invalidate_previous_tokens should be post_save to avoid infinite recursion

[lee-hodg]

In https://github.com/aaronn/django-rest-framework-passwordless/blob/master/drfpasswordless/signals.py#L13 your doc string says post_save, which I believe is a correct implementation, but the actual code uses pre_save.

With pre_save I am seeing infinite loops whenever the user has more than 1 active tokens already. The pre_save calls save, which in turn invokes pre_save, but active_tokens = CallbackToken.objects.active().filter(user=instance.user).exclude(id=instance.id) grabs the same tokens from the database (as we are pre-save so the is_active=False hasn't yet been comitted). This once again invokes another save->pre_save->save until maximum recursion limit is hit....

[lee-hodg]

This happens when somehow 2 tokens have ended up with is_active=True, then when CallbackToken.objects.create(user=user, to_alias_type='EMAIL', to_alias=getattr(user, 'email')) is run and it triggers the signal handler it gets into a loop.

To avoid this, maybe it could just be

    if isinstance(instance, CallbackToken):
        CallbackToken.objects.active().filter(user=instance.user).exclude(id=instance.id)\
            .update(is_active=False)

[aaronn]

Should be fixed in 1.5 5775f5e