Improvements in Django's change/reset password flow

Nicholas Fiorentini
May 21, 2018, 3:28:27 PM
to Django developers (Contributions to Django itself)
Hi there,

While working on the change password/reset password UI/UX for a SaaS implemented with Django, I noticed there is a lack of information being logged when someone requests a password reset or changes their own password. Such logging could be really useful both to better assist the end user (i.e., the help desk could check the proper execution of the reset flow) and to monitor abuses or malicious behaviour (as referred to in https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet#Step_5.29_Logging).

Furthermore, I also added a final email confirmation when the password change ends with success, so the user is always notified of their own actions.


To implement such features I had to manually extend the default views and forms; notably, I had to override the form's save method. This is not optimal, since I have to manually check for security issues in the original Django implementation and manually update my code accordingly.

It would really be a better solution if the default views and forms already provided a way to log those events and allowed customising the messages (i.e., for integration with a log collector).


I'm open to more insight and suggestions on this topic.


Thanks.
