
feat(api): require CAPTCHA for password request reset

Nils Wisiol 5 éve
szülő
commit
2b43c15175

+ 4 - 0
api/desecapi/serializers.py

@@ -557,6 +557,10 @@ class ChangeEmailSerializer(serializers.Serializer):
         return value
 
 
+class ResetPasswordSerializer(EmailSerializer):
+    captcha = CaptchaSolutionSerializer(required=True)
+
+
 class CustomFieldNameUniqueValidator(UniqueValidator):
     """
     Does exactly what rest_framework's UniqueValidator does, however allows to further customize the
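Review bot: `ResetPasswordSerializer` only declares the nested `captcha` field; whether one solved challenge can be replayed across many reset requests depends on `CaptchaSolutionSerializer` consuming the captcha on its first successful check and rejecting expired ids, none of which is visible here — confirm it is single-use, otherwise a single solved captcha still allows bulk reset-mail sending. The new class also has no docstring; a one-liner such as `"""Password-reset request: an email address plus a solved CAPTCHA, required so reset mails cannot be triggered in bulk."""` would record why the field is mandatory. With `required=True` a request lacking the `captcha` object fails at validation, assuming the consuming view calls `is_valid` before acting.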

+ 4 - 2
api/desecapi/tests/test_user_management.py

@@ -50,9 +50,10 @@ class UserManagementClient(APIClient):
     def logout(self, token):
         return self.post(reverse('v1:logout'), HTTP_AUTHORIZATION=f'Token {token}')
 
-    def reset_password(self, email):
+    def reset_password(self, email, captcha_id, captcha_solution):
         return self.post(reverse('v1:account-reset-password'), {
             'email': email,
+            'captcha': {'id': captcha_id, 'solution': captcha_solution},
         })
 
     def change_email(self, email, password, **payload):
@@ -105,7 +106,8 @@ class UserManagementTestCase(DesecTestCase, PublicSuffixMockMixin):
         return self.client.logout(token)
 
     def reset_password(self, email):
-        return self.client.reset_password(email)
+        captcha_id, captcha_solution = self.get_captcha()
+        return self.client.reset_password(email, captcha_id, captcha_solution)
 
     def change_email(self, new_email):
         return self.client.change_email(self.email, self.password, new_email=new_email)
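Review bot: both helpers now always obtain a fresh, valid captcha via `self.get_captcha()`, so the suite still exercises only the accepted path and nothing asserts that a reset request with a missing, wrong or already-used captcha solution is rejected and sends no mail. Add a negative case next to the helper, e.g. `self.client.reset_password(self.email, captcha_id, 'wrong')` and a call that omits the `captcha` key entirely, each asserting a 400 response and an empty outbox. `get_captcha` and the existing reset-password tests lie outside this hunk, so the exact assertion style should follow those.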

+ 1 - 1
api/desecapi/views.py

@@ -485,7 +485,7 @@ class AccountChangeEmailView(generics.GenericAPIView):
 
 
 class AccountResetPasswordView(generics.GenericAPIView):
-    serializer_class = serializers.EmailSerializer
+    serializer_class = serializers.ResetPasswordSerializer
 
     def post(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.data)
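Review bot: swapping in `ResetPasswordSerializer` only gates the reset on the captcha if `post` validates before it looks up the account and queues the mail; the rest of `post` is outside this hunk, so confirm `serializer.is_valid(raise_exception=True)` runs ahead of any side effect. It is also worth checking that a captcha failure and an unknown address produce responses that do not let a caller distinguish whether the email exists, since the captcha error is raised at validation while the lookup presumably happens later.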