Opened 5 years ago

Closed 5 years ago

#19871 closed New feature (wontfix)

Extend ResetPasswordTokenGenerator to handle arbitraty tokens

Reported by: cgenie@… Owned by: nobody
Component: Uncategorized Version: 1.4
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


The django.contrib.auth.tokens.ResetPasswordTokenGenerator is a useful class, but suitable only for doing one thing. It would be nice to extend it to support generating tokens for other events, like for example customer creation.
Here's the diff on

< class PasswordResetTokenGenerator(object):
> class AbstractTokenGenerator(object):
<         key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
>         key_salt = '%s.%s' % (self.__class__.__module__, self.__class__.__name__)
> class PasswordResetTokenGenerator(AbstractTokenGenerator):
>     pass

The ResetPasswordToken returns the same value for old and new version of code.

Change History (1)

comment:1 Changed 5 years ago by Carl Meyer

Resolution: wontfix
Status: newclosed

Thanks for the report! I don't think the proposed patch makes sense; the specific user data that is hashed in _make_token_with_timestamp is sensible for the password-reset (as outlined in the comment) but not necessarily for some other use; just changing the key salt doesn't magically make this a one-size-fits-all token generator. If you want to reuse some of this code, you can subclass and override the _make_token_with_timestamp method, and you probably should be doing that anyway.

Note: See TracTickets for help on using tickets.
Back to Top