* Fix#9250: Prevent token overwrite and improve security
- Fix key collision issue that could overwrite existing tokens
- Use force_insert=True only for new token instances
- Replace os.urandom with secrets.token_hex for better security
- Add comprehensive test suite to verify fix and backward compatibility
- Ensure existing tokens can still be updated without breaking changes
* Fix code style: remove trailing whitespace and unused imports
* Fix#9250: Prevent token overwrite with minimal changes
- Add force_insert=True to Token.save() for new objects to prevent overwriting existing tokens
- Revert generate_key method to original implementation (os.urandom + binascii)
- Update tests to work with original setUp() approach
- Remove verbose comments and unrelated changes per reviewer feedback
* Fix flake8 violations: remove extra blank lines and trailing whitespace
* Update tests/test_authtoken.py
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Update tests/test_authtoken.py
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Update tests/test_authtoken.py
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Fix token key regeneration behavior and add test
* Update tests/test_authtoken.py
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
---------
Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
* Refactor token generation to use secrets module
* test: Add focused tests for Token.generate_key() method
- Add test for valid token format (40 hex characters)
- Add collision resistance test with 500 sample size
- Add basic randomness quality validation
- Ensure generated keys are unique and properly formatted
On Python 3, the ugettext functions are a simple aliases of their non-u
counterparts (the 'u' represents Python 2 unicode type). Starting with
Django 3.0, the u versions will be deprecated.
https://docs.djangoproject.com/en/dev/releases/3.0/#id2
> django.utils.translation.ugettext(), ugettext_lazy(), ugettext_noop(),
> ungettext(), and ungettext_lazy() are deprecated in favor of the
> functions that they’re aliases for:
> django.utils.translation.gettext(), gettext_lazy(), gettext_noop(),
> ngettext(), and ngettext_lazy().
Thanks to Jon Dufresne (@jdufresne) for review.
Co-authored-by: Asif Saif Uddin <auvipy@gmail.com>
Co-authored-by: Rizwan Mansuri <Rizwan@webbyfox.com>
+ verbose_name in models.Token fields
+ Meta-options verbose_name & verbose_name_plural
+ Labels in AuthTokenSerializer fields in case of usages in Brousable API
+ provide AppConfig class as described in django documentation with verbose_name came through ugettext_lazy
The fact that we don't import Token from authentication doesn't invalidate
the need for the model to be abstract whenever the authtoken isn't listed
in the INSTALLED_APPS.
