mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #28017 -- Allowed customizing PasswordResetTokenGenerator's secret.

Browse Source
This commit is contained in:
jannh
2017-05-26 13:37:36 +02:00
committed by Tim Graham
parent 2cbb095bec
commit c930c241f8
2 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
tests/auth_tests/test_tokens.py
View File

@@ -55,3 +55,24 @@ class TokenGeneratorTest(TestCase):
tk1 = p0.make_token(user)
self.assertIs(p0.check_token(None, tk1), False)
self.assertIs(p0.check_token(user, None), False)
def test_token_with_different_secret(self):
"""
A valid token can be created with a secret other than SECRET_KEY by
using the PasswordResetTokenGenerator.secret attribute.
"""
user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
new_secret = 'abcdefghijkl'
# Create and check a token with a different secret.
p0 = PasswordResetTokenGenerator()
p0.secret = new_secret
tk0 = p0.make_token(user)
self.assertTrue(p0.check_token(user, tk0))
# Create and check a token with the default secret.
p1 = PasswordResetTokenGenerator()
self.assertEqual(p1.secret, settings.SECRET_KEY)
self.assertNotEqual(p1.secret, new_secret)
tk1 = p1.make_token(user)
# Tokens created with a different secret don't validate.
self.assertFalse(p0.check_token(user, tk1))
self.assertFalse(p1.check_token(user, tk0))