encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2025-10-28 22:47:36 +03:00
Code Issues Packages Projects Releases Wiki Activity
c0166d95bb
django-rest-framework/rest_framework
History
Mahdi Rahimi c0166d95bb
Prevent small risk of Token overwrite (#9754) 
* Fix #9250: Prevent token overwrite and improve security

- Fix key collision issue that could overwrite existing tokens
- Use force_insert=True only for new token instances
- Replace os.urandom with secrets.token_hex for better security
- Add comprehensive test suite to verify fix and backward compatibility
- Ensure existing tokens can still be updated without breaking changes

* Fix code style: remove trailing whitespace and unused imports

* Fix #9250: Prevent token overwrite with minimal changes

- Add force_insert=True to Token.save() for new objects to prevent overwriting existing tokens
- Revert generate_key method to original implementation (os.urandom + binascii)
- Update tests to work with original setUp() approach
- Remove verbose comments and unrelated changes per reviewer feedback

* Fix flake8 violations: remove extra blank lines and trailing whitespace

* Update tests/test_authtoken.py

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>

* Update tests/test_authtoken.py

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>

* Update tests/test_authtoken.py

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>

* Fix token key regeneration behavior and add test

* Update tests/test_authtoken.py

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>

---------

Co-authored-by: Bruno Alla <browniebroke@users.noreply.github.com>
2025-08-10 16:52:32 +06:00
..
authtoken Prevent small risk of Token overwrite (#9754) 2025-08-10 16:52:32 +06:00
locale Turkish Translation updates (#9749) 2025-08-01 16:33:52 +01:00
management Add --api-version CLI option to generateschema (#8663) 2022-09-22 10:36:01 +01:00
schemas Add pyupgrade to pre-commit hooks (#9682) 2025-04-09 06:24:18 +00:00
static/rest_framework Improve integration with Django Debug Toolbar (#9213) 2024-03-07 10:58:59 +01:00
templates/rest_framework Drop HTML line breaks on long headers in browsable API (#9438) 2025-04-28 04:08:48 +00:00
templatetags Drop HTML line breaks on long headers in browsable API (#9438) 2025-04-28 04:08:48 +00:00
utils Add pyupgrade to pre-commit hooks (#9682) 2025-04-09 06:24:18 +00:00
__init__.py Prepare 3.16.1 release (#9752) 2025-08-06 18:40:31 +01:00
apps.py Make DEFAULT_PAGINATION_CLASS None by default. (#5170) 2017-09-25 15:36:30 +02:00
authentication.py replace partition with split in BasicAuthentication (#8790) 2022-12-08 09:52:35 +06:00
checks.py Fix punctuation in system check (#7281) 2020-04-20 16:40:05 -07:00
compat.py Fix unique together validator doesn't respect condition's fields (#9360) 2025-02-17 14:01:32 +06:00
decorators.py pre-commit autoupdate (#9232) 2024-01-24 22:47:46 +01:00
documentation.py Updated url()'s with path() and re_path() (#7492) 2020-08-25 13:50:02 +02:00
exceptions.py Revert "feat: Add some changes to ValidationError to support django style vad…" (#9326) 2024-03-21 17:09:43 +01:00
fields.py Add pyupgrade to pre-commit hooks (#9682) 2025-04-09 06:24:18 +00:00
filters.py Remove unused code 2024-04-30 18:28:22 +02:00
generics.py Allow generic requests, responses, fields, views (#8825) 2023-02-22 21:39:01 +06:00
metadata.py Revert #9030 (#9333) 2024-03-22 09:40:34 +01:00
mixins.py Revert "Re-prefetch related objects after updating (#8043)" (#9327) 2024-03-21 22:23:30 +00:00
negotiation.py Add pyupgrade to pre-commit hooks (#9682) 2025-04-09 06:24:18 +00:00
pagination.py Revert "Ensure CursorPagination respects nulls in the ordering field (#8912)" (#9381) 2024-04-27 17:07:05 +06:00
parsers.py Remove unused code 2024-04-30 18:28:22 +02:00
permissions.py Add pyupgrade to pre-commit hooks (#9682) 2025-04-09 06:24:18 +00:00
relations.py Replaced OrderedDict with dict (#8964) 2023-04-30 15:20:02 +06:00
renderers.py Fix get_template_context to handle also lists (#9467) 2024-07-15 22:03:40 +06:00
request.py Fixed AttributeError raised by data property being silently ignored (#9455) 2024-07-17 22:51:39 +06:00
response.py Add pyupgrade to pre-commit hooks (#9682) 2025-04-09 06:24:18 +00:00
reverse.py Dropped Python 2 compatibility. (#6615) 2019-04-30 17:53:44 +02:00
routers.py Use str as default path converter (#9066) 2023-08-16 20:11:50 +06:00
serializers.py Fix regression in unique_together validation with SerializerMethodField (#9712) 2025-06-10 12:47:28 +01:00
settings.py Fix typo (#9231) 2024-01-24 23:17:01 +01:00
status.py Added http 102, 103, 421, and 425 status codes (#8350) 2022-02-03 11:57:47 +00:00
test.py Fixed regression that tests using format still work (#9615) 2025-01-11 00:56:36 +06:00
throttling.py Fix error in throttling when request.user is None (#8370) 2022-06-24 13:02:11 +01:00
urlpatterns.py Fix "Converter is already registered" deprecation warning. (#9512) 2024-08-26 17:32:50 +02:00
urls.py Replace all url() calls with path() or re_path() (#7512) 2020-09-08 15:32:27 +01:00
validators.py Fix UniqueTogetherValidator to handle fields w/ source attr (#9688) 2025-04-23 09:03:14 +00:00
versioning.py Revert "Fix NamespaceVersioning ignoring DEFAULT_VERSION on non-None namespac…" (#9335) 2024-03-22 09:39:30 +00:00
views.py Add official support for Django 5.1 (#9514) 2024-09-07 17:21:18 +06:00
viewsets.py Add official support for Django 5.1 (#9514) 2024-09-07 17:21:18 +06:00