Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#31913 closed Bug (invalid)

PasswordResetConfirmView results in NoReverseMarch

Reported by: Bruno Vermeulen Owned by: nobody
Component: contrib.auth Version: 3.1
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In version 3.1 following test results in error:

    def test_view_function(self):
        view = resolve('/reset/{uidb64}/{token}/'.format(
            uidb64=self.uid, token=self.token))
        self.assertEqual(view.func.view_class, auth_views.PasswordResetConfirmView)

error:

django.urls.exceptions.NoReverseMatch: Reverse for 'password_reset_confirm' with keyword arguments '{'uidb64': 'MjY', 'token': 'a8w0ur-101d1596f3731a280668ba6c7f27cee5'}' not found. 1 pattern(s) tried: ['reset/(?P<uidb64>[0-9A-Za-z_\\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$']

urls.py is

    re_path(r'^reset/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$', 
            auth_views.PasswordResetConfirmView.as_view(
                template_name='accounts/password_reset_confirm.html'),
            name='password_reset_confirm'),

same code in Django 3.09 runs just fine

Change History (5)

comment:1 Changed 2 years ago by Mariusz Felisiak

Component: Uncategorizedcontrib.auth
Resolution: invalid
Status: newclosed
Summary: url PasswordResetConfirmView results in NoReverseMarchPasswordResetConfirmView results in NoReverseMarch

In Django 3.1, the password reset mechanism uses the SHA-256 hashing algorithm for tokens, see da4923ea87124102aae4455e947ce24599c0365b. You're regexp is too strict, you should use path('reset/<uidb64>/<token>/', ...) as documented.

comment:2 in reply to:  1 Changed 2 years ago by Phil Gyford

Replying to felixxm:

There's a comment on PasswordResetTokenGenerator._make_token_with_timestamp() that reads:

# Limit to 20 characters to shorten the URL.

I assume this used to be the case but, given the URL rule was changed to be more forgiving, that it's no longer true. It did confuse me when I was trying to figure out why my own URL rule was no longer matching, like the reporter's.

I assume the comment should be changed (is the length 32 characters now?). Sorry, I'm not sure if this should be a new Ticket (I'm new here).

comment:3 Changed 2 years ago by Mariusz Felisiak

Phil Gyford, good catch. Ticket is not required for small cleanups, I would update to # Limit to shorten the URL.. Would you like to provide a patch?

comment:4 in reply to:  3 Changed 2 years ago by Phil Gyford

Replying to felixxm:

Thanks - done!

comment:5 Changed 2 years ago by Mariusz Felisiak <felisiak.mariusz@…>

In e02738b:

Refs #31913 -- Corrected comment in PasswordResetTokenGenerator.

Follow up to da4923ea87124102aae4455e947ce24599c0365b.

Note: See TracTickets for help on using tickets.
Back to Top