Opened 15 months ago
Closed 15 months ago
#34876 closed Cleanup/optimization (duplicate)
Allow password reset token generator to configure timeouts
Reported by: | Jake Howard | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 4.2 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Currently, django.contrib.auth.tokens.PasswordResetTokenGenerator uses settings.PASSWORD_RESET_TIMEOUT for the timeout value for a token.
In much the same way as the secret key(s) and hash algorithm used are configurable through instance attributes, it'd be very convenient if the timeout was too (defaulting to settings.PASSWORD_RESET_TIMEOUT, of course). The token generator is a generic and useful token generator, and it can be helpful to use elsewhere. This is the only piece of configuration tied to password reset which isn't easily reconfigured.
A potential extension might be to pass the user into the getter for the token generator, allowing the timeout to be configured on a per-user basis (e.g. require admins to use the link sooner). A very niche feature, but trivial to implement during this refactor.
Change History (1)
comment:1 by , 15 months ago
Has patch: | unset |
---|---|
Resolution: | → duplicate |
Status: | new → closed |
Duplicate of #30423.