Refs #27468 -- Removed support for the pre-Django 3.1 user sessions.
Per deprecation timeline.
This commit is contained in:
Mariusz Felisiak
parent
d32a232fe9
commit
6b4941dd57
|
|
@ -190,13 +190,8 @@ def get_user(request):
|
||||||
user.get_session_auth_hash()
|
user.get_session_auth_hash()
|
||||||
)
|
)
|
||||||
if not session_hash_verified:
|
if not session_hash_verified:
|
||||||
if not (
|
request.session.flush()
|
||||||
session_hash and
|
user = None
|
||||||
hasattr(user, '_legacy_get_session_auth_hash') and
|
|
||||||
constant_time_compare(session_hash, user._legacy_get_session_auth_hash())
|
|
||||||
):
|
|
||||||
request.session.flush()
|
|
||||||
user = None
|
|
||||||
|
|
||||||
return user or AnonymousUser()
|
return user or AnonymousUser()
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -121,11 +121,6 @@ class AbstractBaseUser(models.Model):
|
||||||
"""
|
"""
|
||||||
return is_password_usable(self.password)
|
return is_password_usable(self.password)
|
||||||
|
|
||||||
def _legacy_get_session_auth_hash(self):
|
|
||||||
# RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
|
|
||||||
key_salt = 'django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash'
|
|
||||||
return salted_hmac(key_salt, self.password, algorithm='sha1').hexdigest()
|
|
||||||
|
|
||||||
def get_session_auth_hash(self):
|
def get_session_auth_hash(self):
|
||||||
"""
|
"""
|
||||||
Return an HMAC of the password field.
|
Return an HMAC of the password field.
|
||||||
|
|
|
||||||
|
|
@ -292,3 +292,6 @@ to remove usage of these features.
|
||||||
* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
|
* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
|
||||||
(encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is
|
(encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is
|
||||||
removed.
|
removed.
|
||||||
|
|
||||||
|
* Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm)
|
||||||
|
is removed.
|
||||||
|
|
|
||||||
|
|
@ -24,16 +24,6 @@ class TestAuthenticationMiddleware(TestCase):
|
||||||
self.assertIsNotNone(self.request.user)
|
self.assertIsNotNone(self.request.user)
|
||||||
self.assertFalse(self.request.user.is_anonymous)
|
self.assertFalse(self.request.user.is_anonymous)
|
||||||
|
|
||||||
def test_no_password_change_does_not_invalidate_legacy_session(self):
|
|
||||||
# RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
|
|
||||||
session = self.client.session
|
|
||||||
session[HASH_SESSION_KEY] = self.user._legacy_get_session_auth_hash()
|
|
||||||
session.save()
|
|
||||||
self.request.session = session
|
|
||||||
self.middleware(self.request)
|
|
||||||
self.assertIsNotNone(self.request.user)
|
|
||||||
self.assertFalse(self.request.user.is_anonymous)
|
|
||||||
|
|
||||||
@ignore_warnings(category=RemovedInDjango40Warning)
|
@ignore_warnings(category=RemovedInDjango40Warning)
|
||||||
def test_session_default_hashing_algorithm(self):
|
def test_session_default_hashing_algorithm(self):
|
||||||
hash_session = self.client.session[HASH_SESSION_KEY]
|
hash_session = self.client.session[HASH_SESSION_KEY]
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,7 @@ from django.apps import apps
|
||||||
from django.conf import settings
|
from django.conf import settings
|
||||||
from django.contrib.admin.models import LogEntry
|
from django.contrib.admin.models import LogEntry
|
||||||
from django.contrib.auth import (
|
from django.contrib.auth import (
|
||||||
BACKEND_SESSION_KEY, HASH_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY,
|
BACKEND_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY,
|
||||||
)
|
)
|
||||||
from django.contrib.auth.forms import (
|
from django.contrib.auth.forms import (
|
||||||
AuthenticationForm, PasswordChangeForm, SetPasswordForm,
|
AuthenticationForm, PasswordChangeForm, SetPasswordForm,
|
||||||
|
|
@ -710,27 +710,6 @@ class LoginTest(AuthViewsTestCase):
|
||||||
self.login(password='foobar')
|
self.login(password='foobar')
|
||||||
self.assertNotEqual(original_session_key, self.client.session.session_key)
|
self.assertNotEqual(original_session_key, self.client.session.session_key)
|
||||||
|
|
||||||
def test_legacy_session_key_flushed_on_login(self):
|
|
||||||
# RemovedInDjango40Warning.
|
|
||||||
user = User.objects.get(username='testclient')
|
|
||||||
engine = import_module(settings.SESSION_ENGINE)
|
|
||||||
session = engine.SessionStore()
|
|
||||||
session[SESSION_KEY] = user.id
|
|
||||||
session[HASH_SESSION_KEY] = user._legacy_get_session_auth_hash()
|
|
||||||
session.save()
|
|
||||||
original_session_key = session.session_key
|
|
||||||
self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
|
|
||||||
# Legacy session key is flushed on login.
|
|
||||||
self.login()
|
|
||||||
self.assertNotEqual(original_session_key, self.client.session.session_key)
|
|
||||||
# Legacy session key is flushed after a password change.
|
|
||||||
user.set_password('password_2')
|
|
||||||
user.save()
|
|
||||||
original_session_key = session.session_key
|
|
||||||
self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
|
|
||||||
self.login(password='password_2')
|
|
||||||
self.assertNotEqual(original_session_key, self.client.session.session_key)
|
|
||||||
|
|
||||||
def test_login_session_without_hash_session_key(self):
|
def test_login_session_without_hash_session_key(self):
|
||||||
"""
|
"""
|
||||||
Session without django.contrib.auth.HASH_SESSION_KEY should login
|
Session without django.contrib.auth.HASH_SESSION_KEY should login
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue