feat(accounts): include API token reset on password change #19057
nijel merged 1 commit into WeblateOrg:main from
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 048585d13e
Pull request overview
This PR updates the account password-change/reset flows to optionally revoke and regenerate the user’s DRF API token, defaulting to regeneration to better protect users in compromise scenarios.
Changes:
- Added API token helper utilities (create_api_token, delete_api_tokens, reset_api_token) and reused them across account flows.
- Extended SetPasswordForm with a “Regenerate API key” checkbox (default enabled) and reset the token on password change/reset when enabled.
- Updated tests and changelog entry to reflect the new default behavior.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| weblate/accounts/views.py | Refactors the “reset API key” endpoint to use the shared reset_api_token() helper. |
| weblate/accounts/utils.py | Introduces centralized API token creation/deletion/reset helpers and reuses deletion during user removal. |
| weblate/accounts/models.py | Reuses the shared token creation helper during user-profile creation to avoid duplicating token generation logic. |
| weblate/accounts/forms.py | Adds the “Regenerate API key” option to password changes/resets and performs the reset when enabled. |
| weblate/accounts/tests/test_views.py | Verifies that a password change regenerates the API token when requested, and preserves it when not. |
| weblate/accounts/tests/test_registration.py | Updates registration/password-reset tests to cover default regeneration and explicit “keep key” behavior. |
| docs/changes.rst | Documents the new default behavior (API key regeneration on password updates). |
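As an added illustration of the flow the review summary describes (not code from the Weblate PR or from the Copilot review), the script below models the three helpers and a password-change step whose "regenerate API key" flag defaults to on. The in-memory TOKENS dictionary stands in for the DRF Token table, the helper signatures and the pbkdf2 password hashing are assumptions, and the User class is constructed for the example; the point it shows is that with the default, a password change made after a compromise also invalidates the old API key, while opting out keeps it.

```python
"""Added example: rotate a user's API token on password change by default.

Not Weblate's code. The helper names create_api_token / delete_api_tokens /
reset_api_token are taken from the PR summary; their signatures and bodies
here are assumptions, and TOKENS stands in for DRF's Token table.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:  # constructed stand-in for the Django user model
    username: str
    password_hash: bytes = b""
    salt: bytes = b""


# username -> token key; one token per user, like DRF's default Token model
TOKENS: Dict[str, str] = {}


def create_api_token(user: User) -> str:
    """Issue a fresh random key for the user (assumed helper)."""
    key = secrets.token_hex(20)  # 40 hex chars, the length DRF uses for Token.key
    TOKENS[user.username] = key
    return key


def delete_api_tokens(user: User) -> int:
    """Remove every token the user holds; returns how many were removed."""
    return 1 if TOKENS.pop(user.username, None) is not None else 0


def reset_api_token(user: User) -> str:
    """Revoke and reissue: the previous key stops working immediately."""
    delete_api_tokens(user)
    return create_api_token(user)


def token_is_valid(user: User, key: str) -> bool:
    """Constant-time check of a presented key against the stored one."""
    return secrets.compare_digest(TOKENS.get(user.username, ""), key)


def set_password(user: User, new_password: str,
                 regenerate_api_token: bool = True) -> Optional[str]:
    """Password change/reset step.

    regenerate_api_token mirrors the form checkbox: enabled by default, so a
    change forced by a compromise also rotates the API key unless the user
    explicitly opts to keep it. Returns the key that is valid afterwards.
    """
    user.salt = secrets.token_bytes(16)
    # pbkdf2 stands in for Django's password hasher in this example
    user.password_hash = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), user.salt, 100_000
    )
    if regenerate_api_token:
        return reset_api_token(user)
    return TOKENS.get(user.username)


if __name__ == "__main__":
    alice = User("alice")
    old_key = create_api_token(alice)
    new_key = set_password(alice, "correct horse battery staple")
    print("old key still valid:", token_is_valid(alice, old_key))   # False
    print("new key valid:", token_is_valid(alice, new_key))         # True
    kept = set_password(alice, "another passphrase", regenerate_api_token=False)
    print("key kept when opted out:", kept == new_key)              # True
```

Running it shows the default branch revoking the old key, and the opt-out branch leaving the key in place, which is the behaviour the PR's tests check for the two checkbox states.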
When the password change is triggered by a compromise, the user might not realize that the API token might be compromised as well.