#34876 closed Cleanup/optimization (duplicate)

Allow password reset token generator to configure timeouts

Reported by: Jake Howard Owned by: nobody
Component: contrib.auth Version: 4.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Currently, django.contrib.auth.tokens.PasswordResetTokenGenerator uses settings.PASSWORD_RESET_TIMEOUT for the timeout value for a token.

In much the same way as the secret key(s) and hash algorithm used are configurable through instance attributes, it'd be very convenient if the timeout was too (defaulting to settings.PASSWORD_RESET_TIMEOUT, of course). The token generator is a generic and useful token generator, and it can be helpful to use elsewhere. This is the only piece of configuration tied to password reset which isn't easily reconfigured.

A potential extension might be to pass the user into the getter for the token generator, allowing the timeout to be configured on a per-user basis (eg require admins to use the link sooner). A very niche feature, but trivial to implement during this refactor.

Change History (1)

comment:1 by Mariusz Felisiak, 15 months ago

Has patch: unset
Resolution: duplicate
Status: newclosed

Duplicate of #30423.

Note: See TracTickets for help on using tickets.
Back to Top