Fixes #21117: Avoid exception when attempting to create v2 token without API_TOKEN_PEPPERS defined

2026-01-12 14:52:17 -06:00 · 2026-01-12 10:36:10 -05:00
parent 3624b88c3f
commit a066120375
2 changed files with 14 additions and 1 deletions
--- a/netbox/users/models/tokens.py
+++ b/netbox/users/models/tokens.py
@@ -213,6 +213,9 @@ class Token(models.Model):
    def clean(self):
        super().clean()

+        if self.version == TokenVersionChoices.V2 and not settings.API_TOKEN_PEPPERS:
+            raise ValidationError(_("Unable to save v2 tokens: API_TOKEN_PEPPERS is not defined."))
+
        if self._state.adding:
            if self.pepper_id is not None and self.pepper_id not in settings.API_TOKEN_PEPPERS:
                raise ValidationError(_(
--- a/netbox/users/tests/test_models.py
+++ b/netbox/users/tests/test_models.py
@@ -1,9 +1,10 @@
 from datetime import timedelta

 from django.core.exceptions import ValidationError
-from django.test import TestCase
+from django.test import TestCase, override_settings
 from django.utils import timezone

+from users.choices import TokenVersionChoices
 from users.models import User, Token
 from utilities.testing import create_test_user

@@ -94,6 +95,15 @@ class TokenTest(TestCase):
        token.refresh_from_db()
        self.assertEqual(token.description, 'New Description')

+    @override_settings(API_TOKEN_PEPPERS={})
+    def test_v2_without_peppers_configured(self):
+        """
+        Attempting to save a v2 token without API_TOKEN_PEPPERS defined should raise a ValidationError.
+        """
+        token = Token(version=TokenVersionChoices.V2)
+        with self.assertRaises(ValidationError):
+            token.clean()
+

 class UserConfigTest(TestCase):