Re: Make timeout property for PasswordResetTokenGenerator

2022-08-24 Thread Carlton Gibson
Hey Robert. > ... the argument here is "we don't want to", but the reasoning behind that is unclear ... For me, the reasoning would be that we get several security reports against Django pretty much every week, and the extent to which we make security sensitive areas **generic** for the sake of

Re: Make timeout property for PasswordResetTokenGenerator

2022-08-24 Thread Contributions to Django itself
Hey Carlton, I'm reading through the replies and I feel like I'm missing the point completely. First some background - `PasswordResetTokenGenerator` is heavily referenced over the web (or more accurately - the `default_token_generator`) when it comes to account activation. I personally believe the

Re: Make timeout property for PasswordResetTokenGenerator

2022-08-23 Thread Carlton Gibson
Yes, likely. My point was (merely) that we **don't** want to add additional extension points to PasswordResetTokenGenerator. On Tue, 23 Aug 2022 at 12:58, Roger Gammans wrote: > Hi > > If it's intended as a reference implementation, then I would expect > PasswordResetTokenGenerator to use

Re: Make timeout property for PasswordResetTokenGenerator

2022-08-23 Thread Alexander Voloshchenko
Hi Carlton! I can understand what you're saying, and I don't think the TimestampSigner solution is bad. But again, it's a little unclear why in the end, in line 132 of https://github.com/django/django/blob/7e6b537f5b92be152779fc492bb908d27fe7c52a/django/contrib/auth/tokens.py#L132 we assign

Re: Make timeout property for PasswordResetTokenGenerator

2022-08-23 Thread Roger Gammans
Hi. If it's intended as a reference implementation, then I would expect PasswordResetTokenGenerator to use Signer or TimestampSigner internally, but I was surprised to discover that it didn't use either. Aren't those entry points the better API to advise for use rather than the direct use of

Re: Make timeout property for PasswordResetTokenGenerator

2022-08-23 Thread Carlton Gibson
Hi Alexander. I think the point from ticket #30423 is that we don't want to complicate PasswordResetTokenGenerator in order to make it into a more general purpose token generator. Much better is for you to take inspiration from it to implement what you need in your project. (It's the underlying

Re: Make timeout property for PasswordResetTokenGenerator

2022-08-23 Thread Alexander Voloshchenko
Hi Max! Thanks for your answer. But honestly, I don't really understand how you can check if super returns false not from the last 'if'. Now the function has 5 places where it can return False, and yes, we don't like the last case specifically. But to be honest I don't see a way to check the

RE: Make timeout property for PasswordResetTokenGenerator

2022-08-22 Thread Danilov Maxim
Hi Alexander. You can simply override ‘check_token’ to avoid this hardcoded settings.PASSWORD_RESET_TIMEOUT on line 57. And for your task it can be done with a super call and then an additional check. It is only some additional lines: MyClassFromPasswordResetTokenGenerator(…):
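The two approaches argued over in this thread, as an added example that is not part of any message above and not Django's own code: Maxim's "call super() and add a check" subclass, and the explicit timeout attribute Alexander is asking for. The generator mirrors the structure of django.contrib.auth.tokens.PasswordResetTokenGenerator (a base36 timestamp, a dash, and a keyed hash over user state that changes once the token is used) but is written dependency-free so it runs without Django; every class, salt and constant below is the example's own, and the users and timestamps are constructed for the demo. It shows why the super()-then-check pattern can only shorten the window, never lengthen it: once the parent has returned False for an expired token there is nothing left for the subclass to see.

```python
"""Added example (not Django's code): a reset/activation token generator with
an explicit timeout, structured like PasswordResetTokenGenerator."""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Stand-in for settings.PASSWORD_RESET_TIMEOUT (Django's default is 3 days).
PASSWORD_RESET_TIMEOUT = 3 * 24 * 3600
SECRET_KEY = b"example-secret-key-constructed-for-the-demo"
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def int_to_base36(n: int) -> str:
    """Encode a non-negative integer as lowercase base36, as Django does for the timestamp."""
    if n < 0:
        raise ValueError("negative timestamp")
    out = ""
    while True:
        n, r = divmod(n, 36)
        out = ALPHABET[r] + out
        if n == 0:
            return out


@dataclass
class User:
    pk: int
    email: str
    password: str              # the stored password hash in a real app
    last_login: Optional[int]  # unix seconds, None if the user never logged in
    is_active: bool = False


class TokenGenerator:
    key_salt = "example.TokenGenerator"
    timeout = PASSWORD_RESET_TIMEOUT  # the "timeout property" the thread asks for

    def _now(self) -> int:
        return int(time.time())

    def _hash_value(self, user: User) -> str:
        # Everything that must invalidate the token once it has been used:
        # password hash (reset), last_login (login), is_active (activation).
        login = "" if user.last_login is None else str(user.last_login)
        return f"{user.pk}{user.password}{login}{user.email}{user.is_active}"

    def _make_token_with_timestamp(self, user: User, ts: int) -> str:
        msg = (self.key_salt + self._hash_value(user) + str(ts)).encode()
        digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[::2]
        return f"{int_to_base36(ts)}-{digest}"

    def make_token(self, user: User) -> str:
        return self._make_token_with_timestamp(user, self._now())

    def check_token(self, user: Optional[User], token: Optional[str],
                    now: Optional[int] = None) -> bool:
        """Several early returns, like the real class; the timeout is the last one."""
        if not (user and token):
            return False
        try:
            ts_b36, _ = token.split("-", 1)
        except ValueError:
            return False
        if not ts_b36 or any(c not in ALPHABET for c in ts_b36):
            return False  # int(..., 36) would also accept '+', ' ' and '_'
        ts = int(ts_b36, 36)
        # Recompute and compare in constant time so the hash leaks nothing via timing.
        if not hmac.compare_digest(self._make_token_with_timestamp(user, ts), token):
            return False
        now = self._now() if now is None else now
        if now - ts > self.timeout:
            return False
        return True


class SubclassOnlyCheck(TokenGenerator):
    """Maxim's pattern: call super(), then add a check. This can only make
    validation stricter: an expired token was already rejected by super()."""
    activation_window = 3600

    def check_token(self, user, token, now=None):
        if not super().check_token(user, token, now):
            return False
        ts = int(token.split("-", 1)[0], 36)  # well-formed, super() accepted it
        now = self._now() if now is None else now
        return now - ts <= self.activation_window


class ActivationTokenGenerator(TokenGenerator):
    """With timeout as an attribute, a longer activation window is one line,
    and a distinct key_salt keeps reset tokens from doubling as activation tokens."""
    key_salt = "example.ActivationTokenGenerator"
    timeout = 7 * 24 * 3600


if __name__ == "__main__":
    alice = User(pk=1, email="alice@example.com", password="hash1", last_login=None)
    gen = TokenGenerator()
    tok = gen.make_token(alice)
    print(tok, gen.check_token(alice, tok), gen.check_token(alice, tok, now=gen._now() + 10**6))
```

Two things to keep when adapting this: the token must be rejected by constant-time comparison before the timestamp is trusted for anything, and any state that should burn the token (password hash, last login, activation flag) has to be part of the hashed value, which is the reason the real class binds to those fields rather than to a bare timestamp.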