fix(api): when fetching a user token, return the first one

api/desecapi/models.py

@@ -95,8 +95,11 @@ class User(AbstractBaseUser):
     def get_short_name(self):
         return self.email
 
-    def get_token(self):
-        token, created = Token.objects.get_or_create(user=self)
+    def get_or_create_first_token(self):
+        try:
+            token = Token.objects.filter(user=self).earliest('created')
+        except Token.DoesNotExist:
+            token = Token.objects.create(user=self)
         return token.key
 
     def __str__(self):

api/desecapi/tests/testregistration.py

@@ -199,4 +199,4 @@ class RegistrationTest(APITestCase):
         self.assertEqual(len(mail.outbox), outboxlen + 1)
 
         user = models.User.objects.get(email=data['email'])
-        self.assertTrue(user.get_token() in mail.outbox[-1].body)
+        self.assertTrue(user.get_or_create_first_token() in mail.outbox[-1].body)

api/desecapi/views.py

@@ -520,7 +520,7 @@ class UserCreateView(views.UserCreateView):
         if user.locked:
             send_account_lock_email(self.request, user)
         if not user.dyn:
-            context = {'token': user.get_token()}
+            context = {'token': user.get_or_create_first_token()}
             send_token_email(context, user)
         signals.user_registered.send(sender=self.__class__, user=user, request=self.request)
 
@@ -537,7 +537,7 @@ def unlock(request, email):
                 if user.locked:
                     user.unlock()
                     if not user.dyn:
-                        context = {'token': user.get_token()}
+                        context = {'token': user.get_or_create_first_token()}
                         send_token_email(context, user)
             except User.DoesNotExist:
                 # fail silently, so people can't probe registered addresses