django-sesame: SESAME_ONE_TIME failing
I’ve set up a test for token re-use with `SESAME_ONE_TIME` set to `True` and I’m running the following test:

```python
def test_reuse(self):
    alice = User.objects.create_user(username='alice@bar.com', password='foobar123')
    token = get_parameters(alice)['url_auth_token']
    assert token
    user = authenticate(url_auth_token=token)
    assert user == alice
    user = authenticate(url_auth_token=token)
    assert user is None  # fails: user still alice
```
The issue appears to be that `user.last_login` remains `None` after `authenticate` is called, and therefore in backends.py:97

```python
if self.one_time:
    value += str(user.last_login)
```

does not lead to a change in `get_revocation_key`.

I wonder: is my assumption wrong that `authenticate` should count as a login and therefore invalidate the token? Or should I be using a different mechanism to use and invalidate the token?
Thanks a lot!
About this issue
- State: closed
- Created 5 years ago
- Comments: 16 (8 by maintainers)
Commits related to this issue
- Update user.last_login in get_user(request). Fix #29. — committed to aaugustin/django-sesame by aaugustin 5 years ago
- Update user.last_login in get_user(request). Attempt to avoid performance issues by doing the right thing by default: update it only for one-time tokens. Fix #29. — committed to aaugustin/django-sesame by aaugustin 5 years ago
I pushed version 1.7 which includes this fix.
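A simplified, stand-alone model of the one-time revocation logic discussed in this issue, added here as an example and not django-sesame's own code: the revocation key folds in `last_login`, so a token verifies repeatedly until something updates that field, which is what the 1.7 fix does in `get_user`. `User`, `make_token`, `authenticate` and `simulate_reuse` are hypothetical stand-ins for the Django pieces, and the secret and password hash are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SECRET_KEY = b"constructed-secret-for-this-example"  # constructed, not a real key


@dataclass
class User:  # hypothetical stand-in for django.contrib.auth's User
    pk: int
    password: str  # the stored password hash
    last_login: Optional[datetime] = None


def get_revocation_key(user: User, one_time: bool) -> str:
    # Same idea as the quoted backends.py snippet: for one-time tokens the key
    # also covers last_login, so the token is only revoked if that field changes.
    value = user.password
    if one_time:
        value += str(user.last_login)
    return value


def make_token(user: User, one_time: bool) -> str:
    key = get_revocation_key(user, one_time)
    mac = hmac.new(SECRET_KEY, f"{user.pk}:{key}".encode(), hashlib.sha256).hexdigest()
    return f"{user.pk}:{mac}"


def authenticate(users: dict, token: str, one_time: bool, update_last_login: bool) -> Optional[User]:
    # update_last_login=False models the behaviour reported above; True models the fix.
    pk_str, _, mac = token.partition(":")
    user = users.get(int(pk_str)) if pk_str.isdigit() else None
    if user is None:
        return None
    expected = make_token(user, one_time).split(":", 1)[1]
    if not hmac.compare_digest(mac, expected):
        return None
    if one_time and update_last_login:
        user.last_login = datetime.now(timezone.utc)  # changes the revocation key
    return user


def simulate_reuse(update_last_login: bool) -> tuple:
    # Mirrors the test from the issue: returns (first_login_ok, reuse_ok).
    alice = User(pk=1, password="pbkdf2_sha256$constructed-hash")
    users = {alice.pk: alice}
    token = make_token(alice, one_time=True)
    first = authenticate(users, token, True, update_last_login)
    second = authenticate(users, token, True, update_last_login)
    return (first is alice, second is alice)
```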