✨ Feat: [#101] 비밀번호 재설정 기능 구현 완료

users/views.py

@@ -40,6 +40,7 @@ from github import Github, GithubException
 
 CACHE_TIMEOUT = 60 * 60
 PAGE_SIZE = 20
+PASSWORD_RESET_USED_JTI_TTL = 60 * 10
 
 class RefreshAPIView(APIView):
     permission_classes = [AllowAny]
@@ -388,6 +389,48 @@ class LoginAPIView(APIView):
         else: # id, 비번 둘 중 하나가 틀렸을 때
             return Response({"message": "아이디 혹은 비밀번호가 맞지 않습니다."}, status=status.HTTP_400_BAD_REQUEST)
 
+
+class PasswordResetAPIView(APIView):
+    permission_classes = [IsAuthenticated, IsPasswordResetToken]
+
+    # 비밀번호 재설정
+    @transaction.atomic
+    def post(self, request):
+        new_password = request.data.get("new_password")
+
+        if not new_password:
+            return Response({"message": "no new_password", "is_new_password": None})
+
+        token = request.auth
+        jti = token.get("jti")
+        user_id = token.get("user_id")
+
+        if not jti or not user_id:
+            return Response({"message": "invalid token"}, status=status.HTTP_400_BAD_REQUEST)
+
+        # 1회성 방지
+        used_key = f"pwreset-used:{jti}"
+        if cache.get(used_key):
+            return Response({"message": "token already used"}, status=status.HTTP_400_BAD_REQUEST)
+        cache.set(used_key, True, timeout=PASSWORD_RESET_USED_JTI_TTL)
+
+        user = get_object_or_404(User, id=user_id)
+
+        user.set_password(new_password)
+        user.save(update_fields=["password"])
+
+        # 쿠키에 있는 리프레시 토큰 무효화
+        try:
+            refresh = request.COOKIES.get('refresh')
+            if refresh:
+                refresh_token = RefreshToken(refresh)
+                refresh_token.blacklist()
+        except TokenError as e:
+            pass
+
+        return Response({"message": "password updated successfully"}, status=status.HTTP_200_OK)
+
+
 class CheckUserFieldDuplicateAPIView(APIView):
     permission_classes = [AllowAny]
     # 유저 필드 중복 확인