Refs #27468 -- Removed support for the pre-Django 3.1 password reset tokens.

Per deprecation timeline.
2021-01-11 20:31:49 +01:00 · 2021-01-11 20:31:49 +01:00 · 66b4046d68
parent 831a05b185
commit 66b4046d68
3 changed files with 9 additions and 56 deletions
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@ -1,4 +1,4 @@
-from datetime import datetime, time
+from datetime import datetime
 from django.conf import settings
 from django.utils.crypto import constant_time_compare, salted_hmac
@ -36,8 +36,6 @@ class PasswordResetTokenGenerator:
        # Parse the token
        try:
            ts_b36, _ = token.split("-")
            # RemovedInDjango40Warning.
            legacy_token = len(ts_b36) < 4
        except ValueError:
            return False
@ -48,28 +46,15 @@ class PasswordResetTokenGenerator:
        # Check that the timestamp/uid has not been tampered with
        if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
-            # RemovedInDjango40Warning: when the deprecation ends, replace
+            return False
            # with:
            #   return False
            if not constant_time_compare(
                self._make_token_with_timestamp(user, ts, legacy=True),
                token,
            ):
                return False
        # RemovedInDjango40Warning: convert days to seconds and round to
        # midnight (server time) for pre-Django 3.1 tokens.
        now = self._now()
        if legacy_token:
            ts *= 24 * 60 * 60
            ts += int((now - datetime.combine(now.date(), time.min)).total_seconds())
        # Check the timestamp is within limit.
-        if (self._num_seconds(now) - ts) > settings.PASSWORD_RESET_TIMEOUT:
+        if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
            return False
        return True
-    def _make_token_with_timestamp(self, user, timestamp, legacy=False):
+    def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of seconds since 2001-1-1. Converted to base 36,
        # this gives us a 6 digit string until about 2069.
        ts_b36 = int_to_base36(timestamp)
@ -77,10 +62,7 @@ class PasswordResetTokenGenerator:
            self.key_salt,
            self._make_hash_value(user, timestamp),
            secret=self.secret,
-            # RemovedInDjango40Warning: when the deprecation ends, remove the
+            algorithm=self.algorithm,
            # legacy argument and replace with:
            #   algorithm=self.algorithm,
            algorithm='sha1' if legacy else self.algorithm,
        ).hexdigest()[::2]  # Limit to shorten the URL.
        return "%s-%s" % (ts_b36, hash_string)
--- a/docs/releases/4.0.txt
+++ b/docs/releases/4.0.txt
@ -280,3 +280,6 @@ to remove usage of these features.
 * Support for the pre-Django 3.1 encoding format of cookies values used by
  ``django.contrib.messages.storage.cookie.CookieStorage`` is removed.
 * Support for the pre-Django 3.1 password reset tokens in the admin site (that
  use the SHA-1 hashing algorithm) is removed.
--- a/tests/auth_tests/test_tokens.py
+++ b/tests/auth_tests/test_tokens.py
@ -1,4 +1,4 @@
-from datetime import date, datetime, timedelta
+from datetime import datetime, timedelta
 from django.conf import settings
 from django.contrib.auth.models import User
@ -86,27 +86,6 @@ class TokenGeneratorTest(TestCase):
            )
            self.assertIs(p4.check_token(user, tk1), False)
    def test_legacy_days_timeout(self):
        # RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
        class LegacyPasswordResetTokenGenerator(MockedPasswordResetTokenGenerator):
            """Pre-Django 3.1 tokens generator."""
            def _num_seconds(self, dt):
                # Pre-Django 3.1 tokens use days instead of seconds.
                return (dt.date() - date(2001, 1, 1)).days
        user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
        now = datetime.now()
        p0 = LegacyPasswordResetTokenGenerator(now)
        tk1 = p0.make_token(user)
        p1 = MockedPasswordResetTokenGenerator(
            now + timedelta(seconds=settings.PASSWORD_RESET_TIMEOUT),
        )
        self.assertIs(p1.check_token(user, tk1), True)
        p2 = MockedPasswordResetTokenGenerator(
            now + timedelta(seconds=(settings.PASSWORD_RESET_TIMEOUT + 24 * 60 * 60)),
        )
        self.assertIs(p2.check_token(user, tk1), False)
    def test_check_token_with_nonexistent_token_and_user(self):
        user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
        p0 = PasswordResetTokenGenerator()
@ -143,14 +122,3 @@ class TokenGeneratorTest(TestCase):
            self.assertEqual(generator.algorithm, 'sha1')
            token = generator.make_token(user)
            self.assertIs(generator.check_token(user, token), True)
    def test_legacy_token_validation(self):
        # RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
        user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
        p_old_generator = PasswordResetTokenGenerator()
        p_old_generator.algorithm = 'sha1'
        p_new_generator = PasswordResetTokenGenerator()
        legacy_token = p_old_generator.make_token(user)
        self.assertIs(p_old_generator.check_token(user, legacy_token), True)
        self.assertIs(p_new_generator.check_token(user, legacy_token), True)