Django allauth not sending links with https
Digging into the code a little bit, you can see that allauth
sets the activate_url
template context variable using Django's build in build_absolute_uri
method:
https://github.com/pennersr/django-allauth/blob/master/allauth/account/models.py#L119
...
activate_url = reverse("account_confirm_email", args=[self.key])
activate_url = request.build_absolute_uri(activate_url)
ctx = {
"activate_url": activate_url,
...
}
Looking at the code for the build_absolute_uri
you can see it requires a environment variable:
https://github.com/django/django/blob/master/django/http/request.py#L153
def _get_scheme(self):
return 'https' if os.environ.get("HTTPS") == "on" else 'http'
to return https://
in URLs generated by this function, you need to set a HTTPS
environment variable.
It depends on how you have set up your project, but you can set the environment variable in your settings.py
or manage.py
The following is a good post on general Django security when it comes to SSL:
- https://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure
EDIT
Strangely, the reset password template uses a different approach to constructing the URL:
https://github.com/pennersr/django-allauth/blob/master/allauth/account/forms.py#L428
url = '%s://%s%s' % (app_settings.DEFAULT_HTTP_PROTOCOL,
current_site.domain,
path)
context = {"site": current_site,
"user": user,
"password_reset_url": url}
using the DEFAULT_HTTP_PROTOCOL
settings instead