From 8d988f15b8a3c433aa385de7e5ba5129fdba4f40 Mon Sep 17 00:00:00 2001
From: Stephen Finucane
Date: Sat, 20 Feb 2021 12:22:08 +0000
Subject: urls: Support sha256-based tokens

Django 3.1 changed the default hashing algorithm used for things like password reset tokens from SHA-1 to SHA-256. As noted in the release notes [1], this is configurable via the 'DEFAULT_HASHING_ALGORITHM' transitional setting, but that's only intended to allow upgrades of multiple instances in a HA deployment and shouldn't be used post upgrade. Instead, we need to fix our URLs to support the longer tokens generated by SHA-256. Long term, we want to replace these regex-based routes with the simpler flask-style template string routes. That's not really backportable so we'll do that separately.
[1] https://docs.djangoproject.com/en/3.1/releases/3.1/#default-hashing-algorithm-settings
Signed-off-by: Stephen Finucane
Closes: #394
---
 patchwork/urls.py | 2 +-
 releasenotes/notes/issue-394-722c1e6384684469.yaml | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/issue-394-722c1e6384684469.yaml
diff --git a/patchwork/urls.py b/patchwork/urls.py
index 79268e4..be388ac 100644
--- a/patchwork/urls.py
+++ b/patchwork/urls.py
@@ -158,7 +158,7 @@ urlpatterns = [
 ),
 re_path(
 r'^user/password-reset/(?P[0-9A-Za-z_\-]+)/'
- r'(?P[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
+ r'(?P[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,32})/$',
 auth_views.PasswordResetConfirmView.as_view(),
 name='password_reset_confirm',
 ),
diff --git a/releasenotes/notes/issue-394-722c1e6384684469.yaml b/releasenotes/notes/issue-394-722c1e6384684469.yaml
new file mode 100644
index 0000000..eda4f12
--- /dev/null
+++ b/releasenotes/notes/issue-394-722c1e6384684469.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixed a compatability issue with Django 3.1 that prevented users from
+ resetting their password.
+ (`#394 `__)
-- cgit v1.2.3
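Review bot: The `{1,32}` bound on the token group in patchwork/urls.py is a bare number tied to Django's token format, the same coupling that broke this route once `{1,20}` stopped matching, and the patch adds neither a comment nor a test that would catch the next format change. As far as I can tell the token is `<base36 timestamp>-<every second hex digit of the HMAC>`, which gives 20 characters for SHA-1 and 32 for SHA-256, so the new bound should still accept tokens issued before the upgrade. I would add `# token = "<ts_b36>-<hash>"; hash is 20 chars (SHA-1) or 32 (SHA-256, Django >= 3.1)` above the pattern, plus a test that builds a token with `default_token_generator.make_token(user)` and checks that the URL from `reverse('password_reset_confirm', ...)` resolves. A reset link that fails to match simply returns a 404, which locks users out of account recovery, so the length is worth pinning. The `urlpatterns` list starts and ends outside the hunk.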