bennylope / django-organizations

RegistrationTokenGenerator subclasses PasswordResetTokenGenerator:

django-organizations/organizations/backends/tokens.py

Line 35 in a779c41

class RegistrationTokenGenerator(PasswordResetTokenGenerator):

The generated token is matched against a URL in get_urls() of the various backends:

django-organizations/organizations/backends/defaults.py

Line 222 in a779c41

r"^(?P<user_id>[\d]+)-(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$",

django-organizations/organizations/backends/defaults.py

Line 325 in a779c41

r"^(?P<user_id>[\d]+)-(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$",

However, the token portion of the code is very aggressively matching against (?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20}).

In Django 3.1, the token generation algorithm has changed:

django/django#12374

Django too changed its path matching to just match an arbitrary chunk of text, rather than the very specific (?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20}).

Thank you, this is a mild bummer but a really helpful description.

django-organizations/organizations/backends/tokens.py

Lines 68 to 69 in 005df1f

    
           if (self._num_days(self._today()) - ts) > REGISTRATION_TIMEOUT_DAYS: 
        
               return False

This is also a problem, _num_days is gone in 3.1:
django/django@226ebb1#diff-d992e9c01fee91337af54701e0dd8125

	if (self._num_days(self._today()) - ts) > REGISTRATION_TIMEOUT_DAYS:
	return False

Token URL matching too specific, breaks in Django 3.1