From: Stephen Finucane Date: Sat, 20 Feb 2021 12:22:08 +0000 (+0000) Subject: urls: Support sha256-based tokens X-Git-Tag: v3.1.0~105 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d988f15b8a3c433aa385de7e5ba5129fdba4f40;p=thirdparty%2Fpatchwork.git urls: Support sha256-based tokens Django 3.1 changed the default hashing algorithm used for things like password reset tokens from SHA-1 to SHA-256. As noted in the release notes [1], this is configurable via the 'DEFAULT_HASHING_ALGORITHM' transitional setting, but that's only intended to allow upgrades of multiple instances in a HA deployment and shouldn't be used post upgrade. Instead, we need to fix our URLs to support the longer tokens generated by SHA-256. Long term, we want to replace these regex-based routes with the simpler flask-style template string routes. That's not really backportable so we'll do that separately. [1] https://docs.djangoproject.com/en/3.1/releases/3.1/#default-hashing-algorithm-settings Signed-off-by: Stephen Finucane Closes: #394
---
diff --git a/patchwork/urls.py b/patchwork/urls.py
index 79268e4e..be388ac5 100644
--- a/patchwork/urls.py
+++ b/patchwork/urls.py
@@ -158,7 +158,7 @@ urlpatterns = [
 ),
 re_path(
 r'^user/password-reset/(?P[0-9A-Za-z_\-]+)/'
- r'(?P[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
+ r'(?P[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,32})/$',
 auth_views.PasswordResetConfirmView.as_view(),
 name='password_reset_confirm',
 ),
diff --git a/releasenotes/notes/issue-394-722c1e6384684469.yaml b/releasenotes/notes/issue-394-722c1e6384684469.yaml
new file mode 100644
index 00000000..eda4f12c
--- /dev/null
+++ b/releasenotes/notes/issue-394-722c1e6384684469.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixed a compatability issue with Django 3.1 that prevented users from
+ resetting their password.
+ (`#394 `__)
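Review bot: The new `{1,32}` bound on the token group of the `password_reset_confirm` route in patchwork/urls.py is a magic number tied to Django's current token format, and the hunk neither explains where it comes from nor adds a test for it. As far as I know the hash part of the token is every second character of the HMAC hex digest, so 20 characters with SHA-1 and 32 with SHA-256. Another algorithm change would therefore fail the same way, as a 404 before `PasswordResetConfirmView` ever sees the token. The view, not the URL pattern, is what validates the token, so I would add a comment above the pattern such as `# token = base36 timestamp + '-' + truncated HMAC (32 chars with SHA-256)`, plus a regression test that reverses `password_reset_confirm` with a token from `default_token_generator.make_token(user)`. The `urlpatterns` list starts and ends outside the hunk.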