[Django] #28622: Allow password reset token to expire in under a day


Django

Sep 20, 2017, 12:05:54 PM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
----------------------------------------+------------------------
Reporter: nijaaam | Owner: nobody
Type: New feature | Status: new
Component: Core (Other) | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+------------------------
Currently, the settings only have PASSWORD_RESET_TIMEOUT_DAYS for expiring
the token, which means it is impossible to set the timeout to hours/minutes.

In many applications a day is far too long and doesn't meet security
requirements.

It should be possible to configure it using a timedelta for arbitrary
expiry times.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
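To make the ticket's complaint concrete, here is an added, self-contained example (not Django's code, though it follows the same shape as its password reset token generator): a stateless reset token that binds an HMAC over the user's current state to an issue timestamp, in two variants. The seconds-based variant can enforce an hour-long lifetime; the days-based variant can only compare whole day numbers, so a link minted just after midnight and checked late the next day is still accepted although it is 47 hours old. The `User` record, `SECRET_KEY`, and the scenario in `demo()` are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed secret for this example only; a real deployment signs with its SECRET_KEY.
SECRET_KEY = b"example-only-secret-key"

# Timestamps are counted from 2001-01-01 UTC, the epoch Django's generator uses.
EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class User:
    """Constructed stand-in for the fields a reset token is bound to."""
    pk: int
    password_hash: str
    email: str
    last_login: Optional[datetime] = None


def _seconds(when: datetime) -> int:
    return int((when - EPOCH).total_seconds())


def _days(when: datetime) -> int:
    return (when - EPOCH).days


def _sign(user: User, ts: int) -> str:
    # Everything that should invalidate an outstanding link goes under the MAC:
    # a password change or a new login rotates the token without server state.
    last_login = "" if user.last_login is None else user.last_login.isoformat()
    payload = f"{user.pk}{user.password_hash}{last_login}{ts}{user.email}"
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _token(user: User, ts: int) -> str:
    return f"{ts:x}-{_sign(user, ts)}"


def _parse_and_verify(user: User, token: str) -> Optional[int]:
    """Return the timestamp embedded in a token, or None if it does not verify."""
    try:
        ts = int(token.split("-", 1)[0], 16)
    except ValueError:
        return None
    expected = _token(user, ts)
    # Constant-time comparison of the whole token string, so a non-canonical
    # timestamp encoding fails as well, not only a forged signature.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None
    return ts


# Seconds-based scheme: what a seconds-valued PASSWORD_RESET_TIMEOUT enables.
def make_token(user: User, now: datetime) -> str:
    return _token(user, _seconds(now))


def check_token(user: User, token: str, now: datetime, timeout_seconds: int) -> bool:
    ts = _parse_and_verify(user, token)
    if ts is None:
        return False
    return _seconds(now) - ts <= timeout_seconds


# Days-based scheme: the PASSWORD_RESET_TIMEOUT_DAYS behaviour.
def make_token_days(user: User, now: datetime) -> str:
    return _token(user, _days(now))


def check_token_days(user: User, token: str, now: datetime, timeout_days: int) -> bool:
    ts = _parse_and_verify(user, token)
    if ts is None:
        return False
    # Whole day numbers: a link minted at 00:30 and checked at 23:30 the next
    # day differs by 1 "day" even though it is 47 hours old.
    return _days(now) - ts <= timeout_days


def demo() -> dict:
    """Constructed scenario: a link minted at 00:30 UTC, checked at later times."""
    alice = User(pk=1, password_hash="pbkdf2_sha256$example-hash", email="alice@example.com")
    issued = datetime(2017, 9, 20, 0, 30, tzinfo=timezone.utc)
    one_hour = 60 * 60
    tok = make_token(alice, issued)
    tok_days = make_token_days(alice, issued)
    next_evening = datetime(2017, 9, 21, 23, 30, tzinfo=timezone.utc)  # 47 hours later
    flipped = tok[:-1] + ("0" if tok[-1] != "0" else "1")
    return {
        "fresh_link_ok": check_token(alice, tok, issued + timedelta(minutes=30), one_hour),
        "stale_link_rejected": not check_token(alice, tok, issued + timedelta(hours=2), one_hour),
        "tampered_rejected": not check_token(alice, flipped, issued, one_hour),
        "password_change_revokes": not check_token(replace(alice, password_hash="new"), tok, issued, one_hour),
        "days_scheme_accepts_47h_old_link": check_token_days(alice, tok_days, next_evening, 1),
        "seconds_scheme_rejects_it": not check_token(alice, tok, next_evening, 24 * one_hour),
    }


if __name__ == "__main__":
    print(demo())
```

The age check has no lower bound on purpose: rejecting tokens whose timestamp is slightly in the future would turn ordinary clock skew between application servers into spurious "invalid link" errors.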

Django

Sep 20, 2017, 1:18:42 PM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
Reporter: Nijamudeen | Owner: nobody
Type: New feature | Status: new
Component: Core (Other) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by Simon Charette):

* stage: Unreviewed => Accepted


Comment:

Not sure if we should allow non-integer values to be passed to
`PASSWORD_RESET_TIMEOUT_DAYS` or deprecate the setting for a new one
which is seconds based (`PASSWORD_RESET_TIMEOUT`), but this request makes a
lot of sense.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:1>

Django

Sep 20, 2017, 8:53:27 PM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
Reporter: Nijamudeen | Owner: Zach Liu
Type: New feature | Status: assigned
Component: Core (Other) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by Zach Liu):

* status: new => assigned
* cc: Zach Liu (added)
* owner: nobody => Zach Liu
* needs_docs: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:2>

Django

Sep 20, 2017, 8:53:50 PM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
Reporter: Nijamudeen | Owner: Zach Liu
Type: New feature | Status: assigned
Component: Core (Other) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by Zach Liu):

I think using PASSWORD_RESET_TIMEOUT which takes seconds makes better
sense. To support backward compatibility, I think we should keep
PASSWORD_RESET_TIMEOUT_DAYS and its default value of 3. Only use
PASSWORD_RESET_TIMEOUT when provided. Does it sound like a good idea?

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:3>

Django

Sep 20, 2017, 9:17:25 PM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
Reporter: Nijamudeen | Owner: Zach Liu
Type: New feature | Status: assigned
Component: Core (Other) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by Simon Charette):

Supporting `PASSWORD_RESET_TIMEOUT_DAYS` during the deprecation period
makes sense, but it should eventually be superseded by
`PASSWORD_RESET_TIMEOUT`. I suggest you take a look at how the
`MIDDLEWARE_CLASSES` to `MIDDLEWARE` transition was handled to figure out
how this should be done.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:4>
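Comments 3 and 4 above sketch the transition: keep honouring the old days-based setting for a deprecation period, but make the seconds-based setting the one that is actually consulted. The following is an added example of that resolution logic, written for this page rather than taken from Django's settings code; the `ImproperlyConfigured` and warning classes are local stand-ins, and the settings dicts are constructed inputs. Beyond the precedence rule, it refuses a configuration that sets both names (silently picking one would let an operator believe a short timeout is in force when it is not) and rejects non-positive or non-integer values.

```python
import warnings
from typing import Any, Dict, List, Tuple

# Three days in seconds: the lifetime PASSWORD_RESET_TIMEOUT_DAYS = 3 expressed.
DEFAULT_PASSWORD_RESET_TIMEOUT = 60 * 60 * 24 * 3


class ImproperlyConfigured(Exception):
    """Local stand-in for django.core.exceptions.ImproperlyConfigured."""


class RemovedInFutureVersionWarning(DeprecationWarning):
    """Local stand-in for a release-specific deprecation warning class."""


def resolve_password_reset_timeout(user_settings: Dict[str, Any]) -> int:
    """Return the reset-link lifetime in seconds for a project's settings.

    Precedence: PASSWORD_RESET_TIMEOUT, then the deprecated
    PASSWORD_RESET_TIMEOUT_DAYS (converted and warned about), then the default.
    """
    has_seconds = "PASSWORD_RESET_TIMEOUT" in user_settings
    has_days = "PASSWORD_RESET_TIMEOUT_DAYS" in user_settings

    if has_seconds and has_days:
        # Two sources of truth for a security-relevant lifetime is a misconfiguration,
        # not something to resolve quietly.
        raise ImproperlyConfigured(
            "PASSWORD_RESET_TIMEOUT_DAYS and PASSWORD_RESET_TIMEOUT are mutually exclusive."
        )

    if has_days:
        warnings.warn(
            "The PASSWORD_RESET_TIMEOUT_DAYS setting is deprecated; "
            "use PASSWORD_RESET_TIMEOUT (in seconds) instead.",
            RemovedInFutureVersionWarning,
            stacklevel=2,
        )
        timeout: Any = user_settings["PASSWORD_RESET_TIMEOUT_DAYS"] * 60 * 60 * 24
    elif has_seconds:
        timeout = user_settings["PASSWORD_RESET_TIMEOUT"]
    else:
        timeout = DEFAULT_PASSWORD_RESET_TIMEOUT

    # bool is a subclass of int; True would otherwise pass as a one-second timeout.
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        raise ImproperlyConfigured(
            "PASSWORD_RESET_TIMEOUT must be a positive integer number of seconds."
        )
    return timeout


def resolve_with_warnings(user_settings: Dict[str, Any]) -> Tuple[int, List[str]]:
    """Resolve the timeout and also return any deprecation messages emitted."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        value = resolve_password_reset_timeout(user_settings)
    return value, [str(w.message) for w in caught]


def is_rejected(user_settings: Dict[str, Any]) -> bool:
    """True if the settings are refused with ImproperlyConfigured."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        try:
            resolve_password_reset_timeout(user_settings)
        except ImproperlyConfigured:
            return True
    return False


if __name__ == "__main__":
    # Constructed settings: an operator wants links to die after fifteen minutes.
    print(resolve_with_warnings({"PASSWORD_RESET_TIMEOUT": 15 * 60}))
    # Legacy settings still work during the deprecation period, with a warning.
    print(resolve_with_warnings({"PASSWORD_RESET_TIMEOUT_DAYS": 1}))
```

Writing the seconds value as arithmetic in the settings file (`PASSWORD_RESET_TIMEOUT = 15 * 60`) keeps the intent readable, which is the concern Tim Graham raises in the next comment.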

Django

Sep 20, 2017, 9:29:25 PM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
Reporter: Nijamudeen | Owner: Zach Liu
Type: New feature | Status: assigned
Component: Core (Other) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by Tim Graham):

Before coding, please get a consensus on how to proceed on the
DevelopersMailingList. I like the readability benefits of the `timedelta`
proposal (compared to interpreting a number of seconds in a settings file,
even if that could be somewhat mitigated by writing
`PASSWORD_RESET_TIMEOUT = 60 * 60 * 24 * 3`), but I'm unsure of the best
approach.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:5>

Django

Sep 28, 2017, 10:52:32 PM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
Reporter: Nijamudeen | Owner: Zach Liu
Type: New feature | Status: assigned
Component: Core (Other) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by Zach Liu):

Replying to [comment:4 Simon Charette]:

> Supporting `PASSWORD_RESET_TIMEOUT_DAYS` during the deprecation period
> makes sense, but it should eventually be superseded by
> `PASSWORD_RESET_TIMEOUT`. I suggest you take a look at how the
> `MIDDLEWARE_CLASSES` to `MIDDLEWARE` transition was handled to figure out
> how this should be done.

Hi Simon, you mentioned the MIDDLEWARE_CLASSES to MIDDLEWARE transition; can
you point me to where I can find the reference? Thanks.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:6>

Django

Sep 29, 2017, 10:23:31 PM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
Reporter: Nijamudeen | Owner: Zach Liu
Type: New feature | Status: assigned
Component: Core (Other) | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by Zach Liu):

PR for the ticket: https://github.com/django/django/pull/9173

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:7>

Django

Apr 20, 2018, 11:25:07 AM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
--------------------------------------+------------------------------------
Reporter: Nijamudeen | Owner: Zach Liu
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Tim Graham):

* component: Core (Other) => contrib.auth
* has_patch: 0 => 1
* type: New feature => Cleanup/optimization


Comment:

Please uncheck "Needs documentation" if it's added to the patch.

django-developers discussion: https://groups.google.com/d/topic/django-developers/65iOQunvkPY/discussion

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:8>

Django

Aug 17, 2018, 10:04:11 AM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
--------------------------------------+------------------------------------
Reporter: Nijamudeen | Owner: Zach Liu
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Nahuel):

Hello,

About the token generation, is there any reason that it is only attached to
the password resetting feature?
Shouldn't it be useful in many other cases?

I mean, this can be helpful in many other cases that need temporary auto-
login through the URL.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:9>

Django

Aug 23, 2019, 11:33:54 AM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
Reporter: Nijamudeen | Owner: Hasan Ramezani
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Hasan Ramezani):

* owner: Zach Liu => Hasan Ramezani
* needs_docs: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:10>

Django

Sep 18, 2019, 8:39:59 AM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
Reporter: Nijamudeen | Owner: Hasan Ramezani
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:11>

Django

Sep 20, 2019, 8:16:08 AM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
Reporter: Nijamudeen | Owner: Hasan Ramezani
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In changeset 226ebb1 (226ebb17290b604ef29e82fb5c1fbac3594ac163):

    Fixed #28622 -- Allowed specifying password reset link expiration in
    seconds and deprecated PASSWORD_RESET_TIMEOUT_DAYS.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:12>

Django

Sep 20, 2019, 8:16:09 AM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
Reporter: Nijamudeen | Owner: Hasan Ramezani
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In changeset 45304e44 (45304e444e0d780ceeb5fc03e6761569dfe17ab2):

    Refs #28622 -- Clarified security implications of PASSWORD_RESET_TIMEOUT.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:13>

Django

May 5, 2020, 3:06:23 AM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
Reporter: Nijamudeen | Owner: Hasan Ramezani
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In changeset d2b9a9fd (d2b9a9fdbbc9b5e19b22b144d3e305b87c03b6c8):

    Refs #28622 -- Corrected
    PASSWORD_RESET_TIMEOUT/PASSWORD_RESET_TIMEOUT_DAYS docs.

    Removed outdated note about an extra day in PASSWORD_RESET_TIMEOUT
    docs and incorrect "minimum" phrase.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:14>

Django

Jan 14, 2021, 2:12:17 PM
to django-...@googlegroups.com
#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
Reporter: Nijamudeen | Owner: Hasan Ramezani
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In changeset 12ac4916 (12ac4916af034221a4e08ce6b5669e53a0223a67):

    Refs #28622 -- Removed settings.PASSWORD_RESET_TIMEOUT_DAYS per
    deprecation timeline.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:15>
