summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2021-01-11 20:31:49 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2021-01-14 17:50:04 +0100
commit66b4046d68921edc7c83076da4aafd307f7dd19b (patch)
tree96352bd23360d78c81cf89520f686aa4dbb4bbb7
parent831a05b1859f960dba0aff3ac46daa40ca70704e (diff)
Refs #27468 -- Removed support for the pre-Django 3.1 password reset tokens.
Per deprecation timeline.
-rw-r--r--django/contrib/auth/tokens.py28
-rw-r--r--docs/releases/4.0.txt3
-rw-r--r--tests/auth_tests/test_tokens.py34
3 files changed, 9 insertions, 56 deletions
diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py
index c3863d1dea..c5c23c9b72 100644
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -1,4 +1,4 @@
-from datetime import datetime, time
+from datetime import datetime
from django.conf import settings
from django.utils.crypto import constant_time_compare, salted_hmac
@@ -36,8 +36,6 @@ class PasswordResetTokenGenerator:
# Parse the token
try:
ts_b36, _ = token.split("-")
- # RemovedInDjango40Warning.
- legacy_token = len(ts_b36) < 4
except ValueError:
return False
@@ -48,28 +46,15 @@ class PasswordResetTokenGenerator:
# Check that the timestamp/uid has not been tampered with
if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
- # RemovedInDjango40Warning: when the deprecation ends, replace
- # with:
- # return False
- if not constant_time_compare(
- self._make_token_with_timestamp(user, ts, legacy=True),
- token,
- ):
- return False
+ return False
- # RemovedInDjango40Warning: convert days to seconds and round to
- # midnight (server time) for pre-Django 3.1 tokens.
- now = self._now()
- if legacy_token:
- ts *= 24 * 60 * 60
- ts += int((now - datetime.combine(now.date(), time.min)).total_seconds())
# Check the timestamp is within limit.
- if (self._num_seconds(now) - ts) > settings.PASSWORD_RESET_TIMEOUT:
+ if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
return False
return True
- def _make_token_with_timestamp(self, user, timestamp, legacy=False):
+ def _make_token_with_timestamp(self, user, timestamp):
# timestamp is number of seconds since 2001-1-1. Converted to base 36,
# this gives us a 6 digit string until about 2069.
ts_b36 = int_to_base36(timestamp)
@@ -77,10 +62,7 @@ class PasswordResetTokenGenerator:
self.key_salt,
self._make_hash_value(user, timestamp),
secret=self.secret,
- # RemovedInDjango40Warning: when the deprecation ends, remove the
- # legacy argument and replace with:
- # algorithm=self.algorithm,
- algorithm='sha1' if legacy else self.algorithm,
+ algorithm=self.algorithm,
).hexdigest()[::2] # Limit to shorten the URL.
return "%s-%s" % (ts_b36, hash_string)
diff --git a/docs/releases/4.0.txt b/docs/releases/4.0.txt
index c3ee1b0609..a2f04227fd 100644
--- a/docs/releases/4.0.txt
+++ b/docs/releases/4.0.txt
@@ -280,3 +280,6 @@ to remove usage of these features.
* Support for the pre-Django 3.1 encoding format of cookies values used by
``django.contrib.messages.storage.cookie.CookieStorage`` is removed.
+
+* Support for the pre-Django 3.1 password reset tokens in the admin site (that
+ use the SHA-1 hashing algorithm) is removed.
diff --git a/tests/auth_tests/test_tokens.py b/tests/auth_tests/test_tokens.py
index a9ba0e200f..1d98dcb966 100644
--- a/tests/auth_tests/test_tokens.py
+++ b/tests/auth_tests/test_tokens.py
@@ -1,4 +1,4 @@
-from datetime import date, datetime, timedelta
+from datetime import datetime, timedelta
from django.conf import settings
from django.contrib.auth.models import User
@@ -86,27 +86,6 @@ class TokenGeneratorTest(TestCase):
)
self.assertIs(p4.check_token(user, tk1), False)
- def test_legacy_days_timeout(self):
- # RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
- class LegacyPasswordResetTokenGenerator(MockedPasswordResetTokenGenerator):
- """Pre-Django 3.1 tokens generator."""
- def _num_seconds(self, dt):
- # Pre-Django 3.1 tokens use days instead of seconds.
- return (dt.date() - date(2001, 1, 1)).days
-
- user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
- now = datetime.now()
- p0 = LegacyPasswordResetTokenGenerator(now)
- tk1 = p0.make_token(user)
- p1 = MockedPasswordResetTokenGenerator(
- now + timedelta(seconds=settings.PASSWORD_RESET_TIMEOUT),
- )
- self.assertIs(p1.check_token(user, tk1), True)
- p2 = MockedPasswordResetTokenGenerator(
- now + timedelta(seconds=(settings.PASSWORD_RESET_TIMEOUT + 24 * 60 * 60)),
- )
- self.assertIs(p2.check_token(user, tk1), False)
-
def test_check_token_with_nonexistent_token_and_user(self):
user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
p0 = PasswordResetTokenGenerator()
@@ -143,14 +122,3 @@ class TokenGeneratorTest(TestCase):
self.assertEqual(generator.algorithm, 'sha1')
token = generator.make_token(user)
self.assertIs(generator.check_token(user, token), True)
-
- def test_legacy_token_validation(self):
- # RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
- user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
- p_old_generator = PasswordResetTokenGenerator()
- p_old_generator.algorithm = 'sha1'
- p_new_generator = PasswordResetTokenGenerator()
-
- legacy_token = p_old_generator.make_token(user)
- self.assertIs(p_old_generator.check_token(user, legacy_token), True)
- self.assertIs(p_new_generator.check_token(user, legacy_token), True)