mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Refs #27468 -- Removed support for the pre-Django 3.1 user sessions.

Browse Source 
Per deprecation timeline.
This commit is contained in:
Mariusz Felisiak
2021-01-12 20:31:36 +01:00
parent d32a232fe9
commit 6b4941dd57
5 changed files with 6 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
django/contrib/auth/__init__.py
View File

@@ -190,11 +190,6 @@ def get_user(request):
user.get_session_auth_hash() user.get_session_auth_hash()
) )
if not session_hash_verified: if not session_hash_verified:
if not (
session_hash and
hasattr(user, '_legacy_get_session_auth_hash') and
constant_time_compare(session_hash, user._legacy_get_session_auth_hash())
):
request.session.flush() request.session.flush()
user = None user = None

5
django/contrib/auth/base_user.py
View File

@@ -121,11 +121,6 @@ class AbstractBaseUser(models.Model):
""" """
return is_password_usable(self.password) return is_password_usable(self.password)
def _legacy_get_session_auth_hash(self):
# RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
key_salt = 'django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash'
return salted_hmac(key_salt, self.password, algorithm='sha1').hexdigest()
def get_session_auth_hash(self): def get_session_auth_hash(self):
""" """
Return an HMAC of the password field. Return an HMAC of the password field.

3
docs/releases/4.0.txt
View File

@@ -292,3 +292,6 @@ to remove usage of these features.
* Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures * Support for the pre-Django 3.1 ``django.core.signing.dumps()`` signatures
(encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is (encoded with the SHA-1 algorithm) in ``django.core.signing.loads()`` is
removed. removed.
* Support for the pre-Django 3.1 user sessions (that use the SHA-1 algorithm)
is removed.

10
tests/auth_tests/test_middleware.py
View File

@@ -24,16 +24,6 @@ class TestAuthenticationMiddleware(TestCase):
self.assertIsNotNone(self.request.user) self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous) self.assertFalse(self.request.user.is_anonymous)
def test_no_password_change_does_not_invalidate_legacy_session(self):
# RemovedInDjango40Warning: pre-Django 3.1 hashes will be invalid.
session = self.client.session
session[HASH_SESSION_KEY] = self.user._legacy_get_session_auth_hash()
session.save()
self.request.session = session
self.middleware(self.request)
self.assertIsNotNone(self.request.user)
self.assertFalse(self.request.user.is_anonymous)
@ignore_warnings(category=RemovedInDjango40Warning) @ignore_warnings(category=RemovedInDjango40Warning)
def test_session_default_hashing_algorithm(self): def test_session_default_hashing_algorithm(self):
hash_session = self.client.session[HASH_SESSION_KEY] hash_session = self.client.session[HASH_SESSION_KEY]

23
tests/auth_tests/test_views.py
View File

@@ -9,7 +9,7 @@ from django.apps import apps
from django.conf import settings from django.conf import settings
from django.contrib.admin.models import LogEntry from django.contrib.admin.models import LogEntry
from django.contrib.auth import ( from django.contrib.auth import (
BACKEND_SESSION_KEY, HASH_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY, BACKEND_SESSION_KEY, REDIRECT_FIELD_NAME, SESSION_KEY,
) )
from django.contrib.auth.forms import ( from django.contrib.auth.forms import (
AuthenticationForm, PasswordChangeForm, SetPasswordForm, AuthenticationForm, PasswordChangeForm, SetPasswordForm,
@@ -710,27 +710,6 @@ class LoginTest(AuthViewsTestCase):
self.login(password='foobar') self.login(password='foobar')
self.assertNotEqual(original_session_key, self.client.session.session_key) self.assertNotEqual(original_session_key, self.client.session.session_key)
def test_legacy_session_key_flushed_on_login(self):
# RemovedInDjango40Warning.
user = User.objects.get(username='testclient')
engine = import_module(settings.SESSION_ENGINE)
session = engine.SessionStore()
session[SESSION_KEY] = user.id
session[HASH_SESSION_KEY] = user._legacy_get_session_auth_hash()
session.save()
original_session_key = session.session_key
self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
# Legacy session key is flushed on login.
self.login()
self.assertNotEqual(original_session_key, self.client.session.session_key)
# Legacy session key is flushed after a password change.
user.set_password('password_2')
user.save()
original_session_key = session.session_key
self.client.cookies[settings.SESSION_COOKIE_NAME] = original_session_key
self.login(password='password_2')
self.assertNotEqual(original_session_key, self.client.session.session_key)
def test_login_session_without_hash_session_key(self): def test_login_session_without_hash_session_key(self):
""" """
Session without django.contrib.auth.HASH_SESSION_KEY should login Session without django.contrib.auth.HASH_SESSION_KEY should login