Refs #27468 -- Removed support for the pre-Django 3.1 password reset tokens.

Per deprecation timeline.
This commit is contained in:
Mariusz Felisiak 2021-01-11 20:31:49 +01:00
parent 831a05b185
commit 66b4046d68
3 changed files with 9 additions and 56 deletions

View File

@ -1,4 +1,4 @@
from datetime import datetime, time from datetime import datetime
from django.conf import settings from django.conf import settings
from django.utils.crypto import constant_time_compare, salted_hmac from django.utils.crypto import constant_time_compare, salted_hmac
@ -36,8 +36,6 @@ class PasswordResetTokenGenerator:
# Parse the token # Parse the token
try: try:
ts_b36, _ = token.split("-") ts_b36, _ = token.split("-")
# RemovedInDjango40Warning.
legacy_token = len(ts_b36) < 4
except ValueError: except ValueError:
return False return False
@ -48,28 +46,15 @@ class PasswordResetTokenGenerator:
# Check that the timestamp/uid has not been tampered with # Check that the timestamp/uid has not been tampered with
if not constant_time_compare(self._make_token_with_timestamp(user, ts), token): if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
# RemovedInDjango40Warning: when the deprecation ends, replace
# with:
# return False
if not constant_time_compare(
self._make_token_with_timestamp(user, ts, legacy=True),
token,
):
return False return False
# RemovedInDjango40Warning: convert days to seconds and round to
# midnight (server time) for pre-Django 3.1 tokens.
now = self._now()
if legacy_token:
ts *= 24 * 60 * 60
ts += int((now - datetime.combine(now.date(), time.min)).total_seconds())
# Check the timestamp is within limit. # Check the timestamp is within limit.
if (self._num_seconds(now) - ts) > settings.PASSWORD_RESET_TIMEOUT: if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
return False return False
return True return True
def _make_token_with_timestamp(self, user, timestamp, legacy=False): def _make_token_with_timestamp(self, user, timestamp):
# timestamp is number of seconds since 2001-1-1. Converted to base 36, # timestamp is number of seconds since 2001-1-1. Converted to base 36,
# this gives us a 6 digit string until about 2069. # this gives us a 6 digit string until about 2069.
ts_b36 = int_to_base36(timestamp) ts_b36 = int_to_base36(timestamp)
@ -77,10 +62,7 @@ class PasswordResetTokenGenerator:
self.key_salt, self.key_salt,
self._make_hash_value(user, timestamp), self._make_hash_value(user, timestamp),
secret=self.secret, secret=self.secret,
# RemovedInDjango40Warning: when the deprecation ends, remove the algorithm=self.algorithm,
# legacy argument and replace with:
# algorithm=self.algorithm,
algorithm='sha1' if legacy else self.algorithm,
).hexdigest()[::2] # Limit to shorten the URL. ).hexdigest()[::2] # Limit to shorten the URL.
return "%s-%s" % (ts_b36, hash_string) return "%s-%s" % (ts_b36, hash_string)

View File

@ -280,3 +280,6 @@ to remove usage of these features.
* Support for the pre-Django 3.1 encoding format of cookies values used by * Support for the pre-Django 3.1 encoding format of cookies values used by
``django.contrib.messages.storage.cookie.CookieStorage`` is removed. ``django.contrib.messages.storage.cookie.CookieStorage`` is removed.
* Support for the pre-Django 3.1 password reset tokens in the admin site (that
use the SHA-1 hashing algorithm) is removed.

View File

@ -1,4 +1,4 @@
from datetime import date, datetime, timedelta from datetime import datetime, timedelta
from django.conf import settings from django.conf import settings
from django.contrib.auth.models import User from django.contrib.auth.models import User
@ -86,27 +86,6 @@ class TokenGeneratorTest(TestCase):
) )
self.assertIs(p4.check_token(user, tk1), False) self.assertIs(p4.check_token(user, tk1), False)
def test_legacy_days_timeout(self):
# RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
class LegacyPasswordResetTokenGenerator(MockedPasswordResetTokenGenerator):
"""Pre-Django 3.1 tokens generator."""
def _num_seconds(self, dt):
# Pre-Django 3.1 tokens use days instead of seconds.
return (dt.date() - date(2001, 1, 1)).days
user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
now = datetime.now()
p0 = LegacyPasswordResetTokenGenerator(now)
tk1 = p0.make_token(user)
p1 = MockedPasswordResetTokenGenerator(
now + timedelta(seconds=settings.PASSWORD_RESET_TIMEOUT),
)
self.assertIs(p1.check_token(user, tk1), True)
p2 = MockedPasswordResetTokenGenerator(
now + timedelta(seconds=(settings.PASSWORD_RESET_TIMEOUT + 24 * 60 * 60)),
)
self.assertIs(p2.check_token(user, tk1), False)
def test_check_token_with_nonexistent_token_and_user(self): def test_check_token_with_nonexistent_token_and_user(self):
user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw') user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
p0 = PasswordResetTokenGenerator() p0 = PasswordResetTokenGenerator()
@ -143,14 +122,3 @@ class TokenGeneratorTest(TestCase):
self.assertEqual(generator.algorithm, 'sha1') self.assertEqual(generator.algorithm, 'sha1')
token = generator.make_token(user) token = generator.make_token(user)
self.assertIs(generator.check_token(user, token), True) self.assertIs(generator.check_token(user, token), True)
def test_legacy_token_validation(self):
# RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
p_old_generator = PasswordResetTokenGenerator()
p_old_generator.algorithm = 'sha1'
p_new_generator = PasswordResetTokenGenerator()
legacy_token = p_old_generator.make_token(user)
self.assertIs(p_old_generator.check_token(user, legacy_token), True)
self.assertIs(p_new_generator.check_token(user, legacy_token), True)