Django 3.1 changed the default hashing algorithm used for things like
password reset tokens from SHA-1 to SHA-256. As noted in the release
notes [1], this is configurable via the 'DEFAULT_HASHING_ALGORITHM'
transitional setting, but that's only intended to allow upgrades of
multiple instances in an HA deployment and shouldn't be used post-upgrade.
Instead, we need to fix our URLs to support the longer tokens
generated by SHA-256.
Long term, we want to replace these regex-based routes with the simpler
Flask-style template string routes. That's not really backportable so
we'll do that separately.
[1] https://docs.djangoproject.com/en/3.1/releases/3.1/#default-hashing-algorithm-settings
Signed-off-by: Stephen Finucane <stephen@that.guru>
Closes: #394
(cherry picked from commit
8d988f15b8a3c433aa385de7e5ba5129fdba4f40)
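To see why the old route broke, here is an added example (not part of this commit or of Patchwork) that rebuilds the shape of Django's password reset token, `<base36 timestamp>-<every second hex char of an HMAC digest>`, for SHA-1 and SHA-256 and checks each against the two token patterns from the diff. The key, timestamp and hashed value are constructed stand-ins; the real generator derives them from the user record and SECRET_KEY.

```python
import hashlib
import hmac
import re

# Token groups copied from the diff, anchored so they can be tested in isolation.
OLD_TOKEN_RE = re.compile(r'^(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})$')
NEW_TOKEN_RE = re.compile(r'^(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,32})$')


def int_to_base36(n):
    """Base-36 encoding in the style of django.utils.http.int_to_base36."""
    digits = '0123456789abcdefghijklmnopqrstuvwxyz'
    if n == 0:
        return '0'
    out = []
    while n:
        n, rem = divmod(n, 36)
        out.append(digits[rem])
    return ''.join(reversed(out))


def make_token(timestamp, value, key, algorithm):
    """Reproduce only the *shape* of Django's reset token.

    Django keeps every second hex character of the HMAC digest, so the hash
    segment is 20 chars for SHA-1 and 32 for SHA-256. The key derivation here
    is a simplification (assumption): Django salts the key with a key_salt and
    the project SECRET_KEY before computing the HMAC.
    """
    ts_b36 = int_to_base36(timestamp)
    digest = hmac.new(key, value.encode(), algorithm).hexdigest()
    return '%s-%s' % (ts_b36, digest[::2])


def hash_segment_length(token):
    """Length of the part after the timestamp, i.e. what the {1,N} bound limits."""
    return len(token.split('-', 1)[1])


def route_accepts(pattern, token):
    """True if the route pattern would match this token at all."""
    return pattern.fullmatch(token) is not None


if __name__ == '__main__':
    key = b'constructed-secret'  # stand-in for the derived HMAC key
    for algorithm in ('sha1', 'sha256'):
        token = make_token(616_000_000, 'uid:7|hash|last_login', key, algorithm)
        print(algorithm, hash_segment_length(token),
              'old:', route_accepts(OLD_TOKEN_RE, token),
              'new:', route_accepts(NEW_TOKEN_RE, token))
```

The SHA-256 token carries a 32-character hash segment, which the old `{1,20}` bound rejects before the view ever validates it, while the new `{1,32}` bound accepts both algorithms, so tokens issued by instances still on SHA-1 during the transitional window keep working.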
),
re_path(
r'^user/password-reset/(?P<uidb64>[0-9A-Za-z_\-]+)/'
- r'(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
+ r'(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,32})/$',
auth_views.PasswordResetConfirmView.as_view(),
name='password_reset_confirm',
),
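Review bot: the new `{1,32}` bound is exactly the hash-segment length of a SHA-256 token, so the pattern still hard-codes the hashing algorithm that caused this break, and nothing in the route says where 13 or 32 come from. A short comment above the `re_path` noting that 32 is the SHA-256 half-hexdigest length (and that SHA-1 tokens from instances still on the transitional `DEFAULT_HASHING_ALGORITHM` setting, at 20 chars, are still accepted by the widened range) would save the next person a trip to the Django source. Since `PasswordResetConfirmView` validates the token itself, a looser group such as `(?P<token>[0-9A-Za-z]+-[0-9A-Za-z]+)` would avoid repeating this fix the next time the token format changes; that fits the stated plan to move to `path()` routes, so it is fine to defer if the backport needs to stay minimal.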
--- /dev/null
+---
+fixes:
+ - |
+ Fixed a compatability issue with Django 3.1 that prevented users from
+ resetting their password.
+ (`#394 <https://github.com/getpatchwork/patchwork/issues/394>`__)
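Review bot: "compatability" in the release note should be "compatibility"; this text is user-facing and will ship verbatim in the generated release notes. The reno fragment is otherwise well-formed and the issue link matches the `Closes: #394` trailer in the commit message.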