTPS), but I still get the Confirm E-mail Address messages with http. – ferrangb Sep 13 '14 at 17:19
  • Thanks to your help I managed to solve the problem! I also reported the bug and it will be solved in the next django-allauth release: https://github.com/pennersr/django-allauth/issues/717 Thank you! :) – ferrangb Sep 16 '14 at 16:20
2

Besides setting the "HTTPS" environment variable and SECURE_PROXY_SSL_HEADER SECURE_SSL_REDIRECT, also seems that can be problem when rendering template and sending mail with EmailMultiAlternatives() when .txt body is used as is in adapter.py render_mail() [1]: https://github.com/pennersr/django-allauth/blob/master/allauth/account/adapter.py

for ext in ["html", "txt"]:
        try:
            template_name = "{0}_message.{1}".format(template_prefix, ext)
            bodies[ext] = render_to_string(
                template_name,
                context,
                self.request,
            ).strip()
        except TemplateDoesNotExist:
            if ext == "txt" and not bodies:
                # We need at least one body
                raise
    if "txt" in bodies:
        msg = EmailMultiAlternatives(subject, bodies["txt"], from_email, to)
        if "html" in bodies:
            msg.attach_alternative(bodies["html"], "text/html")
    else:
        msg = EmailMessage(subject, bodies["html"], from_email, to)
        msg.content_subtype = "html"  # Main content is now text/html
    return msg

For example print(bodies[ext]) gave:

  "To confirm this is correct, go to " https://127.0.0.1:8000/accounts/confirm-email/MjI:1kS0Mj:M5YfUf9-1Vg_TlgjVrK6vAtaLDE/ "

but on email is still http://

 http://url7514.sitename/ls/click?upn=HJL2SSWV...

With most devices also this worked since should be redirected still to https://, but on some didn't, so had to change in default templates/account/email/email_confirmation_message.txt to html extension, after result :

To confirm this is correct, go to https://sitename/accounts/confirm-email/M...

zoran
  • 21
  • 3
2

If you use django behind a proxy, you have to send https headers to django. What works for me in apache2 was to put this on apache2

<VirtualHost *:443>
  RequestHeader set X-Forwarded-Proto 'https' env=HTTPS

After adding headers mod:

a2enmod headers

And this on django setting.py:

USE_X_FORWARDED_HOST = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

With this all my build_absolute_uri started with https, and the same for templates, this include password recovery and auth mails.

user3486626
  • 139
  • 1
  • 6