Add password reset functionality.

app/auth/forms.py

@@ -35,6 +35,13 @@ class RegistrationForm(FlaskForm):
             raise ValidationError('Username already in use.')
 
 
+class PasswordResetForm(FlaskForm):
+    password = PasswordField('New Password', validators=[
+        DataRequired(), EqualTo('password2', message='Passwords must match')])
+    password2 = PasswordField('Confirm password', validators=[DataRequired()])
+    submit = SubmitField('Reset Password')
+
+
 class PasswordResetRequestForm(FlaskForm):
     email = StringField('Email', validators=[DataRequired(), Length(1, 64),
                                              Email()])

app/auth/views.py

@@ -2,7 +2,7 @@ from flask import flash, redirect, render_template, request, url_for
 from flask_login import current_user, login_required, login_user, logout_user
 from . import auth
 from .. import db
-from .forms import LoginForm, PasswordResetRequestForm, RegistrationForm
+from .forms import LoginForm, PasswordResetForm, PasswordResetRequestForm, RegistrationForm
 from ..email import send_email
 from ..models import User
 
@@ -64,6 +64,17 @@ def password_reset_request():
                            title='Password Reset')
 
 
-@auth.route('/reset/<token>')
+@auth.route('/reset/<token>', methods=['GET', 'POST'])
 def password_reset(token):
-    return 'test'
+    if not current_user.is_anonymous:
+        return redirect(url_for('main.index'))
+    form = PasswordResetForm()
+    if form.validate_on_submit():
+        if User.reset_password(token, form.password.data):
+            db.session.commit()
+            flash('Your password has been updated.')
+            return redirect(url_for('auth.login'))
+        else:
+            return redirect(url_for('main.index'))
+    return render_template('auth/reset_password.html.j2', form=form,
+                           title='Password Reset')

app/models.py

@@ -32,6 +32,20 @@ class User(UserMixin, db.Model):
         s = Serializer(current_app.config['SECRET_KEY'], expiration)
         return s.dumps({'reset': self.id}).decode('utf-8')
 
+    @staticmethod
+    def reset_password(token, new_password):
+        s = Serializer(current_app.config['SECRET_KEY'])
+        try:
+            data = s.loads(token.encode('utf-8'))
+        except:
+            return False
+        user = User.query.get(data.get('reset'))
+        if user is None:
+            return False
+        user.password = new_password
+        db.session.add(user)
+        return True
+
     @property
     def password(self):
         raise AttributeError('password is not a readable attribute')

app/templates/auth/reset_password.html.j2

@@ -7,10 +7,27 @@
       <span class="card-title">Reset Your Password</span>
       <form method="POST">
         {{ form.hidden_tag() }}
+        {% if form.email is defined %}
         <div class="input-field">
           {{ form.email(class='validate', type='email') }}
           {{ form.email.label }}
         </div>
+        {% endif %}
+        {% if form.password is defined %}
+        <div class="input-field">
+          {{ form.password(class='validate', type='password') }}
+          {{ form.password.label }}
+          {% for error in form.password.errors %}
+            <span class="helper-text" style="color:red;">{{ error }}</span>
+          {% endfor %}
+        </div>
+        {% endif %}
+        {% if form.password2 is defined %}
+        <div class="input-field">
+          {{ form.password2(class='validate', type='password') }}
+          {{ form.password2.label }}
+        </div>
+        {% endif %}
         <div class="card-action">
           {{ form.submit(class='btn right') }}
         </div>