[3.1.x] Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation.

Thanks Gordon Wrigley for the report and implementation idea. Regression in 226ebb1729. Backport of 3418092238 from master
2020-10-22 13:21:14 +02:00 · 2020-10-22 13:21:14 +02:00 · 767e06b5a8
parent c6b95be190
commit 767e06b5a8
3 changed files with 35 additions and 3 deletions
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@ -1,4 +1,4 @@
-from datetime import datetime
+from datetime import datetime, time

 from django.conf import settings
 from django.utils.crypto import constant_time_compare, salted_hmac
@ -35,6 +35,8 @@ class PasswordResetTokenGenerator:
        # Parse the token
        try:
            ts_b36, _ = token.split("-")
+            # RemovedInDjango40Warning.
+            legacy_token = len(ts_b36) < 4
        except ValueError:
            return False

@ -54,8 +56,14 @@ class PasswordResetTokenGenerator:
            ):
                return False

+        # RemovedInDjango40Warning: convert days to seconds and round to
+        # midnight (server time) for pre-Django 3.1 tokens.
+        now = self._now()
+        if legacy_token:
+            ts *= 24 * 60 * 60
+            ts += int((now - datetime.combine(now.date(), time.min)).total_seconds())
        # Check the timestamp is within limit.
-        if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
+        if (self._num_seconds(now) - ts) > settings.PASSWORD_RESET_TIMEOUT:
            return False

        return True
--- a/docs/releases/3.1.3.txt
+++ b/docs/releases/3.1.3.txt
@ -48,3 +48,6 @@ Bugfixes

 * Fixed a regression in Django 3.1.2 that caused incorrect form input layout on
  small screens in the admin change form view (:ticket:`32069`).
+
+* Fixed a regression in Django 3.1 that invalidated pre-Django 3.1 password
+  reset tokens (:ticket:`32130`).
--- a/tests/auth_tests/test_tokens.py
+++ b/tests/auth_tests/test_tokens.py
@ -1,4 +1,4 @@
-from datetime import datetime, timedelta
+from datetime import date, datetime, timedelta

 from django.conf import settings
 from django.contrib.auth.models import User
@ -63,6 +63,27 @@ class TokenGeneratorTest(TestCase):
            )
            self.assertIs(p4.check_token(user, tk1), False)

+    def test_legacy_days_timeout(self):
+        # RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
+        class LegacyPasswordResetTokenGenerator(MockedPasswordResetTokenGenerator):
+            """Pre-Django 3.1 tokens generator."""
+            def _num_seconds(self, dt):
+                # Pre-Django 3.1 tokens use days instead of seconds.
+                return (dt.date() - date(2001, 1, 1)).days
+
+        user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
+        now = datetime.now()
+        p0 = LegacyPasswordResetTokenGenerator(now)
+        tk1 = p0.make_token(user)
+        p1 = MockedPasswordResetTokenGenerator(
+            now + timedelta(seconds=settings.PASSWORD_RESET_TIMEOUT),
+        )
+        self.assertIs(p1.check_token(user, tk1), True)
+        p2 = MockedPasswordResetTokenGenerator(
+            now + timedelta(seconds=(settings.PASSWORD_RESET_TIMEOUT + 24 * 60 * 60)),
+        )
+        self.assertIs(p2.check_token(user, tk1), False)
+
    def test_check_token_with_nonexistent_token_and_user(self):
        user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
        p0 = PasswordResetTokenGenerator()