Fixed #26615 -- Made password reset token invalidate when changing email.

Co-Authored-By: Silas Barta <sbarta@gmail.com>
2025-10-24 06:06:09 +00:00 · 2016-05-15 18:54:03 -07:00
parent 7f9e4524d6
commit 0362b0e986
6 changed files with 39 additions and 11 deletions
--- a/tests/auth_tests/test_tokens.py
+++ b/tests/auth_tests/test_tokens.py
@@ -7,6 +7,8 @@ from django.test import TestCase
 from django.test.utils import ignore_warnings
 from django.utils.deprecation import RemovedInDjango40Warning

+from .models import CustomEmailField
+

 class MockedPasswordResetTokenGenerator(PasswordResetTokenGenerator):
    def __init__(self, now):
@@ -37,6 +39,27 @@ class TokenGeneratorTest(TestCase):
        tk2 = p0.make_token(user_reload)
        self.assertEqual(tk1, tk2)

+    def test_token_with_different_email(self):
+        """Updating the user email address invalidates the token."""
+        tests = [
+            (CustomEmailField, None),
+            (CustomEmailField, 'test4@example.com'),
+            (User, 'test4@example.com'),
+        ]
+        for model, email in tests:
+            with self.subTest(model=model.__qualname__, email=email):
+                user = model.objects.create_user(
+                    'changeemailuser',
+                    email=email,
+                    password='testpw',
+                )
+                p0 = PasswordResetTokenGenerator()
+                tk1 = p0.make_token(user)
+                self.assertIs(p0.check_token(user, tk1), True)
+                setattr(user, user.get_email_field_name(), 'test4new@example.com')
+                user.save()
+                self.assertIs(p0.check_token(user, tk1), False)
+
    def test_timeout(self):
        """The token is valid after n seconds, but no greater."""
        # Uses a mocked version of PasswordResetTokenGenerator so we can change