Refs #27468 -- Removed support for the pre-Django 3.1 password reset tokens.

Per deprecation timeline.
2025-10-27 07:36:08 +00:00 · 2021-01-11 20:31:49 +01:00
parent 831a05b185
commit 66b4046d68
3 changed files with 9 additions and 56 deletions
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -1,4 +1,4 @@
-from datetime import datetime, time
+from datetime import datetime

 from django.conf import settings
 from django.utils.crypto import constant_time_compare, salted_hmac
@@ -36,8 +36,6 @@ class PasswordResetTokenGenerator:
        # Parse the token
        try:
            ts_b36, _ = token.split("-")
-            # RemovedInDjango40Warning.
-            legacy_token = len(ts_b36) < 4
        except ValueError:
            return False

@@ -48,28 +46,15 @@ class PasswordResetTokenGenerator:

        # Check that the timestamp/uid has not been tampered with
        if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
-            # RemovedInDjango40Warning: when the deprecation ends, replace
-            # with:
-            #   return False
-            if not constant_time_compare(
-                self._make_token_with_timestamp(user, ts, legacy=True),
-                token,
-            ):
-                return False
+            return False

-        # RemovedInDjango40Warning: convert days to seconds and round to
-        # midnight (server time) for pre-Django 3.1 tokens.
-        now = self._now()
-        if legacy_token:
-            ts *= 24 * 60 * 60
-            ts += int((now - datetime.combine(now.date(), time.min)).total_seconds())
        # Check the timestamp is within limit.
-        if (self._num_seconds(now) - ts) > settings.PASSWORD_RESET_TIMEOUT:
+        if (self._num_seconds(self._now()) - ts) > settings.PASSWORD_RESET_TIMEOUT:
            return False

        return True

-    def _make_token_with_timestamp(self, user, timestamp, legacy=False):
+    def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of seconds since 2001-1-1. Converted to base 36,
        # this gives us a 6 digit string until about 2069.
        ts_b36 = int_to_base36(timestamp)
@@ -77,10 +62,7 @@ class PasswordResetTokenGenerator:
            self.key_salt,
            self._make_hash_value(user, timestamp),
            secret=self.secret,
-            # RemovedInDjango40Warning: when the deprecation ends, remove the
-            # legacy argument and replace with:
-            #   algorithm=self.algorithm,
-            algorithm='sha1' if legacy else self.algorithm,
+            algorithm=self.algorithm,
        ).hexdigest()[::2]  # Limit to shorten the URL.
        return "%s-%s" % (ts_b36, hash_string)