Opened 14 months ago
Closed 14 months ago
#34876 closed Cleanup/optimization (duplicate)
Allow password reset token generator to configure timeouts
| Reported by: | Jake Howard | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 4.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Currently, django.contrib.auth.tokens.PasswordResetTokenGenerator uses settings.PASSWORD_RESET_TIMEOUT for the timeout value for a token.
In much the same way as the secret key(s) and hash algorithm used are configurable through instance attributes, it'd be very convenient if the timeout was too (defaulting to settings.PASSWORD_RESET_TIMEOUT, of course). The token generator is a generic and useful token generator, and it can be helpful to use elsewhere. This is the only piece of configuration tied to password reset which isn't easily reconfigured.
A potential extension might be to pass the user into the getter for the token generator, allowing the timeout to be configured on a per-user basis (eg require admins to use the link sooner). A very niche feature, but trivial to implement during this refactor.
Change History (1)
comment:1 by , 14 months ago
| Has patch: | unset |
|---|---|
| Resolution: | → duplicate |
| Status: | new → closed |
Duplicate of #30423.