Refs #27468 -- Made PasswordResetTokenGenerator use SHA-256 algorithm.
This commit is contained in:
parent
27f67317da
commit
da4923ea87
|
@ -11,6 +11,7 @@ class PasswordResetTokenGenerator:
|
||||||
reset mechanism.
|
reset mechanism.
|
||||||
"""
|
"""
|
||||||
key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
|
key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
|
||||||
|
algorithm = 'sha256'
|
||||||
secret = settings.SECRET_KEY
|
secret = settings.SECRET_KEY
|
||||||
|
|
||||||
def make_token(self, user):
|
def make_token(self, user):
|
||||||
|
@ -39,7 +40,14 @@ class PasswordResetTokenGenerator:
|
||||||
|
|
||||||
# Check that the timestamp/uid has not been tampered with
|
# Check that the timestamp/uid has not been tampered with
|
||||||
if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
|
if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
|
||||||
return False
|
# RemovedInDjango40Warning: when the deprecation ends, replace
|
||||||
|
# with:
|
||||||
|
# return False
|
||||||
|
if not constant_time_compare(
|
||||||
|
self._make_token_with_timestamp(user, ts, legacy=True),
|
||||||
|
token,
|
||||||
|
):
|
||||||
|
return False
|
||||||
|
|
||||||
# Check the timestamp is within limit.
|
# Check the timestamp is within limit.
|
||||||
if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
|
if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
|
||||||
|
@ -47,7 +55,7 @@ class PasswordResetTokenGenerator:
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
def _make_token_with_timestamp(self, user, timestamp):
|
def _make_token_with_timestamp(self, user, timestamp, legacy=False):
|
||||||
# timestamp is number of seconds since 2001-1-1. Converted to base 36,
|
# timestamp is number of seconds since 2001-1-1. Converted to base 36,
|
||||||
# this gives us a 6 digit string until about 2069.
|
# this gives us a 6 digit string until about 2069.
|
||||||
ts_b36 = int_to_base36(timestamp)
|
ts_b36 = int_to_base36(timestamp)
|
||||||
|
@ -55,6 +63,10 @@ class PasswordResetTokenGenerator:
|
||||||
self.key_salt,
|
self.key_salt,
|
||||||
self._make_hash_value(user, timestamp),
|
self._make_hash_value(user, timestamp),
|
||||||
secret=self.secret,
|
secret=self.secret,
|
||||||
|
# RemovedInDjango40Warning: when the deprecation ends, remove the
|
||||||
|
# legacy argument and replace with:
|
||||||
|
# algorithm=self.algorithm,
|
||||||
|
algorithm='sha1' if legacy else self.algorithm,
|
||||||
).hexdigest()[::2] # Limit to 20 characters to shorten the URL.
|
).hexdigest()[::2] # Limit to 20 characters to shorten the URL.
|
||||||
return "%s-%s" % (ts_b36, hash_string)
|
return "%s-%s" % (ts_b36, hash_string)
|
||||||
|
|
||||||
|
|
|
@ -49,6 +49,9 @@ details on these changes.
|
||||||
* Support for the pre-Django 3.1 encoding format of cookies values used by
|
* Support for the pre-Django 3.1 encoding format of cookies values used by
|
||||||
``django.contrib.messages.storage.cookie.CookieStorage`` will be removed.
|
``django.contrib.messages.storage.cookie.CookieStorage`` will be removed.
|
||||||
|
|
||||||
|
* Support for the pre-Django 3.1 password reset tokens in the admin site (that
|
||||||
|
use the SHA-1 hashing algorithm) will be removed.
|
||||||
|
|
||||||
See the :ref:`Django 3.1 release notes <deprecated-features-3.1>` for more
|
See the :ref:`Django 3.1 release notes <deprecated-features-3.1>` for more
|
||||||
details on these changes.
|
details on these changes.
|
||||||
|
|
||||||
|
|
|
@ -56,6 +56,9 @@ Minor features
|
||||||
instead of deprecated ``PASSWORD_RESET_TIMEOUT_DAYS``, which will be removed
|
instead of deprecated ``PASSWORD_RESET_TIMEOUT_DAYS``, which will be removed
|
||||||
in Django 4.0.
|
in Django 4.0.
|
||||||
|
|
||||||
|
* The password reset mechanism now uses the SHA-256 hashing algorithm. Support
|
||||||
|
for tokens that use the old hashing algorithm remains until Django 4.0.
|
||||||
|
|
||||||
:mod:`django.contrib.contenttypes`
|
:mod:`django.contrib.contenttypes`
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
|
|
@ -86,3 +86,14 @@ class TokenGeneratorTest(TestCase):
|
||||||
# Tokens created with a different secret don't validate.
|
# Tokens created with a different secret don't validate.
|
||||||
self.assertIs(p0.check_token(user, tk1), False)
|
self.assertIs(p0.check_token(user, tk1), False)
|
||||||
self.assertIs(p1.check_token(user, tk0), False)
|
self.assertIs(p1.check_token(user, tk0), False)
|
||||||
|
|
||||||
|
def test_legacy_token_validation(self):
|
||||||
|
# RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
|
||||||
|
user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
|
||||||
|
p_old_generator = PasswordResetTokenGenerator()
|
||||||
|
p_old_generator.algorithm = 'sha1'
|
||||||
|
p_new_generator = PasswordResetTokenGenerator()
|
||||||
|
|
||||||
|
legacy_token = p_old_generator.make_token(user)
|
||||||
|
self.assertIs(p_old_generator.check_token(user, legacy_token), True)
|
||||||
|
self.assertIs(p_new_generator.check_token(user, legacy_token), True)
|
||||||
|
|
Loading…
Reference in New Issue