django/tests/auth_tests/client.py

import re

from django.contrib.auth.views import (
    INTERNAL_RESET_SESSION_TOKEN, PasswordResetConfirmView,
)
from django.test import Client


def extract_token_from_url(url):
    token_search = re.search(r'/reset/.*/(.+?)/', url)
    if token_search:
        return token_search[1]


class PasswordResetConfirmClient(Client):
    """
    This client eases testing the password reset flow by emulating the
    PasswordResetConfirmView's redirect and saving of the reset token in the
    user's session. This request puts 'my-token' in the session and redirects
    to '/reset/bla/set-password/':

    >>> client = PasswordResetConfirmClient()
    >>> client.get('/reset/bla/my-token/')
    """
    reset_url_token = PasswordResetConfirmView.reset_url_token

    def _get_password_reset_confirm_redirect_url(self, url):
        token = extract_token_from_url(url)
        if not token:
            return url
        # Add the token to the session
        session = self.session
        session[INTERNAL_RESET_SESSION_TOKEN] = token
        session.save()
        return url.replace(token, self.reset_url_token)

    def get(self, path, *args, **kwargs):
        redirect_url = self._get_password_reset_confirm_redirect_url(path)
        return super().get(redirect_url, *args, **kwargs)

    def post(self, path, *args, **kwargs):
        redirect_url = self._get_password_reset_confirm_redirect_url(path)
        return super().post(redirect_url, *args, **kwargs)
Fixed #27518 -- Prevented possibie password reset token leak via HTTP Referer header. Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review. 2017-01-13 22:17:54 +08:00			`import re`

			`from django.contrib.auth.views import (`
Fixed #28780 -- Allowed specyfing a token parameter displayed in password reset URLs. Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com> 2019-05-23 20:18:49 +08:00			`INTERNAL_RESET_SESSION_TOKEN, PasswordResetConfirmView,`
Fixed #27518 -- Prevented possibie password reset token leak via HTTP Referer header. Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review. 2017-01-13 22:17:54 +08:00			`)`
			`from django.test import Client`


			`def extract_token_from_url(url):`
			`token_search = re.search(r'/reset/.*/(.+?)/', url)`
			`if token_search:`
Refs #30116 -- Simplified regex match group access with Match.__getitem__(). The method has been available since Python 3.6. The shorter syntax is also marginally faster. 2020-05-11 04:03:39 +08:00			`return token_search[1]`
Fixed #27518 -- Prevented possibie password reset token leak via HTTP Referer header. Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review. 2017-01-13 22:17:54 +08:00

			`class PasswordResetConfirmClient(Client):`
			`"""`
			`This client eases testing the password reset flow by emulating the`
			`PasswordResetConfirmView's redirect and saving of the reset token in the`
			`user's session. This request puts 'my-token' in the session and redirects`
			`to '/reset/bla/set-password/':`

			`>>> client = PasswordResetConfirmClient()`
			`>>> client.get('/reset/bla/my-token/')`
			`"""`
Fixed #28780 -- Allowed specyfing a token parameter displayed in password reset URLs. Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com> 2019-05-23 20:18:49 +08:00			`reset_url_token = PasswordResetConfirmView.reset_url_token`

Fixed #27518 -- Prevented possibie password reset token leak via HTTP Referer header. Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review. 2017-01-13 22:17:54 +08:00			`def _get_password_reset_confirm_redirect_url(self, url):`
			`token = extract_token_from_url(url)`
			`if not token:`
			`return url`
			`# Add the token to the session`
			`session = self.session`
			`session[INTERNAL_RESET_SESSION_TOKEN] = token`
			`session.save()`
Fixed #28780 -- Allowed specyfing a token parameter displayed in password reset URLs. Co-authored-by: Tim Givois <tim.givois.mendez@gmail.com> 2019-05-23 20:18:49 +08:00			`return url.replace(token, self.reset_url_token)`
Fixed #27518 -- Prevented possibie password reset token leak via HTTP Referer header. Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review. 2017-01-13 22:17:54 +08:00
			`def get(self, path, args, *kwargs):`
			`redirect_url = self._get_password_reset_confirm_redirect_url(path)`
Refs #23919 -- Replaced super(ClassName, self) with super(). 2017-01-21 21:13:44 +08:00			`return super().get(redirect_url, args, *kwargs)`
Fixed #27518 -- Prevented possibie password reset token leak via HTTP Referer header. Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review. 2017-01-13 22:17:54 +08:00
			`def post(self, path, args, *kwargs):`
			`redirect_url = self._get_password_reset_confirm_redirect_url(path)`
Refs #23919 -- Replaced super(ClassName, self) with super(). 2017-01-21 21:13:44 +08:00			`return super().post(redirect_url, args, *kwargs)`