confirmation: Change confirmation keys to have length 24.

confirmation/models.py

@@ -2,6 +2,8 @@
 
 # Copyright: (c) 2008, Jarek Zgoda <jarek.zgoda@gmail.com>
 
+from __future__ import absolute_import
+
 __revision__ = '$Id: models.py 28 2009-10-22 15:03:02Z jarek.zgoda $'
 
 import datetime
@@ -17,11 +19,16 @@ from django.utils.timezone import now as timezone_now
 from zerver.lib.send_email import send_email
 from zerver.lib.utils import generate_random_token
 from zerver.models import PreregistrationUser, EmailChangeStatus
+from random import SystemRandom
+from six.moves import range
+import string
 from typing import Any, Dict, Optional, Text, Union
 
 def generate_key():
     # type: () -> str
-    return generate_random_token(40)
+    generator = SystemRandom()
+    # 24 characters * 5 bits of entropy/character = 120 bits of entropy
+    return ''.join(generator.choice(string.ascii_lowercase + string.digits) for _ in range(24))
 
 def get_object_from_key(confirmation_key):
     # type: (str) -> Union[bool, PreregistrationUser, EmailChangeStatus]

zerver/lib/test_helpers.py

@@ -196,7 +196,7 @@ def make_client(name):
 def find_key_by_email(address):
     # type: (Text) -> Optional[Text]
     from django.core.mail import outbox
-    key_regex = re.compile("accounts/do_confirm/([a-f0-9]{40})>")
+    key_regex = re.compile("accounts/do_confirm/([a-z0-9]{24})>")
     for message in reversed(outbox):
         if address in message.to:
             return key_regex.search(message.body).groups()[0]

zerver/tests/test_auth_backends.py

@@ -997,7 +997,7 @@ class GoogleSubdomainLoginTest(GoogleOAuthTest):
             confirmation = Confirmation.objects.all().first()
             url = confirmation_url(confirmation.confirmation_key, realm.host, Confirmation.USER_REGISTRATION)
             result = self.client_get(url)
-            key_match = re.search('value="(?P<key>[0-9a-f]+)" name="key"', result.content.decode("utf-8"))
+            key_match = re.search('value="(?P<key>[0-9a-z]+)" name="key"', result.content.decode("utf-8"))
             result = self.client_post('/accounts/register/',
                                       {'full_name': "New User",
                                        'password': 'test_password',
@@ -1045,7 +1045,7 @@ class GoogleLoginTest(GoogleOAuthTest):
         url = confirmation_url(confirmation.confirmation_key,
                                settings.EXTERNAL_HOST, Confirmation.USER_REGISTRATION)
         result = self.client_get(url)
-        key_match = re.search('value="(?P<key>[0-9a-f]+)" name="key"', result.content.decode("utf-8"))
+        key_match = re.search('value="(?P<key>[0-9a-z]+)" name="key"', result.content.decode("utf-8"))
         result = self.client_post('/accounts/register/',
                                   {'full_name': "New User",
                                    'password': 'test_password',

zerver/tests/test_management_commands.py

@@ -163,7 +163,7 @@ class TestGenerateRealmCreationLink(ZulipTestCase):
         # type: () -> None
         with self.settings(OPEN_REALM_CREATION=False):
             generated_link = generate_realm_creation_url()
-            key = generated_link[-40:]
+            key = generated_link[-24:]
             # Manually expire the link by changing the date of creation
             obj = RealmCreationKey.objects.get(creation_key=key)
             obj.date_created = obj.date_created - timedelta(days=settings.REALM_CREATION_LINK_VALIDITY_DAYS + 1)