#28017 closed New feature (fixed)
Add option to specify a different secret to PasswordResetTokenGenerator
Reported by: | Jann Haber | Owned by: | Jann Haber |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Pull Requests: | | | |
Description
In the PasswordResetTokenGenerator class, it is very difficult to use a secret different from settings.SECRET_KEY. In Django, however, it would be very easy to add an attribute "secret" to the class, which defaults to settings.SECRET_KEY and is handed to "salted_hmac" in the method "_make_token_with_timestamp".
Currently, one would have to overwrite the _make_token_with_timestamp method, which is not documented and likely to change, or one could misuse modify_settings or override_settings in production.
Our use case is that we have a site for our employees and a self-service site for customers deployed on different servers and with different SECRET_KEYs. Both sites should be able to generate reset links for the self-service site.
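An added example, not part of the ticket and not Django's code: a stand-alone, standard-library model of the proposal, showing that a token issued on one site only verifies on the other when both generators use the same dedicated secret instead of their own SECRET_KEY. The class and constant names, the salt, the timeout and the token layout are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed values: each site's own SECRET_KEY and a secret both sites share.
EMPLOYEE_SECRET_KEY = "constructed-employee-site-key"
CUSTOMER_SECRET_KEY = "constructed-customer-site-key"
SHARED_RESET_SECRET = "constructed-shared-reset-secret"


class ResetTokenGenerator:
    """Stand-alone model of a timestamped HMAC reset token (not Django's code)."""
    key_salt = "example.ResetTokenGenerator"  # hypothetical salt
    secret = None   # the proposed attribute; None means "use the site key"
    timeout = 3600  # assumed validity window in seconds

    def __init__(self, site_secret_key):
        self.secret = self.secret or site_secret_key

    def _mac(self, user, ts):
        # The password hash is part of the MAC input, so a completed reset
        # invalidates every token issued before it.
        key = hashlib.sha256((self.key_salt + self.secret).encode()).digest()
        msg = f"{user['pk']}|{user['password_hash']}|{ts}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def make_token(self, user, now):
        return f"{now:x}-{self._mac(user, now)}"

    def check_token(self, user, token, now):
        try:
            ts_hex, mac = token.split("-")
            ts = int(ts_hex, 16)
        except ValueError:
            return False  # malformed token
        expected = self._mac(user, ts)
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        return 0 <= now - ts <= self.timeout


class SharedSecretGenerator(ResetTokenGenerator):
    secret = SHARED_RESET_SECRET  # same value deployed on both servers


def cross_site_check(generator_cls, now=1_700_000_000):
    """Issue on the employee site, verify on the customer self-service site."""
    user = {"pk": 42, "password_hash": "constructed-hash"}
    token = generator_cls(EMPLOYEE_SECRET_KEY).make_token(user, now)
    return generator_cls(CUSTOMER_SECRET_KEY).check_token(user, token, now + 60)
```

Keeping the shared value separate from either site's SECRET_KEY means a leak of it exposes only reset tokens, not sessions or other signed data on either server.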
Change History (7)
comment:1 by , 8 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 8 years ago
Easy pickings: | set |
---|---|
Has patch: | set |
comment:3 by , 8 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:4 by , 8 years ago
Patch needs improvement: | set |
---|
comment:5 by , 8 years ago
Patch needs improvement: | unset |
---|
I updated the PR according to Tim's comments. Thank you for the review!