Opened 7 years ago

Closed 7 years ago

Last modified 3 years ago

#28017 closed New feature (fixed)

Add option to specify a different secret to PasswordResetTokenGenerator

Reported by: Jann Haber
Owned by: Jann Haber
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

In the PasswordResetTokenGenerator class, it is very difficult to use a secret different from settings.SECRET_KEY. In Django however, it would be very easy to add an attribute "secret" to the class, which defaults to settings.SECRET_KEY and is handed to "salted_hmac" in the method "_make_token_with_timestamp".

Currently, one would have to overwrite the _make_token_with_timestamp method, which is not documented and likely to change, or one could misuse modify_settings or override_settings in production.

Our use case is that we have a site for our employees and a self-service site for customers, deployed on different servers and with different SECRET_KEYs. Both sites should be able to generate reset links for the self-service site.
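As an added example (not Django's code and not the patch attached to this ticket), a stand-alone Python model of the scheme the description outlines: a generator whose `secret` class attribute defaults to the deployment's SECRET_KEY and is handed to `salted_hmac` from `_make_token_with_timestamp`, then subclassed with a secret shared by the employee site and the self-service site. The secret values, the user record, the sha256 choice and the plain integer day count are constructed simplifications, not Django's actual defaults.

```python
import hashlib
import hmac
from datetime import date

# Stand-ins for each deployment's settings.SECRET_KEY and for the shared reset secret (constructed values).
EMPLOYEE_SECRET_KEY = "employee-site-secret-key"
SELF_SERVICE_SECRET_KEY = "self-service-secret-key"
SHARED_RESET_SECRET = "secret-shared-only-for-reset-links"
EPOCH = date(2001, 1, 1)  # tokens carry a day count from this date, as Django's do

def salted_hmac(key_salt, value, secret):
    # Model of django.utils.crypto.salted_hmac: key = H(key_salt + secret), then HMAC(value).
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, msg=value.encode(), digestmod=hashlib.sha256)

class PasswordResetTokenGenerator:
    key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
    secret = None  # the attribute this ticket adds; None means "use settings.SECRET_KEY"
    timeout_days = 3

    def __init__(self, settings_secret_key):
        self.settings_secret_key = settings_secret_key  # stands in for settings.SECRET_KEY

    def _make_token_with_timestamp(self, user, timestamp):
        secret = self.secret if self.secret is not None else self.settings_secret_key
        # Bind the token to the user id and password hash so a password change invalidates it.
        value = f"{user['pk']}{user['password']}{timestamp}"
        return f"{timestamp}-{salted_hmac(self.key_salt, value, secret).hexdigest()[::2]}"

    def make_token(self, user, today):
        return self._make_token_with_timestamp(user, (today - EPOCH).days)

    def check_token(self, user, token, today):
        try:
            ts = int(token.split("-", 1)[0])
        except ValueError:
            return False
        # Constant-time comparison of the recomputed token, then the expiry window.
        if not hmac.compare_digest(self._make_token_with_timestamp(user, ts), token):
            return False
        return (today - EPOCH).days - ts <= self.timeout_days

class SelfServiceResetTokenGenerator(PasswordResetTokenGenerator):
    secret = SHARED_RESET_SECRET  # same value configured on both deployments

def cross_site_check(shared_secret):
    # Mint on the employee site, verify on the self-service site: (accepted next day, accepted a week later).
    user = {"pk": 42, "password": "pbkdf2_sha256$constructed-hash"}
    cls = SelfServiceResetTokenGenerator if shared_secret else PasswordResetTokenGenerator
    token = cls(EMPLOYEE_SECRET_KEY).make_token(user, date(2024, 1, 1))
    return tuple(cls(SELF_SERVICE_SECRET_KEY).check_token(user, token, d) for d in (date(2024, 1, 2), date(2024, 1, 9)))
```

With the shared secret the self-service site accepts the employee-site token until it expires; with only per-deployment SECRET_KEYs it never does.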

Change History (7)

comment:1 by Jann Haber, 7 years ago

Owner: changed from nobody to Jann Haber
Status: new → assigned

comment:2 by Jann Haber, 7 years ago

Easy pickings: set
Has patch: set
Last edited 7 years ago by Tim Graham

comment:3 by Claude Paroz, 7 years ago

Triage Stage: Unreviewed → Accepted

comment:4 by Tim Graham, 7 years ago

Patch needs improvement: set

comment:5 by Jann Haber, 7 years ago

Patch needs improvement: unset

I updated the PR according to Tim's comments. Thank you for the review!

comment:6 by Tim Graham <timograham@…>, 7 years ago

Resolution: fixed
Status: assigned → closed

In c930c24:

Fixed #28017 -- Allowed customizing PasswordResetTokenGenerator's secret.

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In b13af47:

Refs #28017 -- Added test for PasswordResetTokenGenerator subclass with a custom secret.
