#34876: Allow password reset token generator to configure timeouts
------------------------------------------------+------------------------
Reporter: Jake Howard | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: 4.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
Currently, `django.contrib.auth.tokens.PasswordResetTokenGenerator` uses
`settings.PASSWORD_RESET_TIMEOUT` for the timeout value for a token.
In much the same way as the secret key(s) and hash algorithm used are
configurable through instance attributes, it'd be very convenient if the
timeout was too (defaulting to `settings.PASSWORD_RESET_TIMEOUT`, of
course). The token generator is a generic and useful token generator, and
it can be helpful to use elsewhere. This is the only piece of
configuration tied to password reset which isn't easily reconfigured.
A potential extension might be to pass the user into the getter for the
token generator, allowing the timeout to be configured on a per-user basis
(eg require admins to use the link sooner). A very niche feature, but
trivial to implement during this refactor.
--
Ticket URL: <https://code.djangoproject.com/ticket/34876>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/0107018ad77f76a5-3d71340b-cb7c-4379-85eb-2243ea64f2f6-000000%40eu-central-1.amazonses.com.
