> For the complete documentation index, see [llms.txt](https://apidocs.akinon.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://apidocs.akinon.com/commerce/users/password-and-otp-operations.md). # Password & OTP Operations ### `POST` Set New Password This endpoint enables authenticated users to set a password for the first time if they are new users or if their account currently lacks a usable password. **Path:** `/users/password/set/` **Authentication Required:** Yes **Headers:** ``` Content-Type: application/json Accept-Language: x-csrftoken: Cookie: = ``` **Body Parameters** | Property | Data Type | Required | Description | | -------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------- | | new\_password1 | String | True | The new password the user wants to set, which must comply with the [password validation rules](#password-validation-rules). | | new\_password2 | String | True | Confirmation of the new password, which must match `new_password1`. | **Request Body** ```json { "new_password1": "MyNewSecurePassword123!", "new_password2": "MyNewSecurePassword123!" } ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users/password/set/" headers = { 'Content-Type': 'application/json', 'X-CSRFToken': '', 'Cookie': '=' } payload = json.dumps({ "new_password1": "MyNewSecurePassword123!", "new_password2": "MyNewSecurePassword123!" }) response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (200 OK)** ```json { "success": "Your password has been set successfully." } ``` **Example Response (302 Redirect)** If the user already has a usable password, they are redirected to the change password page to update their existing password: ```json { "redirect_url": "/account/change-password/" } ``` If the user is anonymous, they are redirected to the specified home page: ```json { "redirect_url": "/home/" } ``` **Example Response (400 Bad Request)** ```json { "new_password2": ["The two password fields didn’t match."] } ``` ### `POST` Change Password This endpoint is used to change the user's password. Once the password change is successful, a confirmation email will be sent to the user’s registered email address. The user must be authenticated to access this endpoint. **Path:** `/users/password/change/` **Authentication Required:** Yes **Headers:** ``` Content-Type: `application/json` Accept-Language: Cookie: = x-csrftoken: ``` **Body Parameters** | Property | Data Type | Required | Description | | -------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------ | | old\_password | string | True | The user’s current password. | | new\_password1 | string | True | The new password that the user wants to set. It should meet the password policy criteria (e.g., minimum length, special characters, etc.). | | new\_password2 | string | True | A confirmation of the new password. This field must match `new_password1` to ensure the user has entered the correct password. | **Request Body** ```json { "old_password": "old_pass", "new_password1": "new_pass", "new_password2": "new_pass" } ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users/password/change/" payload = json.dumps({ "old_password": "oldpass", "new_password1": "newpass", "new_password2": "newpass" }) headers = { 'Content-Type': 'application/json', 'Accept-Language: '', 'Cookie': '=', 'x-csrftoken': '' } response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (200 OK)** If the request is successfully processed and the password is updated, the response will contain a success message confirming that the password has been changed. ```json { "success": "New password has been saved." } ``` **Example Response (400 Bad Request)** When the `old_password` provided is incorrect: ```json { "old_password": [ "Invalid password." ] } ``` When the `new_password1` and `new_password2` fields do not match: ```json { "new_password2": [ "The two password fields didn't match." ] } ``` ### `POST` Initiate Password Reset This endpoint is used to initiate a password reset process by sending a password reset email to the user. If the email provided in the request body is registered in the system, the user will receive an email with instructions on how to reset their password. **Path:** `/users/password/reset/` **Authentication Required:** No **Headers:** ``` Content-Type: application/json Accept-Language: x-csrftoken: ``` **Body Parameters** | Property | Data Type | Required | Description | | -------- | --------- | -------- | --------------------------------------------------------------------------------------------------- | | email | string | True | The email address associated with the user account for which the password reset is being requested. | **Request Body** ```json { "email": "" } ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users/password/reset/" payload = json.dumps({ "email": "" }) headers = { 'Content-Type': 'application/json', 'Accept-Language: '', 'x-csrftoken': '' } response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (200 OK)** If the email address provided is valid and associated with an account, the response body will contain a success message. ```json { "success": "Password reset e-mail has been sent. } ``` **Example Response (400 Bad Request)** When the provided email address is invalid or not formatted correctly: ```json { "email": [ "Enter a valid email address." ] } ``` ### `GET` Validate Password Reset URL This endpoint verifies if a given password reset URL is valid. The URL is typically generated when a user requests a password reset and is included in an email sent to the user. The validity of the link ensures that the reset process is secure and can only be accessed within a specific timeframe or if the token is unaltered. The parameters in the path `` and `` are generated and sent by the Commerce system. **Path:** `/users/api-reset///` **Authentication Required:** No **Headers:** ``` Accept-Language: ``` **Example Request** ```py import requests headers = { 'Accept-Language': '' } url = "https://{commerce_url}/users/api-reset///" response = requests.get(url) print(response.json()) ``` **Example Response (200 OK)** ```json { "validlink": true } ``` **Response Parameters** | Property | Data Type | Description | | --------- | --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | validlink | Boolean | Indicates whether the password reset URL is valid. A value of `true` means the URL is valid, while `false` indicates the link is expired or invalid. | ### `POST` Complete Password Reset with JSON Response This endpoint allows users to reset their password by providing a new password and its confirmation. It uses the unique `uidb64` and `token` parameters from the password reset email to identify the user and ensure the request's validity. This API ensures that both passwords match and comply with the application's password rules before the change is finalized. **Path:** `/users/api-reset///` **Authentication Required:** No **Headers:** ``` Content-Type: application/json Accept-Language: x-csrftoken: ``` **Body Parameters** | Property | Data Type | Required | Description | | -------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------- | | new\_password1 | string | True | The new password that the user wants to set. It must adhere to password policy rules, such as length or complexity. | | new\_password2 | string | True | The confirmation of the new password. Both `new_password1` and `new_password2` must match. | **Request Body** ```json { "new_password1": "StrongP@ssw0rd", "new_password2": "StrongP@ssw0rd" } ``` **Example Request** ```py import requests url = "https://{commerce_url}/users/api-reset///" payload = 'new_password1=StrongP%40ssw0rd&new_password2=StrongP%40ssw0rd' headers = { 'x-requested-with': 'XMLHttpRequest', 'Accept-Language': '', 'x-csrftoken': '', 'Content-Type': 'application/x-www-form-urlencoded' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text) ``` **Example Response (200 OK)** Indicates that the password has been successfully reset. ```json {} ``` **Example Response (400 Bad Request)** Indicates issues with the input, such as mismatched passwords. ```javascript { "errors": { "new_password2": [ "İki parola alanı uyuşmadı." ] }, "validlink": true } ``` ### `POST` Complete Password Reset with HTML Response This endpoint allows users to set a new password after receiving a password reset email. The user must provide a new password and confirm it by entering it again. The parameters in the path `` and `` are generated and sent by the Commerce system. **Path:** `/users/reset///` **Authentication Required:** Yes **Headers:** ``` Content-Type: application/json Accept-Language: Cookie: = x-csrftoken: ``` **Body Parameters** | Property | Data Type | Required | Description | | -------------- | --------- | -------- | ------------------------------------------------------------------------------------------------------ | | new\_password1 | string | True | The new password for the user. It should meet the password policy criteria (e.g., length, complexity). | | new\_password2 | string | True | A confirmation of the new password. It must match new\_password1 for the change to be applied. | **Request Body** ```json { "new_password1": "", "new_password2": "" } ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users/reset///" payload = json.dumps({ "new_password1": "newpass", "new_password2": "newpass" }) headers = { 'Content-Type': 'application/json' } response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (200 OK)** No content is returned when the request is successful. ### `POST` Confirm Password Reset This endpoint enables users to confirm a password reset by submitting a valid token and UID. Upon successful confirmation, the user's password will be updated. **Path:** `/users/password/reset/confirm/` **Authentication Required:** No **Headers:** ``` Content-Type: application/json Accept-Language: x-csrftoken: ``` **Body Parameters** | Property | Data Type | Required | Description | | -------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------- | | uid | String | True | The user ID, encoded in Base64, used as part of the password reset confirmation process. | | token | String | True | The unique token sent to the user's email for confirming password reset. | | new\_password1 | String | True | The new password the user wants to set, which must comply with the [password validation rules](#password-validation-rules). | | new\_password2 | String | True | Confirmation of the new password, which must match `new_password1`. | **Request Body** ```json { "uid": "MjM1", "token": "6w7-125c153fa562fcd3887e", "new_password1": "NewPassword123!", "new_password2": "NewPassword123!" } ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users/password/reset/confirm/" headers = { 'Content-Type': 'application/json', 'Accept-Language': '' } payload = json.dumps({ "uid": "MjM1", "token": "6w7-125c153fa562fcd3887e", "new_password1": "NewPassword123!", "new_password2": "NewPassword123!" }) response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (200 OK)** ```json { "success": "Password has been reset with the new password." } ``` **Example Response (400 Bad Request)** If the passwords do not match: ```json { "new_password2": [ "The two password fields didn't match." ] } ``` If the token is invalid or expired: ```json { "token": [ "Invalid value" ] } ``` If the UID is invalid: ```json { "uid": [ "Invalid value" ] } ``` If the password does not match the validation rules: ```json { "new_password1": ["This password is too short. It must contain at least 8 characters."] } ``` ### `GET` Password Reset Confirmation Page This endpoint serves an HTML page informing users that their password reset process has been successfully completed. The page includes a link to the login page, where users can log in using their new password. The login URL can be configured by using the `LOGIN_URL` Django project setting. By default, the login URL is `/login/`. **Path:** `/users/reset/done/` **Authentication Required:** No **Headers:** ``` Content-Type: application/json Accept-Language: ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users/reset/done/" headers = { 'Content-Type': 'application/json', 'Accept-Language': '' } response = requests.get(url, headers=headers) print(response.text) ``` **Example Response (200 OK)** HTML file is returned for informing the user of a successful password reset and provides a link to the login page. ### `POST` Password Reset Request with Phone Number This endpoint enables users to request a password reset by providing their registered phone number. If the phone number matches an active user account, a password reset SMS will be sent. **Path:** `/users/password/reset-with-phone/` **Authentication Required:** No **Headers:** ``` Content-Type: application/json Accept-Language: x-csrftoken: ``` **Body Parameters** | Property | Data Type | Required | Description | | -------- | --------- | -------- | -------------------------------------------------- | | phone | String | True | The phone number associated with the user account. | **Request Body** ```json { "phone": "1234567890" } ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users/password/reset-with-phone/" headers = { 'Content-Type': 'application/json', 'Accept-Language: '', 'x-csrftoken': '' } payload = json.dumps({ "phone": "1234567890" }) response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (200 OK)** ```json { "success": "If the phone number you specified is registered, a password reset sms has been sent." } ``` ### `POST` Set Password with OTP This endpoint enables authenticated users to set or reset their password through SMS OTP verification. The process involves validating the user's phone number, with the option to resend the OTP if necessary. Additionally, for the system to send SMS OTP, the `SMS_GATEWAY` and `SMS_GATEWAYS` dynamic settings must be properly configured. Ensure the correct SMS gateway provider is set up in the application settings, and verify that the gateway is operational. **Path:** `/users/password-sms-otp/set/` **Authentication Required:** Yes **Headers:** ``` Content-Type: application/json Accept-Language: x-csrftoken: Cookie: = ``` **Body Parameters** | Property | Data Type | Required | Description | | --------- | --------- | -------- | ------------------------------------------------------------------------------------------ | | password1 | String | True | The new password for the user. | | password2 | String | True | Confirmation of the new password, which must match `password1.` | | phone | String | True | The user's phone number, which must be unique and validated using a regex pattern. | | code | String | False | The SMS verification code used for confirming the phone number. | | resend | Boolean | False | A flag indicating whether the SMS verification code should be resent. Defaults to `false`. | {% hint style="warning" %} Sending only the **phone number** in the request body triggers the system to send an OTP code.\ Providing both the **phone number** and **OTP code** in the request body initiates OTP verification. {% endhint %} **Request Body** ```json { "password1": "SecurePassword123", "password2": "SecurePassword123", "phone": "+1234567890", "code": "123456" } ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users/password-sms-otp/set/" headers = { 'Content-Type': 'application/json', 'Accept-Language': '', 'x-csrftoken': '' } payload = json.dumps({ "password1": "SecurePassword123", "password2": "SecurePassword123", "phone": "+1234567890", "code": "123456" }) response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (200 OK)** ```json { "messsage": "New password has been saved." } ``` **Example Response (202 Accepted)** ```json { "password1": "SecurePassword123", "password2": "SecurePassword123", "phone": "+1234567890", "code": "123456" } ``` **Example Response (406 Not Acceptable)** ```json { "non_field_errors": "Sms otp code expired. Please resend code.", "error_code": "sms_verification_100_4" } ``` ```json { "non_field_errors": "Phone numbers do not match.", "error_code": "sms_verification_100_1" } ``` ```json { "non_field_errors": "Verification codes do not match.", "error_code": "sms_verification_100_2" } ``` ### `POST` User OTP Login This endpoint allows users to log in using an OTP (One-Time Password) sent to their registered phone number. The user must provide their phone number, and optionally the OTP code to verify the login. For OTP login to function, `PhoneNumberAuthenticationBackend` must be included in the `AUTHENTICATION_BACKENDS` environment variable. Additionally, for the system to send SMS OTP, the `SMS_GATEWAY` and `SMS_GATEWAYS` dynamic settings must be properly configured. Ensure the correct SMS gateway provider is set up in the application settings, and verify that the gateway is operational. **Path:** `/users/otp-login` **Authentication Required:** True **Headers:** ``` Content-Type: application/json Accept-Language: x-csrftoken: ``` **Body Parameters** | Property | Data Type | Required | Description | | -------- | --------- | -------- | ------------------------------------------------------------------------ | | phone | String | True | The phone number registered in the system to which the OTP will be sent. | | code | String | False | The OTP code sent to the user's phone. If provided, it will be verified. | | resend | Boolean | False | If `true`, a new OTP code will be sent to the user's phone. | {% hint style="warning" %} Sending only the **phone number** in the request body will trigger the OTP code to be sent.\ If both the **phone number** and **OTP code** are provided, the code will be verified, and the user will be logged in upon successful verification. {% endhint %} **Request Body** ```json { "phone": "5300000000", "code": "12345" } ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users/otp-login/" headers = { 'Content-Type': 'application/json', 'Accept-Language: '', 'x-csrftoken': '' } payload = json.dumps({ "phone": "5300000000", "code": "12345" }) response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (302 Found)** ```json {} ``` **Example Response (400 Bad Request)** ```json { "phone": [ "This field is required." ] } ``` ### `POST` User Passwordless Login with Token This endpoint allows users to log in without a password by using a valid Django REST Framework authentication token. The token must be associated with an active user. Upon successful login, a session is created for the user, allowing them to remain logged in until they log out or the session expires. **Path:** `/users/passwordless-login-with-token/` **Authentication Required:** No **Headers:** ``` Content-Type: application/json Accept-Language: ``` **Body Parameters** | Property | Data Type | Required | Description | | -------- | --------- | -------- | ------------------------------------------------------------------------------------------------------- | | user | Integer | True | The ID of the user attempting to log in. | | token | String | True | The Django REST Framework authentication token, which must be valid and associated with an active user. | **Request Body** ```json { "user": 123, "token": "abc123token" } ``` **Example Request** ```py import requests import json url = "https://{commerce_url}/users//users/passwordless-login-with-token/" headers = { 'Content-Type': 'application/json', 'Accept-Language': '', } payload = json.dumps({ "user": 123, "token": "abc123token" }) response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (200 OK)** ```json {} ``` **Example Response (400 Bad Request)** If the token is invalid or the user ID does not exist: ```json {} ``` ### `GET` User Passwordless Login with One-Time Token This endpoint allows users to log in without a password by clicking a link containing a one-time token generated by the Commerce OneTimeTokenGenerator. After the token is verified, the user is redirected to a specified URL or a default destination. **Path:** `/users/passwordless-login//` **Authentication Required:** No **Headers:** ``` Content-Type: application/json Accept-Language: ``` **Query Parameters** | Property | Data Type | Required | Description | | ----------- | --------- | -------- | -------------------------------------------------------------------------------------------- | | user | Integer | True | The ID of the user attempting to log in. | | secret\_key | String | True | The secret key used to validate the one-time token. | | next | String | False | The URL to redirect to after successful login, defaulting to the home page if not specified. | **Example Request** ```py import requests import json url = "https://{commerce_url}/users/passwordless-login/15jz-595a80xxxxa15a7b9f/?user=41xx79&secret_key=testsecretkey&next=/dashboard" headers = { 'Content-Type': 'application/json', 'Accept-Language': '', } response = requests.post(url, headers=headers, data=payload) print(response.text) ``` **Example Response (302 Redirect)** If the login is successful, the user is redirected to the specified next URL or the default home page. ```json {} ``` ## Password Validation Rules Akinon Commerce uses the dynamic setting `AUTH_PASSWORD_VALIDATORS` to enforce password policies.
By default, this configuration includes a minimum length validation (4 characters). If the provided password fails validation, Commerce returns a `400` response with the relevant error message. Below is the list of supported validators and their configuration options: ### **Maximum Length** Validates that the password does not exceed a specified maximum length. * **Example Options:** ```json {"max_length": 10} ``` * **Error Message:**\ `Password can contain maximum {max_length} characters.` *** ### **Minimum Capital Letter** Ensures the password contains at least a specified number of uppercase letters. * **Example Options:** ```json {"min_occurances": 1} ``` * **Error Message:**\ `Your password must contain at least {min_occurances} capital letters.` *** ### **Minimum Lowercase Letter** Ensures the password contains at least a specified number of lowercase letters. * **Example Options:** ```json {"min_occurances": 1} ``` * **Error Message:**\ `Your password must contain at least {min_occurances} lowercase letters.` *** ### **Minimum Letter** Ensures the password contains at least a specified number of letters (uppercase or lowercase). * **Example Options:** ```json {"min_occurances": 1} ``` * **Error Message:**\ `Your password must contain at least {min_occurances} letters.` *** ### **Minimum Number** Ensures the password contains at least a specified number of digits. * **Example Options:** ```json {"min_occurances": 1} ``` * **Error Message:**\ `Your password must contain at least {min_occurances} numbers.` *** ### **Minimum Special Character** Ensures the password contains at least a specified number of special characters. * **Example Options:** ```json {"min_occurances": 1} ``` * **Error Message:**\ `Your password must contain at least {min_occurances} special characters.` *** ### **Previously Used Password** Compares the new password with previously used passwords within a specific time frame. * **Example Options:** ```json {"old_password_count": 3, "expiration_day_count": 90} ``` * **Error Message:**\ `Your new password must be different from your previous {old_password_count} passwords.` *** ### **Old Password Count** Compares the new password with the last N previously used passwords. * **Example Options:** ```json {"old_password_count": 3} ``` * **Error Message:**\ `Your new password must be different from your last {old_password_count} passwords.` *** ### **User Attribute Similarity** Validates that the password is not too similar to specific user attributes (e.g., username, email). Attributes with empty values are ignored. * **Default Configuration:** ```json { "user_attributes": ["username", "first_name", "last_name", "email"], "max_similarity": 0.7 } ``` * **Acceptable `max_similarity` Range:** `0.1` (strict) to `1.0` (only blocks exact matches) * **Example Options:** ```json {"user_attributes": ["phone"], "max_similarity": 1} ``` * **Error Message:**\ `The password is too similar to the {attribute_name}.` *** ### **Minimum Length** Ensures the password meets the specified minimum length requirement. * **Example Options:** ```json {"min_length": 4} ``` * **Error Message:**\ `This password is too short. It must contain at least {min_length} characters.` *** ### **Common Password** Prevents the use of passwords from the common passwords list ([Source List](https://gist.github.com/roycewilliams/226886fd01572964e1431ac8afc999ce)). * **Options:** Empty * **Error Message:**\ `This password is too common.` *** ### **Numeric Password** Blocks passwords that are composed only of digits. * **Options:** Empty * **Error Message:**\ `This password is entirely numeric.` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://apidocs.akinon.com/commerce/users/password-and-otp-operations.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.