fix #47 - PasswordResetConfirm doesn't check token

2024-11-10 19:26:35 +03:00 · 2015-01-27 16:52:54 +01:00 · 2015-01-27 16:52:54 +01:00 · 2158fffd2a
commit 2158fffd2a
parent 60c0f949f4
2 changed files with 34 additions and 4 deletions
--- a/rest_auth/serializers.py
+++ b/rest_auth/serializers.py
@ -11,6 +11,7 @@ from django.contrib.auth.tokens import default_token_generator
 from rest_framework import serializers
 from rest_framework.authtoken.models import Token
 from rest_framework.authtoken.serializers import AuthTokenSerializer
+from rest_framework.exceptions import ValidationError


 class LoginSerializer(AuthTokenSerializer):
@ -101,18 +102,17 @@ class PasswordResetConfirmSerializer(serializers.Serializer):
            uid = uid_decoder(attrs['uid'])
            self.user = UserModel._default_manager.get(pk=uid)
        except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist):
-            self._errors['uid'] = ['Invalid value']
+            raise ValidationError({'uid': ['Invalid value']})

        self.custom_validation(attrs)
-
        # Construct SetPasswordForm instance
        self.set_password_form = self.set_password_form_class(user=self.user,
            data=attrs)
        if not self.set_password_form.is_valid():
-            self._errors['token'] = ['Invalid value']
+            raise ValidationError({'token': ['Invalid value']})

        if not default_token_generator.check_token(self.user, attrs['token']):
-            self._errors['token'] = ['Invalid value']
+            raise ValidationError({'token': ['Invalid value']})

        return attrs

--- a/rest_auth/tests.py
+++ b/rest_auth/tests.py
@ -293,6 +293,36 @@ class APITestCase1(TestCase, BaseAPITestCase):
        self.assertEqual(len(mail.outbox), mail_count + 1)

        url_kwargs = self._generate_uid_and_token(user)
+        url = reverse('rest_password_reset_confirm')
+
+        # wrong token
+        data = {
+            'new_password1': self.NEW_PASS,
+            'new_password2': self.NEW_PASS,
+            'uid': url_kwargs['uid'],
+            'token': '-wrong-token-'
+        }
+        self.post(url, data=data, status_code=400)
+
+        # wrong uid
+        data = {
+            'new_password1': self.NEW_PASS,
+            'new_password2': self.NEW_PASS,
+            'uid': '-wrong-uid-',
+            'token': url_kwargs['token']
+        }
+        self.post(url, data=data, status_code=400)
+
+        # wrong token and uid
+        data = {
+            'new_password1': self.NEW_PASS,
+            'new_password2': self.NEW_PASS,
+            'uid': '-wrong-uid-',
+            'token': '-wrong-token-'
+        }
+        self.post(url, data=data, status_code=400)
+
+        # valid payload
        data = {
            'new_password1': self.NEW_PASS,
            'new_password2': self.NEW_PASS,