Prevent incorrect usage of Token.for_user

[pchiquet]

Attempt to address #779

• for_validated_user() replaces current for_user() method (no functionality change, it is just a rename)
• for_user() now checks user.is_active flag thanks the api_settings.USER_AUTHENTICATION_RULE callable

[sevdog]

It is still possible to call the .for_validated_user method on every user (also disabled ones).

[pchiquet]

It is still possible to call the .for_validated_user method on every user (also disabled ones).

yes, because for_validated_user is just a rename of the old for_user method.

What has changed:

• for_validated_user is not documented (whereas for_user is mentioned in the documentation)
• for_validated_user naming suggests that the user must be validated before using the method

[hakan-77]

We have the security issue alerting for almost 4 months now:
GHSA-5vcc-86wm-547q

Is there anything to be done to accelerate the merge and shipping of the new version?

[lokeshwarobuli]

We have the security issue alerting for almost 4 months now: GHSA-5vcc-86wm-547q

Is there anything to be done to accelerate the merge and shipping of the new version?

+1 can we get this shipped ??

[nahue]

We have the security issue alerting for almost 4 months now: GHSA-5vcc-86wm-547q

Is there anything to be done to accelerate the merge and shipping of the new version?

+1

[hakan-77]

Hi @nils-van-zuijlen is there anything remaining for this to be merged?

[nils-van-zuijlen]

Hi @nils-van-zuijlen is there anything remaining for this to be merged?

I do not know, I'm not a member / I don't have merge rights.

[sevdog]

This PR probabily is not going to be merged.

Please read these comments on the original issue: #779 (comment) and #779 (comment)

TL; DR: if you do not use JWTStatelessUserAuthentication you are not vulnerable, the advisory was incomplete.