Update authentication, remove old salt/unsalt compat from django 1.10

tastypie/authentication.py

@@ -9,13 +9,13 @@
 from django.conf import settings
 from django.contrib.auth import authenticate
 from django.core.exceptions import ImproperlyConfigured
-from django.middleware.csrf import _sanitize_token, constant_time_compare
+from django.middleware.csrf import _sanitize_token, _compare_masked_tokens
 from django.utils.translation import ugettext as _
 
 from six.moves.urllib.parse import urlparse
 
 from tastypie.compat import (
-    get_user_model, get_username_field, unsalt_token, is_authenticated
+    get_user_model, get_username_field, is_authenticated
 )
 from tastypie.http import HttpUnauthorized
 
@@ -327,8 +327,7 @@ def is_authenticated(self, request, **kwargs):
         request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
         request_csrf_token = _sanitize_token(request_csrf_token)
 
-        if not constant_time_compare(unsalt_token(request_csrf_token),
-                                     unsalt_token(csrf_token)):
+        if not _compare_masked_tokens(request_csrf_token, csrf_token):
             return False
 
         return is_authenticated(request.user)

tastypie/compat.py

@@ -33,20 +33,6 @@ def get_module_name(meta):
 
 atomic_decorator = django.db.transaction.atomic
 
-# Compatability for salted vs unsalted CSRF tokens;
-# Django 1.10's _sanitize_token also hashes it, so it can't be compared directly.
-# Solution is to call _sanitize_token on both tokens, then unsalt or noop both
-try:
-    from django.middleware.csrf import _unsalt_cipher_token
-
-    def unsalt_token(token):
-        return _unsalt_cipher_token(token)
-except ImportError:
-
-    def unsalt_token(token):
-        return token
-
-
 # force_text deprecated in 2.2, removed in 3.0
 # note that in 1.1.x, force_str and force_text both exist, but force_str behaves
 # much differently on python 3 than python 2.