jazzband/django-rest-knox

Version 4.2.0 breaks use of tokens generated with older versions

Dunedan opened this issue · 0 comments

#193, which is included in 4.2.0, removed the usage of the salt when generating the hash digest for API tokens. That means digests generated for a token will differ depending on whether django-rest-knox<4.2.0 or django-rest-knox==4.2.0 is used, as older versions use the salt and token to generate the hash digest, while 4.2.0 only uses the token without a salt.

As django-rest-knox stores the hash digest and not the token itself, authentication with tokens generated with django-rest-knox<4.2.0 when using django-rest-knox==4.2.0 doesn't work anymore, as the hash digest generated when creating the token was generated using token and salt as input, while the one generated when checking for authentication now only uses the token as input.

Please note that this is a serious breaking change from 4.1.0 to 4.2.0 which isn't mentioned anywhere and renders all previously issued tokens invalid!
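To make the failure mode concrete, here is an added illustration (not code from django-rest-knox or from the issue author) of why changing the digest input invalidates every stored token. It models the two schemes the issue describes: the older one hashes token and salt, 4.2.0 hashes only the token, and the server keeps just the digest (plus salt), never the token. SHA-512, the byte order of the hash input, the in-memory `TokenStore` class and the lookup strategy are assumptions for the example, not a reproduction of knox's actual hashing or ORM code.

```python
"""Model of why dropping the salt from the digest breaks previously issued tokens.

Added example, not django-rest-knox's code. Assumptions: SHA-512 over the raw
token bytes, old scheme = hash(token || salt), new scheme = hash(token); the
store holds only digest and salt, so the token cannot be re-hashed later.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def digest_with_salt(token_hex: str, salt_hex: str) -> str:
    """Pre-4.2.0 style digest (modelled): hash over token bytes then salt bytes."""
    h = hashlib.sha512()
    h.update(bytes.fromhex(token_hex))
    h.update(bytes.fromhex(salt_hex))
    return h.hexdigest()


def digest_without_salt(token_hex: str) -> str:
    """4.2.0 style digest (modelled): hash over token bytes only."""
    return hashlib.sha512(bytes.fromhex(token_hex)).hexdigest()


class TokenStore:
    """In-memory stand-in for the token table: it records digest and salt, never the token."""

    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, Optional[str]]] = {}  # digest -> {"salt": ..., "user": ...}

    def issue_old(self, user: str, token_hex: Optional[str] = None,
                  salt_hex: Optional[str] = None) -> str:
        """Issue a token the way the salted (pre-4.2.0) scheme would store it."""
        token_hex = token_hex or secrets.token_hex(32)
        salt_hex = salt_hex or secrets.token_hex(8)
        self.rows[digest_with_salt(token_hex, salt_hex)] = {"salt": salt_hex, "user": user}
        return token_hex  # handed to the client exactly once

    def issue_new(self, user: str, token_hex: Optional[str] = None) -> str:
        """Issue a token the way the salt-free (4.2.0) scheme would store it."""
        token_hex = token_hex or secrets.token_hex(32)
        self.rows[digest_without_salt(token_hex)] = {"salt": None, "user": user}
        return token_hex

    def authenticate_old(self, token_hex: str) -> Optional[str]:
        """Salted check: recompute hash(token || salt) per candidate row (simplified: scan all rows)."""
        for digest, row in self.rows.items():
            salt = row["salt"]
            if salt is not None and hmac.compare_digest(digest, digest_with_salt(token_hex, salt)):
                return row["user"]
        return None

    def authenticate_new(self, token_hex: str) -> Optional[str]:
        """Salt-free check: look the row up directly by hash(token)."""
        row = self.rows.get(digest_without_salt(token_hex))
        return row["user"] if row else None


def upgrade_scenario() -> Dict[str, Optional[str]]:
    """Token issued under the old scheme, then presented to both the old and the upgraded check."""
    store = TokenStore()
    # Constructed, fixed values so the outcome is reproducible.
    token = "00112233445566778899aabbccddeeff" * 2
    salt = "0123456789abcdef"
    store.issue_old("alice", token, salt)
    return {
        "old_server": store.authenticate_old(token),     # "alice"
        "upgraded_server": store.authenticate_new(token),  # None: digest no longer matches
    }


if __name__ == "__main__":
    print(upgrade_scenario())
```

The stored row only ever contains `hash(token || salt)`; after the upgrade the server computes `hash(token)` for the same secret, which is a different value, so the lookup misses and the request is rejected. Because the plaintext token is never stored, there is no server-side migration that can recompute the new digest for existing rows; the only way forward is for clients to obtain fresh tokens.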