do not store username in password reset tokens (#49131)

2020-12-18 14:49:20 +01:00 · 2020-12-18 14:49:20 +01:00 · f904f03a57
parent 71183a9730
commit f904f03a57
2 changed files with 3 additions and 4 deletions
--- a/src/authentic2/utils/init.py
+++ b/src/authentic2/utils/init.py
@ -806,8 +806,8 @@ def build_reset_password_url(user, request=None, next_url=None, set_random_passw
        user.save()
    lifetime = settings.PASSWORD_RESET_TIMEOUT_DAYS * 3600 * 24
    # invalidate any token associated with this user
-    Token.objects.filter(kind='pw-reset', content__user=user.pk, content__email=user.email, content__username=user.username).delete()
-    token = Token.create('pw-reset', {'user': user.pk, 'email': user.email, 'username': user.username}, duration=lifetime)
+    Token.objects.filter(kind='pw-reset', content__user=user.pk, content__email=user.email).delete()
+    token = Token.create('pw-reset', {'user': user.pk, 'email': user.email}, duration=lifetime)
    reset_url = make_url(
        'password_reset_confirm',
        kwargs={'token': token.uuid_b64url},
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@ -680,8 +680,7 @@ class PasswordResetView(FormView):

        # if an email has already been sent, warn once before allowing resend
        token = models.Token.objects.filter(
-            Q(content__email__iexact=email) | Q(content__username__iexact=email),
-            kind='pw-reset', expires__gt=timezone.now()
+            kind='pw-reset', content__email=email, expires__gt=timezone.now()
        ).exists()
        resend_key = 'pw-reset-allow-resend'
        if app_settings.A2_TOKEN_EXISTS_WARNING and token and not self.request.session.get(resend_key):