mirror of
https://github.com/encode/django-rest-framework.git
synced 2025-10-24 12:41:13 +03:00
* Fix #9250: Prevent token overwrite and improve security - Fix key collision issue that could overwrite existing tokens - Use force_insert=True only for new token instances - Replace os.urandom with secrets.token_hex for better security - Add comprehensive test suite to verify fix and backward compatibility - Ensure existing tokens can still be updated without breaking changes * Fix code style: remove trailing whitespace and unused imports * Fix #9250: Prevent token overwrite with minimal changes - Add force_insert=True to Token.save() for new objects to prevent overwriting existing tokens - Revert generate_key method to original implementation (os.urandom + binascii) - Update tests to work with original setUp() approach - Remove verbose comments and unrelated changes per reviewer feedback * Fix flake8 violations: remove extra blank lines and trailing whitespace * Update tests/test_authtoken.py Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com> * Update tests/test_authtoken.py Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com> * Update tests/test_authtoken.py Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com> * Fix token key regeneration behavior and add test * Update tests/test_authtoken.py Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com> --------- Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
64 lines
1.9 KiB
Python
64 lines
1.9 KiB
Python
import secrets
|
|
|
|
from django.conf import settings
|
|
from django.db import models
|
|
from django.utils.translation import gettext_lazy as _
|
|
|
|
|
|
class Token(models.Model):
|
|
"""
|
|
The default authorization token model.
|
|
"""
|
|
key = models.CharField(_("Key"), max_length=40, primary_key=True)
|
|
user = models.OneToOneField(
|
|
settings.AUTH_USER_MODEL, related_name='auth_token',
|
|
on_delete=models.CASCADE, verbose_name=_("User")
|
|
)
|
|
created = models.DateTimeField(_("Created"), auto_now_add=True)
|
|
|
|
class Meta:
|
|
# Work around for a bug in Django:
|
|
# https://code.djangoproject.com/ticket/19422
|
|
#
|
|
# Also see corresponding ticket:
|
|
# https://github.com/encode/django-rest-framework/issues/705
|
|
abstract = 'rest_framework.authtoken' not in settings.INSTALLED_APPS
|
|
verbose_name = _("Token")
|
|
verbose_name_plural = _("Tokens")
|
|
|
|
def save(self, *args, **kwargs):
|
|
"""
|
|
Save the token instance.
|
|
|
|
If no key is provided, generates a cryptographically secure key.
|
|
For new tokens, ensures they are inserted as new (not updated).
|
|
"""
|
|
if not self.key:
|
|
self.key = self.generate_key()
|
|
# For new objects, force INSERT to prevent overwriting existing tokens
|
|
if self._state.adding:
|
|
kwargs['force_insert'] = True
|
|
return super().save(*args, **kwargs)
|
|
|
|
@classmethod
|
|
def generate_key(cls):
|
|
return secrets.token_hex(20)
|
|
|
|
def __str__(self):
|
|
return self.key
|
|
|
|
|
|
class TokenProxy(Token):
|
|
"""
|
|
Proxy mapping pk to user pk for use in admin.
|
|
"""
|
|
@property
|
|
def pk(self):
|
|
return self.user_id
|
|
|
|
class Meta:
|
|
proxy = 'rest_framework.authtoken' in settings.INSTALLED_APPS
|
|
abstract = 'rest_framework.authtoken' not in settings.INSTALLED_APPS
|
|
verbose_name = _("Token")
|
|
verbose_name_plural = _("Tokens")
|