Django allauth not sending links with https

Digging into the code a little bit, you can see that allauth sets the activate_url template context variable using Django's build in build_absolute_uri method:

https://github.com/pennersr/django-allauth/blob/master/allauth/account/models.py#L119

...
activate_url = reverse("account_confirm_email", args=[self.key])
activate_url = request.build_absolute_uri(activate_url)
ctx = {
"activate_url": activate_url,
...
}

Looking at the code for the build_absolute_uri you can see it requires a environment variable:

https://github.com/django/django/blob/master/django/http/request.py#L153

def _get_scheme(self):
    return 'https' if os.environ.get("HTTPS") == "on" else 'http'

to return https:// in URLs generated by this function, you need to set a HTTPS environment variable.

It depends on how you have set up your project, but you can set the environment variable in your settings.py or manage.py

The following is a good post on general Django security when it comes to SSL:

https://security.stackexchange.com/questions/8964/trying-to-make-a-django-based-site-use-https-only-not-sure-if-its-secure

EDIT

Strangely, the reset password template uses a different approach to constructing the URL:

https://github.com/pennersr/django-allauth/blob/master/allauth/account/forms.py#L428

url = '%s://%s%s' % (app_settings.DEFAULT_HTTP_PROTOCOL,
    current_site.domain,
    path)
context = {"site": current_site,
    "user": user,
    "password_reset_url": url}

using the DEFAULT_HTTP_PROTOCOL settings instead

Django allauth not sending links with https

Tags:

Https

Django

Django Allauth

Related

Recent Posts