[Django] #34876: Allow password reset token generator to configure timeouts


Django

Sep 27, 2023, 12:36:13 PM
to django-...@googlegroups.com
#34876: Allow password reset token generator to configure timeouts
------------------------------------------------+------------------------
Reporter: Jake Howard | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: 4.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
Currently, `django.contrib.auth.tokens.PasswordResetTokenGenerator` uses
`settings.PASSWORD_RESET_TIMEOUT` for the timeout value for a token.

In much the same way as the secret key(s) and hash algorithm used are
configurable through instance attributes, it'd be very convenient if the
timeout was too (defaulting to `settings.PASSWORD_RESET_TIMEOUT`, of
course). The token generator is a generic and useful token generator, and
it can be helpful to use elsewhere. This is the only piece of
configuration tied to password reset which isn't easily reconfigured.

A potential extension might be to pass the user into the getter for the
token generator, allowing the timeout to be configured on a per-user basis
(e.g. require admins to use the link sooner). A very niche feature, but
trivial to implement during this refactor.

--
Ticket URL: <https://code.djangoproject.com/ticket/34876>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
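
An added illustration of the design the ticket asks for, not part of the ticket and not Django's code: a standard-library HMAC token whose timeout is an instance attribute with a per-user hook. The class names, the `get_timeout` hook, the dict-shaped user and the 15-minute admin policy are all assumptions made for this sketch.

```python
import hashlib
import hmac
import time

DEFAULT_TIMEOUT = 259200  # stand-in for settings.PASSWORD_RESET_TIMEOUT (assumed value)


class TimedTokenGenerator:
    """Hypothetical stdlib sketch; not Django's PasswordResetTokenGenerator."""

    timeout = DEFAULT_TIMEOUT  # seconds, overridable per instance or subclass

    def __init__(self, secret, timeout=None):
        self.secret = secret
        if timeout is not None:
            self.timeout = timeout

    def get_timeout(self, user):
        # Hook for the per-user extension the ticket mentions.
        return self.timeout

    def _mac(self, user, ts):
        # Bind the token to the user, the password hash and the timestamp, so
        # a password change or an edited timestamp invalidates it.
        msg = f"{user['id']}:{user['password_hash']}:{ts}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def make_token(self, user, now=None):
        ts = int(time.time() if now is None else now)
        return f"{ts:x}-{self._mac(user, ts)}"

    def check_token(self, user, token, now=None):
        try:
            ts_hex, mac = token.split("-")
            ts, mac = int(ts_hex, 16), mac.encode()
        except ValueError:
            return False
        # Authenticate first, in constant time, then apply the age limit.
        if not hmac.compare_digest(mac, self._mac(user, ts).encode()):
            return False
        now = int(time.time() if now is None else now)
        return now - ts <= self.get_timeout(user)


class AdminAwareGenerator(TimedTokenGenerator):
    def get_timeout(self, user):
        # Constructed policy: admins must use the link within 15 minutes.
        return 900 if user.get("is_admin") else self.timeout
```

Because the timestamp is covered by the MAC, the timeout is enforced only at check time, which is why it can vary per instance or per user without changing the token format.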

Django

Sep 27, 2023, 1:21:02 PM
to django-...@googlegroups.com
#34876: Allow password reset token generator to configure timeouts
-------------------------------------+-------------------------------------
Reporter: Jake Howard | Owner: nobody
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: 4.2
Severity: Normal | Resolution: duplicate
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* has_patch: 1 => 0
* resolution: => duplicate


Comment:

Duplicate of #30423.

--
Ticket URL: <https://code.djangoproject.com/ticket/34876#comment:1>
