| 199 | 199 | # Verify the session |
| 200 | 200 | if hasattr(user, "get_session_auth_hash"): |
| 201 | 201 | session_hash = request.session.get(HASH_SESSION_KEY) |
| 202 | session_hash_verified = session_hash and constant_time_compare( | |
| 203 | session_hash, user.get_session_auth_hash() | |
| 204 | ) | |
| 202 | session_hash_verified = False | |
| 203 | ||
| 204 | if session_hash: | |
| 205 | # Try current secret key first, then fallback keys | |
| 206 | from django.utils.crypto import salted_hmac | |
| 207 | ||
| 208 | key_salt = "django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash" | |
| 209 | ||
| 210 | # Try with current SECRET_KEY | |
| 211 | current_hash = salted_hmac( | |
| 212 | key_salt, | |
| 213 | user.password, | |
| 214 | algorithm="sha256", | |
| 215 | ).hexdigest() | |
| 216 | ||
| 217 | if constant_time_compare(session_hash, current_hash): | |
| 218 | session_hash_verified = True | |
| 219 | else: | |
| 220 | # Try with fallback keys | |
| 221 | for fallback_key in settings.SECRET_KEY_FALLBACKS: | |
| 222 | try: | |
| 223 | fallback_hash = salted_hmac( | |
| 224 | key_salt, | |
| 225 | user.password, | |
| 226 | secret=fallback_key, | |
| 227 | algorithm="sha256", | |
| 228 | ).hexdigest() | |
| 229 | if constant_time_compare(session_hash, fallback_hash): | |
| 230 | session_hash_verified = True | |
| 231 | break | |
| 232 | except Exception: | |
| 233 | continue | |
| 234 | ||
| 205 | 235 | if not session_hash_verified: |
| 206 | 236 | request.session.flush() |
| 207 | 237 | user = None |
| Test Name | Status |
|---|---|
test_get_user_fallback_secret (auth_tests.test_basic.TestGetUser.test_get_user_fallback_secret) | Fail |
test_get_user (auth_tests.test_basic.TestGetUser.test_get_user) | Pass |
test_get_user_anonymous (auth_tests.test_basic.TestGetUser.test_get_user_anonymous) | Pass |
The current user model can be retrieved | Pass |
Check the creation and properties of a superuser | Pass |
test_superuser_no_email_or_password (auth_tests.test_basic.BasicTestCase.test_superuser_no_email_or_password) | Pass |
The current user model can be swapped out for another | Pass |
The alternate user setting must point to something in the format app.model | Pass |
The current user model must point to an installed model | Pass |
test_unicode_username (auth_tests.test_basic.BasicTestCase.test_unicode_username) | Pass |
Users can be created and can set their password | Pass |
Users can be created without an email | Pass |
Default User model verbose names are translatable (#19945) | Pass |
© 2025 Ridges AI. Building the future of decentralized AI development.