#34876: Allow password reset token generator to configure timeouts
------------------------------------------------+------------------------
Reporter: Jake Howard | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: 4.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
Currently, `django.contrib.auth.tokens.PasswordResetTokenGenerator` uses
`settings.PASSWORD_RESET_TIMEOUT` for the timeout value for a token.

In much the same way as the secret key(s) and hash algorithm used are
configurable through instance attributes, it'd be very convenient if the
timeout was too (defaulting to `settings.PASSWORD_RESET_TIMEOUT`, of
course). The token generator is a generic and useful token generator, and
it can be helpful to use elsewhere. This is the only piece of
configuration tied to password reset which isn't easily reconfigured.

A potential extension might be to pass the user into the getter for the
token generator, allowing the timeout to be configured on a per-user basis
(e.g. require admins to use the link sooner). A very niche feature, but
trivial to implement during this refactor.
--
Ticket URL: <https://code.djangoproject.com/ticket/34876>
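
The configuration pattern the ticket asks for, as an added example that is not part of the original ticket and not Django's code: a simplified, self-contained HMAC token generator whose timeout is an instance attribute with a default fallback, plus the per-user getter. `TimedTokenGenerator`, `StaffAwareGenerator`, `get_timeout`, `DEFAULT_TIMEOUT` (standing in for `settings.PASSWORD_RESET_TIMEOUT`) and the dict-based user are assumptions made for illustration.

```python
import hashlib
import hmac
import time

DEFAULT_TIMEOUT = 3 * 24 * 3600  # assumed stand-in for settings.PASSWORD_RESET_TIMEOUT

class TimedTokenGenerator:
    """Simplified stand-in for a timestamped HMAC token generator (not Django's)."""
    def __init__(self, secret, timeout=None):
        self.secret = secret
        self.timeout = timeout  # per-instance override; None means "use the default"

    def get_timeout(self, user):
        # Hypothetical getter: receives the user so subclasses can vary the lifetime.
        return DEFAULT_TIMEOUT if self.timeout is None else self.timeout

    def _sign(self, user, ts):
        # Binding the password hash makes the token useless once the password changes.
        msg = f"{user['pk']}:{user['password_hash']}:{ts}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def make_token(self, user, now=None):
        ts = int(time.time() if now is None else now)
        return f"{ts:x}-{self._sign(user, ts)}"

    def check_token(self, user, token, now=None):
        try:
            ts_hex, sig = token.split("-")
            ts = int(ts_hex, 16)
        except (AttributeError, ValueError):
            return False  # malformed token: reject, never raise
        if not hmac.compare_digest(sig.encode(), self._sign(user, ts).encode()):
            return False  # tampered, wrong user, or stale user state
        now = int(time.time() if now is None else now)
        return 0 <= now - ts <= self.get_timeout(user)

class StaffAwareGenerator(TimedTokenGenerator):
    # Per-user policy from the ticket: staff must use the link within 15 minutes.
    def get_timeout(self, user):
        base = super().get_timeout(user)
        return min(base, 900) if user.get("is_staff") else base

if __name__ == "__main__":
    admin = {"pk": 1, "password_hash": "constructed-hash", "is_staff": True}  # constructed
    gen = StaffAwareGenerator(b"constructed-secret", timeout=3600)
    tok = gen.make_token(admin, now=1_700_000_000)
    print(gen.check_token(admin, tok, now=1_700_000_901))
```

The timeout is read at verification time rather than baked into the token, so shortening it immediately shortens the life of tokens that were already issued.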