Tivix/django-rest-auth
1
1
Fork 0
mirror of https://github.com/Tivix/django-rest-auth.git synced 2025-07-22 13:39:45 +03:00
Code Issues Packages Projects Releases Wiki Activity

-Delete auth token after change password if LOGOUT_ON_PASSWORD_CHANGE setting is True

Browse Source 
-Test to confirm token is not valid after change password if LOGOUT_ON_PASSWORD_CHANGE setting is True
This commit is contained in:
Karthik Rao 2017-12-14 20:37:40 +05:30
parent a670fa9687
commit 106a0704a7
2 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rest_auth/serializers.py
View File

@ -267,6 +267,8 @@ class PasswordChangeSerializer(serializers.Serializer):
def save(self): def save(self):
self.set_password_form.save() self.set_password_form.save()
if not self.logout_on_password_change: if self.logout_on_password_change:
self.user.auth_token.delete()
else:
from django.contrib.auth import update_session_auth_hash from django.contrib.auth import update_session_auth_hash
update_session_auth_hash(self.request, self.user) update_session_auth_hash(self.request, self.user)

35
rest_auth/tests/test_api.py
View File

@ -280,6 +280,41 @@ class APIBasicTests(TestsMixin, TestCase):
login_payload['password'] = new_password_payload['new_password1'] login_payload['password'] = new_password_payload['new_password1']
self.post(self.login_url, data=login_payload, status_code=200) self.post(self.login_url, data=login_payload, status_code=200)
@override_settings(LOGOUT_ON_PASSWORD_CHANGE=True)
def test_password_change_with_logout(self):
login_payload = {
"username": self.USERNAME,
"password": self.PASS
}
get_user_model().objects.create_user(self.USERNAME, '', self.PASS)
self.post(self.login_url, data=login_payload, status_code=200)
self.token = self.response.json['key']
new_password_payload = {
"new_password1": "new_person",
"new_password2": "new_person"
}
self.post(
self.password_change_url,
data=new_password_payload,
status_code=200
)
# user's token should not be valid any more
self.post(
self.password_change_url,
data=new_password_payload,
status_code=status.HTTP_403_FORBIDDEN
)
# user should not be able to login using old password
self.post(self.login_url, data=login_payload, status_code=400)
# new password should work
login_payload['password'] = new_password_payload['new_password1']
self.post(self.login_url, data=login_payload, status_code=200)
def test_password_reset(self): def test_password_reset(self):
user = get_user_model().objects.create_user(self.USERNAME, self.EMAIL, self.PASS) user = get_user_model().objects.create_user(self.USERNAME, self.EMAIL, self.PASS)