#34876: Allow password reset token generator to configure timeouts
------------------------------------------------+------------------------
               Reporter:  Jake Howard           |          Owner:  nobody
                   Type:  Cleanup/optimization  |         Status:  new
              Component:  contrib.auth          |        Version:  4.2
               Severity:  Normal                |       Keywords:
           Triage Stage:  Unreviewed            |      Has patch:  1
    Needs documentation:  0                     |    Needs tests:  0
Patch needs improvement:  0                     |  Easy pickings:  0
                  UI/UX:  0                     |
------------------------------------------------+------------------------

Currently, `django.contrib.auth.tokens.PasswordResetTokenGenerator` uses `settings.PASSWORD_RESET_TIMEOUT` for the timeout value for a token.
In much the same way as the secret key(s) and hash algorithm used are configurable through instance attributes, it'd be very convenient if the timeout was too (defaulting to `settings.PASSWORD_RESET_TIMEOUT`, of course).

The token generator is a generic and useful token generator, and it can be helpful to use elsewhere. This is the only piece of configuration tied to password reset which isn't easily reconfigured.

A potential extension might be to pass the user into the getter for the token generator, allowing the timeout to be configured on a per-user basis (e.g. require admins to use the link sooner). A very niche feature, but trivial to implement during this refactor.

--
Ticket URL: <https://code.djangoproject.com/ticket/34876>
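An added sketch of the design the ticket describes, not Django's code and not the ticket's patch: a stdlib-only timestamped HMAC token generator whose timeout is an instance attribute, with a per-user `get_timeout(user)` hook. The class names, the dict-shaped user, the injectable clock and the 15-minute staff policy are assumptions made for illustration.

```python
import hmac
import time

DEFAULT_TIMEOUT = 60 * 60 * 24 * 3  # stand-in for settings.PASSWORD_RESET_TIMEOUT


class TimedTokenGenerator:
    """Hypothetical stand-alone generator; not Django's implementation."""

    def __init__(self, secret, timeout=None, algorithm="sha256", now=time.time):
        self.secret = secret  # bytes
        self.timeout = DEFAULT_TIMEOUT if timeout is None else timeout
        self.algorithm = algorithm
        self._now = now  # injectable clock so expiry can be tested

    def get_timeout(self, user):
        # Per-user hook: the extension suggested in the ticket.
        return self.timeout

    def _sign(self, user, ts):
        # Bind the MAC to user state so a password change invalidates the token.
        msg = f"{user['id']}:{user['password_hash']}:{ts}".encode()
        return hmac.new(self.secret, msg, self.algorithm).hexdigest()

    def make_token(self, user):
        ts = int(self._now())
        return f"{ts:x}-{self._sign(user, ts)}"

    def check_token(self, user, token):
        try:
            ts_hex, mac = token.split("-")
            ts = int(ts_hex, 16)
        except (AttributeError, ValueError):
            return False
        # Authenticate first; only then trust the embedded timestamp.
        expected = self._sign(user, ts).encode()
        if not hmac.compare_digest(expected, mac.encode()):
            return False
        return int(self._now()) - ts <= self.get_timeout(user)


class StaffAwareGenerator(TimedTokenGenerator):
    def get_timeout(self, user):
        # Constructed policy: staff links expire after at most 15 minutes.
        return min(self.timeout, 900) if user.get("is_staff") else self.timeout
```

Because the timeout is read at check time rather than baked into the token, shortening it takes effect for tokens that were already issued.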