Re: [Django] #30952: KeyError: '_password_reset_token' during password reset.

Fri, 28 Aug 2020 06:49:30 -0700 

#30952: KeyError: '_password_reset_token' during password reset.
------------------------------+--------------------------------------
     Reporter:  defigor       |                    Owner:  nobody
         Type:  Bug           |                   Status:  closed
    Component:  contrib.auth  |                  Version:  2.1
     Severity:  Normal        |               Resolution:  needsinfo
     Keywords:                |             Triage Stage:  Unreviewed
    Has patch:  0             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+--------------------------------------

Comment (by Peter De Wachter):

 We hit this bug as well, the mechanism is a bit convoluted though. Our
 project installs a post_save receiver for the User table, for logging
 purposes. This receiver accesses request.user as part of that logging (it
 uses a middleware to get at the request), and that's the cause of the
 failure.

 What happens is this:
 - The user uses a password reset link while logged in, as described by
 Andrey Shakurov above.
 - When PasswordResetConfirmView saves the user object with the new
 password, our post_save receiver runs.
 - The post_save receiver accesses request.user.
 - There's nothing in the password reset flow that used request.user at an
 earlier point, so there's no cached user object.
 - So auth.get_user() gets called. get_user() will attempt validate the
 session hash. But that will fail: even if the hash was valid before (not
 necessarily the case), it will certainly be invalid after the password
 change. So it flushes the session!
 - Our post_save code finishes and the save completes.
 - Then the view tries to delete the session field, which no longer exists,
 because the session was flushed. So we get the KeyError.

 I think the simplest solution is to explicitly log out the user when he
 accesses a password reset link.
 I've submitted a PR: https://github.com/django/django/pull/13360

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30952#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.a3ef5aafacdd110d27095c07b836be17%40djangoproject.com.

Reply via email to