Django allauth not sending links with https
I want Django Allauth to send links, like the confirmation email or password reset, with https. Something like this:
https://example.com/ca/accounts/confirm-email/picuwfpjpptjswi50x5zb4gtsqptmwkscea445kadnbsfwcyij3fdnblery4onuq/
According to the official documentation, only changing the following setting in settings.py should work:
ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
But I keep getting links with http instead of https, like this:
http://example.com/ca/accounts/confirm-email/picuwfpjpptjswi50x5zb4gtsqptmwkscea445kadnbsfwcyij3fdnblery4onuq/
Am I missing something? Thanks!
Digging into the code a bit, you can see that allauth sets the template context variable activate_url using Django's build_absolute_uri method:
https://github.com/pennersr/django-allauth/blob/master/allauth/account/models.py#L119
...
activate_url = reverse("account_confirm_email", args=[self.key])
activate_url = request.build_absolute_uri(activate_url)
ctx = {
    "activate_url": activate_url,
    ...
}
Looking at the code for build_absolute_uri, you can see that it requires an environment variable:
https://github.com/django/django/blob/master/django/http/request.py#L153
def _get_scheme(self):
    return 'https' if os.environ.get("HTTPS") == "on" else 'http'
In order to return https:// in URLs generated by this function, you need to set an environment variable HTTPS.
It depends on how you set up your project, but you can set the environment variable in settings.py or manage.py.
Below is a good article on general Django security when it comes to SSL:
EDIT
Strangely, the reset template takes a different approach to URL construction:
https://github.com/pennersr/django-allauth/blob/master/allauth/account/forms.py#L428
url = '%s://%s%s' % (app_settings.DEFAULT_HTTP_PROTOCOL,
                     current_site.domain,
                     path)
context = {"site": current_site,
           "user": user,
           "password_reset_url": url}
using the DEFAULT_HTTP_PROTOCOL setting instead.
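The two code paths quoted in the answer above, modelled as an added stand-alone example (not allauth's or Django's own code; the function names, the reset path and the sample key are constructed for illustration). It shows that the confirmation link takes its scheme from the request while the reset link takes it from the setting, and `insecure_links` is a check that can be run over rendered email bodies to catch one-time tokens sent in http:// links.

```python
import re
from urllib.parse import urlsplit

# Assumed stand-ins for ACCOUNT_DEFAULT_HTTP_PROTOCOL and current_site.domain.
DEFAULT_HTTP_PROTOCOL = "https"
SITE_DOMAIN = "example.com"
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def request_scheme(environ):
    """Scheme as in the quoted _get_scheme: https only when HTTPS == "on"."""
    return "https" if environ.get("HTTPS") == "on" else "http"


def confirmation_url(environ, key):
    """Confirmation path: the scheme follows the request, not the setting."""
    path = "/accounts/confirm-email/%s/" % key
    return "%s://%s%s" % (request_scheme(environ), SITE_DOMAIN, path)


def password_reset_url(path):
    """Reset path: the scheme follows the setting, as in the quoted forms.py."""
    return "%s://%s%s" % (DEFAULT_HTTP_PROTOCOL, SITE_DOMAIN, path)


def insecure_links(body):
    """Return every link in a rendered email body that is not https."""
    return [u for u in URL_RE.findall(body) if urlsplit(u).scheme != "https"]


def demo():
    key = "CONSTRUCTED-KEY"  # constructed sample token
    plain = confirmation_url({}, key)                # HTTPS variable unset
    secure = confirmation_url({"HTTPS": "on"}, key)  # HTTPS variable set
    reset = password_reset_url("/accounts/password/reset/key/CONSTRUCTED/")
    bodies = {
        "confirm_https_unset": "Confirm: " + plain + "\n",
        "confirm_https_on": "Confirm: " + secure + "\n",
        "reset": "Reset: " + reset + "\n",
    }
    return {name: insecure_links(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, bad in demo().items():
        print(name, "->", bad or "ok")
```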