urls: use uuid routing parameter for sms code opaque urls (#88044)

src/authentic2/urls.py

@@ -57,8 +57,8 @@ accounts_urlpatterns = [
     path('change-email/', views.email_change, name='email-change'),
     path('change-email/verify/', views.email_change_verify, name='email-change-verify'),
     path('change-phone/', views.phone_change, name='phone-change'),
-    re_path(
-        'change-phone/verify/(?P<token>[A-Za-z0-9_ -]+)/$',
+    path(
+        'change-phone/verify/<uuid:token>/',
         views.phone_change_verify,
         name='phone-change-verify',
     ),
@@ -120,8 +120,8 @@ urlpatterns = [
         TemplateView.as_view(template_name='registration/registration_closed.html'),
         name='registration_disallowed',
     ),
-    re_path(
-        '^register/input_code/(?P<token>[A-Za-z0-9_ -]+)/$',
+    path(
+        'register/input_code/<uuid:token>/',
         views.input_sms_code,
         name='input_sms_code',
     ),

src/authentic2/views.py

@@ -415,9 +415,7 @@ phone_change = login_required(PhoneChangeView.as_view())
 
 class PhoneChangeVerifyView(TemplateView):
     def get(self, request, *args, **kwargs):
-        token = kwargs['token'].replace(' ', '')
-        if not token:
-            return shortcuts.redirect('phone-change')
+        token = kwargs['token']
         authn = utils_misc.get_password_authenticator()
         user_ct = ContentType.objects.get_for_model(get_user_model())
         try:
@@ -1628,11 +1626,11 @@ class InputSMSCodeView(cbv.ValidateCSRFMixin, FormView):
     title = _('SMS code validation')
 
     def dispatch(self, request, *args, **kwargs):
-        token = kwargs.get('token')
+        token = kwargs['token']
         try:
             self.code = models.SMSCode.objects.get(url_token=token)
         except models.SMSCode.DoesNotExist:
-            return HttpResponseBadRequest(_('Invalid request'))
+            raise Http404(_('Invalid token'))
         return super().dispatch(request, *args, **kwargs)
 
     def get_context_data(self, **kwargs):

tests/test_change_phone.py

@@ -281,8 +281,14 @@ def test_change_phone_code_modified(app, nomail_user, user_ou1, phone_activated_
     resp.form.set('phone_1', '122446666')
     resp.form.set('password', nomail_user.username)
     resp = resp.form.submit()
-    location = resp.location[:-5] + 'abcd/'  # oops, something went wrong with the url token
-    app.get(location, status=400)
+    location = resp.location[:-5] + 'wxyz/'  # oops, something went wrong with the url token
+    app.get(location, status=404)
+    assert not Token.objects.count()
+
+    location = (
+        resp.location[:-5] + 'abcd/'
+    )  # oops, something went wrong again although it's a valid uuid format
+    app.get(location, status=404)
     assert not Token.objects.count()
 
 

tests/test_registration.py

@@ -1026,6 +1026,25 @@ def test_phone_registration_wrong_code(app, db, settings, phone_activated_authn)
     assert resp.pyquery('li')[0].text_content() == 'Wrong SMS code.'
 
 
+@responses.activate
+def test_phone_registration_wrong_input_code_opaque_url(app, db, settings, phone_activated_authn):
+    settings.SMS_URL = 'https://foo.whatever.none/'
+    responses.post('https://foo.whatever.none/', status=200)
+
+    resp = app.get(reverse('registration_register'))
+    resp.form.set('phone_1', '612345678')
+    resp = resp.form.submit()
+    location = resp.location[:-5] + 'wxyz/'  # oops, something went wrong with the url token
+    app.get(location, status=404)
+    assert not Token.objects.count()
+
+    location = (
+        resp.location[:-5] + 'abcd/'
+    )  # oops, something went wrong again although it's a valid uuid format
+    app.get(location, status=404)
+    assert not Token.objects.count()
+
+
 @responses.activate
 def test_phone_registration_expired_code(app, db, settings, freezer, phone_activated_authn):
     settings.SMS_URL = 'https://foo.whatever.none/'