From 5f137da9306d63fb1730119ca739c775bc63faac Mon Sep 17 00:00:00 2001 From: Mahmoud Adel Date: Sun, 10 May 2020 18:05:30 +0200 Subject: [PATCH] make token validation in PasswordResetConfirmSerializer is the first thing to do in validate() method --- dj_rest_auth/serializers.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dj_rest_auth/serializers.py b/dj_rest_auth/serializers.py index efd455e..f05d143 100644 --- a/dj_rest_auth/serializers.py +++ b/dj_rest_auth/serializers.py @@ -208,6 +208,9 @@ class PasswordResetConfirmSerializer(serializers.Serializer): def validate(self, attrs): self._errors = {} + if not default_token_generator.check_token(self.user, attrs['token']): + raise ValidationError({'token': ['Invalid value']}) + # Decode the uidb64 to uid to get User object try: uid = force_text(uid_decoder(attrs['uid'])) @@ -222,8 +225,6 @@ class PasswordResetConfirmSerializer(serializers.Serializer): ) if not self.set_password_form.is_valid(): raise serializers.ValidationError(self.set_password_form.errors) - if not default_token_generator.check_token(self.user, attrs['token']): - raise ValidationError({'token': ['Invalid value']}) return attrs
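Review bot: In the first hunk the added `check_token(self.user, attrs['token'])` call runs before the block commented "Decode the uidb64 to uid to get User object", so `self.user` appears not to be assigned yet when it is read; unless it is set outside the visible lines, every confirm request would fail with an AttributeError instead of a ValidationError. The check should sit immediately after the uid lookup and before `set_password_form` is built, which still keeps password-form errors from being returned to a caller without a valid token: `if not default_token_generator.check_token(self.user, attrs['token']): raise ValidationError({'token': ['Invalid value']})`. The body of `validate()` between the two hunks is not shown, so the exact line where `self.user` is set should be confirmed there. A test that posts a valid uid with an invalid token and a weak password, and expects only the `token` error, would pin the intended ordering.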