Skip to content

Commit 56a27ad

Browse files
authored
Fix the token verification and remove support for legacy tokens (#273)
1 parent 1786703 commit 56a27ad

1 file changed

Lines changed: 5 additions & 21 deletions

File tree

website/members/tokens.py

Lines changed: 5 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -16,33 +16,17 @@ def check_token(self, user, token):
1616
# Parse the token
1717
try:
1818
ts_b36, _ = token.split("-")
19-
# RemovedInDjango40Warning.
20-
legacy_token = len(ts_b36) < 4
21-
except ValueError:
22-
return False
23-
24-
try:
2519
ts = base36_to_int(ts_b36)
2620
except ValueError:
2721
return False
2822

2923
# Check that the timestamp/uid has not been tampered with
30-
if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
31-
# RemovedInDjango40Warning: when the deprecation ends, replace
32-
# with:
33-
# return False
34-
if not constant_time_compare(
35-
self._make_token_with_timestamp(user, ts, legacy=True),
36-
token,
37-
):
38-
return False
39-
40-
# RemovedInDjango40Warning: convert days to seconds and round to
41-
# midnight (server time) for pre-Django 3.1 tokens.
24+
if not constant_time_compare(
25+
self._make_token_with_timestamp(user, ts, secret), token
26+
):
27+
return False
28+
4229
now = self._now()
43-
if legacy_token:
44-
ts *= 24 * 60 * 60
45-
ts += int((now - datetime.combine(now.date(), time.min)).total_seconds())
4630
# Check the timestamp is within limit.
4731
if (self._num_seconds(now) - ts) > settings.ACCOUNT_ACTIVATION_TIMEOUT:
4832
return False

0 commit comments

Comments
 (0)