fix #47 - PasswordResetConfirm doesn't check token

Mateusz Sikora 2015-01-27 16:52:54 +01:00
parent 60c0f949f4
commit 2158fffd2a
2 changed files with 34 additions and 4 deletions


@ -11,6 +11,7 @@ from django.contrib.auth.tokens import default_token_generator
from rest_framework import serializers from rest_framework import serializers
from rest_framework.authtoken.models import Token from rest_framework.authtoken.models import Token
from rest_framework.authtoken.serializers import AuthTokenSerializer from rest_framework.authtoken.serializers import AuthTokenSerializer
from rest_framework.exceptions import ValidationError
class LoginSerializer(AuthTokenSerializer): class LoginSerializer(AuthTokenSerializer):
@ -101,18 +102,17 @@ class PasswordResetConfirmSerializer(serializers.Serializer):
uid = uid_decoder(attrs['uid']) uid = uid_decoder(attrs['uid'])
self.user = UserModel._default_manager.get(pk=uid) self.user = UserModel._default_manager.get(pk=uid)
except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist): except (TypeError, ValueError, OverflowError, UserModel.DoesNotExist):
self._errors['uid'] = ['Invalid value'] raise ValidationError({'uid': ['Invalid value']})
self.custom_validation(attrs) self.custom_validation(attrs)
# Construct SetPasswordForm instance # Construct SetPasswordForm instance
self.set_password_form = self.set_password_form_class(user=self.user, self.set_password_form = self.set_password_form_class(user=self.user,
data=attrs) data=attrs)
if not self.set_password_form.is_valid(): if not self.set_password_form.is_valid():
self._errors['token'] = ['Invalid value'] raise ValidationError({'token': ['Invalid value']})
if not default_token_generator.check_token(self.user, attrs['token']): if not default_token_generator.check_token(self.user, attrs['token']):
self._errors['token'] = ['Invalid value'] raise ValidationError({'token': ['Invalid value']})
return attrs return attrs
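Review bot: The token is still verified last — after `self.custom_validation(attrs)` and after `self.set_password_form.is_valid()` have already run on the request — so a caller who supplies a decodable uid but no valid token still drives the custom hook and the password validators against that user before being rejected. Move the check to the first statement after the `except` block: `if not default_token_generator.check_token(self.user, attrs['token']): raise ValidationError({'token': ['Invalid value']})`, and only then call `self.custom_validation(attrs)` and build the form. A failing form is also reported as `raise ValidationError({'token': ['Invalid value']})`, which hides a password mismatch or validator failure behind a misleading field; once the token has been verified first, `raise ValidationError(self.set_password_form.errors)` can report the real cause without exposing anything to an unauthenticated caller. The enclosing method (presumably `validate`) starts above the hunk, so the `try:` around the uid decode is not visible here.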


@ -293,6 +293,36 @@ class APITestCase1(TestCase, BaseAPITestCase):
self.assertEqual(len(mail.outbox), mail_count + 1) self.assertEqual(len(mail.outbox), mail_count + 1)
url_kwargs = self._generate_uid_and_token(user) url_kwargs = self._generate_uid_and_token(user)
url = reverse('rest_password_reset_confirm')
# wrong token
data = {
'new_password1': self.NEW_PASS,
'new_password2': self.NEW_PASS,
'uid': url_kwargs['uid'],
'token': '-wrong-token-'
}
self.post(url, data=data, status_code=400)
# wrong uid
data = {
'new_password1': self.NEW_PASS,
'new_password2': self.NEW_PASS,
'uid': '-wrong-uid-',
'token': url_kwargs['token']
}
self.post(url, data=data, status_code=400)
# wrong token and uid
data = {
'new_password1': self.NEW_PASS,
'new_password2': self.NEW_PASS,
'uid': '-wrong-uid-',
'token': '-wrong-token-'
}
self.post(url, data=data, status_code=400)
# valid payload
data = { data = {
'new_password1': self.NEW_PASS, 'new_password1': self.NEW_PASS,
'new_password2': self.NEW_PASS, 'new_password2': self.NEW_PASS,