diff --git a/accounts/auth_remember_utils.py b/accounts/auth_remember_utils.py
index 1a3fed3e..2b296cd2 100644
--- a/accounts/auth_remember_utils.py
+++ b/accounts/auth_remember_utils.py
@@ -1,10 +1,9 @@
 # -*- coding: utf-8 -*-
 from __future__ import unicode_literals
-import uuid
+import secrets
 from django.contrib import auth as django_auth
-from django.contrib.auth.hashers import make_password
 from .accounts_settings import COOKIE_AGE, COOKIE_NAME
 from common_utils.cookies import set_cookie
@@ -12,15 +11,14 @@ def create_token_string(user, token=None):
 from .models import RememberToken
- token_value = uuid.uuid4().hex
- token_hash = make_password(token_value)
+ token_hash = secrets.token_urlsafe(64)
 token = RememberToken(
 token_hash=token_hash,
 user=user
 )
 token.save()
- return '%d:%s' % (user.id, token_value)
+ return '%d:%s' % (user.id, token_hash)
 def preset_cookie(request, token_string):
diff --git a/accounts/models.py b/accounts/models.py
index 0ecfb64e..6f123ca8 100644
--- a/accounts/models.py
+++ b/accounts/models.py
@@ -4,7 +4,6 @@
 from django.apps import apps
 from django.conf import settings
-from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser, UserManager
 from django.core.exceptions import ValidationError
 from django.core.serializers.json import DjangoJSONEncoder
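Review bot: The new `token_hash = secrets.token_urlsafe(64)` in the create_token_string hunk is stored unchanged in the `token_hash` column and also sent back in the cookie, so the database now holds the bearer secret itself; anyone able to read that table (backup, replica, SQL injection, a debug dump) can forge remember-me cookies directly, which the removed make_password step prevented. Dropping the slow password hasher from every lookup is reasonable, but since the token is high-entropy a fast digest is sufficient: `token_value = secrets.token_urlsafe(64)`, `token_hash = hashlib.sha256(token_value.encode()).hexdigest()` (with `import hashlib` added in the import hunk above), and `return '%d:%s' % (user.id, token_value)` so only the digest is persisted. The lookup in get_by_string in accounts/models.py (the last hunk) must then filter on the same digest of the cookie value rather than the raw value. The `token_hash` field's max_length is not visible here; token_urlsafe(64) yields 86 characters and a hex SHA-256 yields 64, so confirm the column fits whichever is stored. create_token_string's signature is outside this hunk.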
@@ -185,15 +184,12 @@ class Meta:
 class RememberTokenManager(models.Manager):
 def get_by_string(self, token):
 try:
- user_id, token_hash = token.split(':')
+ user_id, token_hash = token.split(':', 1)
 except ValueError:
 return None
 max_age = timezone.now() - timedelta(seconds=accounts_settings.COOKIE_AGE)
- for db_token in self.all().filter(created__gte=max_age, user=user_id):
- if check_password(token_hash, db_token.token_hash):
- return db_token
- return None
+ return self.filter(created__gte=max_age, user=user_id, token_hash=token_hash).first()
 def clean_remember_tokens(self):
 max_age = timezone.now() - timedelta(seconds=accounts_settings.COOKIE_AGE)
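Review bot: A malformed cookie whose first field is not numeric (something like `abc:xyz`) still reaches `user=user_id` in the new `return self.filter(...)` line outside the try, and a non-integer value for an integer foreign-key lookup should raise ValueError there, so get_by_string surfaces an error for a tampered remember-me cookie instead of returning None as the except branch intends; the commit widens the split to `token.split(':', 1)` but leaves that path unguarded, as it was before. Doing the conversion inside the guarded block, `user_id = int(user_id)` immediately after the split, routes both parse failures into the existing `except ValueError: return None`. clean_remember_tokens begins inside this hunk but its body continues past it.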