Skip to content

There's an infinitesimally small possibility an existing token gets overwritten. #9250

New issue
New issue
Open
Open
There's an infinitesimally small possibility an existing token gets overwritten.#9250
@CharString

Description

@CharString
CharString
opened on Feb 9, 2024

django-rest-framework/rest_framework/authtoken/models.py

Lines 9 to 37 in 5ad467a

class Token(models.Model):
"""
The default authorization token model.
"""
key = models.CharField(_("Key"), max_length=40, primary_key=True)
user = models.OneToOneField(
settings.AUTH_USER_MODEL, related_name='auth_token',
on_delete=models.CASCADE, verbose_name=_("User")
)
created = models.DateTimeField(_("Created"), auto_now_add=True)
class Meta:
# Work around for a bug in Django:
# https://code.djangoproject.com/ticket/19422
#
# Also see corresponding ticket:
# https://github.com/encode/django-rest-framework/issues/705
abstract = 'rest_framework.authtoken' not in settings.INSTALLED_APPS
verbose_name = _("Token")
verbose_name_plural = _("Tokens")
def save(self, *args, **kwargs):
if not self.key:
self.key = self.generate_key()
return super().save(*args, **kwargs)
@classmethod
def generate_key(cls):
return binascii.hexlify(os.urandom(20)).decode()

The sample space is large 2 ** (8 * 20), but the probability is not 0 that generate_key returns a key that already exists, and then the save would update the existing one.

The smallest change, turns this into an integrity error:

     def save(self, *args, **kwargs): 
         if not self.key: 
             self.key = self.generate_key()
             kwargs["force_insert"] = True
         return super().save(*args, **kwargs)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions