summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorClaude Paroz <claude@2xlibre.net>2020-01-17 10:09:55 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2020-02-12 21:46:56 +0100
commitda4923ea87124102aae4455e947ce24599c0365b (patch)
treec2bb4329144e9a384b3b671095c1c7a1bbcac2cb
parent27f67317da73f97fbe61444d5a3633584fc4f644 (diff)
Refs #27468 -- Made PasswordResetTokenGenerator use SHA-256 algorithm.
-rw-r--r--django/contrib/auth/tokens.py16
-rw-r--r--docs/internals/deprecation.txt3
-rw-r--r--docs/releases/3.1.txt3
-rw-r--r--tests/auth_tests/test_tokens.py11
4 files changed, 31 insertions, 2 deletions
diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py
index c4f2641003..15a3b0ce88 100644
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -11,6 +11,7 @@ class PasswordResetTokenGenerator:
reset mechanism.
"""
key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
+ algorithm = 'sha256'
secret = settings.SECRET_KEY
def make_token(self, user):
@@ -39,7 +40,14 @@ class PasswordResetTokenGenerator:
# Check that the timestamp/uid has not been tampered with
if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
- return False
+ # RemovedInDjango40Warning: when the deprecation ends, replace
+ # with:
+ # return False
+ if not constant_time_compare(
+ self._make_token_with_timestamp(user, ts, legacy=True),
+ token,
+ ):
+ return False
# Check the timestamp is within limit.
if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
@@ -47,7 +55,7 @@ class PasswordResetTokenGenerator:
return True
- def _make_token_with_timestamp(self, user, timestamp):
+ def _make_token_with_timestamp(self, user, timestamp, legacy=False):
# timestamp is number of seconds since 2001-1-1. Converted to base 36,
# this gives us a 6 digit string until about 2069.
ts_b36 = int_to_base36(timestamp)
@@ -55,6 +63,10 @@ class PasswordResetTokenGenerator:
self.key_salt,
self._make_hash_value(user, timestamp),
secret=self.secret,
+ # RemovedInDjango40Warning: when the deprecation ends, remove the
+ # legacy argument and replace with:
+ # algorithm=self.algorithm,
+ algorithm='sha1' if legacy else self.algorithm,
).hexdigest()[::2] # Limit to 20 characters to shorten the URL.
return "%s-%s" % (ts_b36, hash_string)
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index db6df0fbbe..6b94bc1a3a 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -49,6 +49,9 @@ details on these changes.
* Support for the pre-Django 3.1 encoding format of cookies values used by
``django.contrib.messages.storage.cookie.CookieStorage`` will be removed.
+* Support for the pre-Django 3.1 password reset tokens in the admin site (that
+ use the SHA-1 hashing algorithm) will be removed.
+
See the :ref:`Django 3.1 release notes <deprecated-features-3.1>` for more
details on these changes.
diff --git a/docs/releases/3.1.txt b/docs/releases/3.1.txt
index 6bf57e0de3..df7aad8dd2 100644
--- a/docs/releases/3.1.txt
+++ b/docs/releases/3.1.txt
@@ -56,6 +56,9 @@ Minor features
instead of deprecated ``PASSWORD_RESET_TIMEOUT_DAYS``, which will be removed
in Django 4.0.
+* The password reset mechanism now uses the SHA-256 hashing algorithm. Support
+ for tokens that use the old hashing algorithm remains until Django 4.0.
+
:mod:`django.contrib.contenttypes`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/tests/auth_tests/test_tokens.py b/tests/auth_tests/test_tokens.py
index 937fb7f598..5ac242db29 100644
--- a/tests/auth_tests/test_tokens.py
+++ b/tests/auth_tests/test_tokens.py
@@ -86,3 +86,14 @@ class TokenGeneratorTest(TestCase):
# Tokens created with a different secret don't validate.
self.assertIs(p0.check_token(user, tk1), False)
self.assertIs(p1.check_token(user, tk0), False)
+
+ def test_legacy_token_validation(self):
+ # RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid.
+ user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
+ p_old_generator = PasswordResetTokenGenerator()
+ p_old_generator.algorithm = 'sha1'
+ p_new_generator = PasswordResetTokenGenerator()
+
+ legacy_token = p_old_generator.make_token(user)
+ self.assertIs(p_old_generator.check_token(user, legacy_token), True)
+ self.assertIs(p_new_generator.check_token(user, legacy_token), True)