authorjannh <jannh@wh-netz.de>2017-05-26 13:37:36 +0200
committerTim Graham <timograham@gmail.com>2017-05-26 07:37:36 -0400
commitc930c241f8f1ccf3a7848b843628eacdb983d70a (patch)
tree35ffdd5672b0415a711c821cbff759aee699a368 /tests/auth_tests/test_tokens.py
parent2cbb095bec757b804e8b6d9d0930ef3c6446a591 (diff)
Fixed #28017 -- Allowed customizing PasswordResetTokenGenerator's secret.
Diffstat (limited to 'tests/auth_tests/test_tokens.py')
-rw-r--r--tests/auth_tests/test_tokens.py21
1 files changed, 21 insertions, 0 deletions
diff --git a/tests/auth_tests/test_tokens.py b/tests/auth_tests/test_tokens.py
index 0662ec513e..eb06e00425 100644
--- a/tests/auth_tests/test_tokens.py
+++ b/tests/auth_tests/test_tokens.py
@@ -55,3 +55,24 @@ class TokenGeneratorTest(TestCase):
tk1 = p0.make_token(user)
self.assertIs(p0.check_token(None, tk1), False)
self.assertIs(p0.check_token(user, None), False)
+
+ def test_token_with_different_secret(self):
+ """
+ A valid token can be created with a secret other than SECRET_KEY by
+ using the PasswordResetTokenGenerator.secret attribute.
+ """
+ user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
+ new_secret = 'abcdefghijkl'
+ # Create and check a token with a different secret.
+ p0 = PasswordResetTokenGenerator()
+ p0.secret = new_secret
+ tk0 = p0.make_token(user)
+ self.assertTrue(p0.check_token(user, tk0))
+ # Create and check a token with the default secret.
+ p1 = PasswordResetTokenGenerator()
+ self.assertEqual(p1.secret, settings.SECRET_KEY)
+ self.assertNotEqual(p1.secret, new_secret)
+ tk1 = p1.make_token(user)
+ # Tokens created with a different secret don't validate.
+ self.assertFalse(p0.check_token(user, tk1))
+ self.assertFalse(p1.check_token(user, tk0))
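Review bot: The three check_token assertions in test_token_with_different_secret use `assertTrue`/`assertFalse`, which pass on any truthy or falsy value, while the context lines just above pin the exact boolean with `assertIs(..., False)`. For a token validator the strict form is worth keeping, so that a `None` or other non-bool return cannot satisfy the negative checks: `self.assertIs(p0.check_token(user, tk0), True)`, `self.assertIs(p0.check_token(user, tk1), False)`, `self.assertIs(p1.check_token(user, tk0), False)`. The enclosing TokenGeneratorTest class starts outside the hunk.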