From 34180922380cf41cd684f846ecf00f92eb289bcf Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Thu, 22 Oct 2020 13:21:14 +0200 Subject: Fixed #32130 -- Fixed pre-Django 3.1 password reset tokens validation. Thanks Gordon Wrigley for the report and implementation idea. Regression in 226ebb17290b604ef29e82fb5c1fbac3594ac163. --- tests/auth_tests/test_tokens.py | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) (limited to 'tests') diff --git a/tests/auth_tests/test_tokens.py b/tests/auth_tests/test_tokens.py index 42ac71148e..a9ba0e200f 100644 --- a/tests/auth_tests/test_tokens.py +++ b/tests/auth_tests/test_tokens.py @@ -1,4 +1,4 @@ -from datetime import datetime, timedelta +from datetime import date, datetime, timedelta from django.conf import settings from django.contrib.auth.models import User @@ -86,6 +86,27 @@ class TokenGeneratorTest(TestCase): ) self.assertIs(p4.check_token(user, tk1), False) + def test_legacy_days_timeout(self): + # RemovedInDjango40Warning: pre-Django 3.1 tokens will be invalid. + class LegacyPasswordResetTokenGenerator(MockedPasswordResetTokenGenerator): + """Pre-Django 3.1 tokens generator.""" + def _num_seconds(self, dt): + # Pre-Django 3.1 tokens use days instead of seconds. + return (dt.date() - date(2001, 1, 1)).days + + user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw') + now = datetime.now() + p0 = LegacyPasswordResetTokenGenerator(now) + tk1 = p0.make_token(user) + p1 = MockedPasswordResetTokenGenerator( + now + timedelta(seconds=settings.PASSWORD_RESET_TIMEOUT), + ) + self.assertIs(p1.check_token(user, tk1), True) + p2 = MockedPasswordResetTokenGenerator( + now + timedelta(seconds=(settings.PASSWORD_RESET_TIMEOUT + 24 * 60 * 60)), + ) + self.assertIs(p2.check_token(user, tk1), False) + def test_check_token_with_nonexistent_token_and_user(self): user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw') p0 = PasswordResetTokenGenerator() -- cgit v1.3