Add option to specify a different secret to PasswordResetTokenGenerator
In the PasswordResetTokenGenerator class, it is very difficult to use a secret different from settings.SECRET_KEY. In Django however, it would be very easy to add an attribute "secret" to the class, which defaults to settings.SECRET_KEY and is handed to "salted_hmac" in the method "_make_token_with_timestamp".
Currently, one would have to overwrite the _make_token_with_timestamp method, which is not documented and likely to change, or one could misuse modify_settings or override_settings in production.
Our usecase is, that we have a site for our employees and a self-service-site for customers deployed on different servers and with different SECRET_KEYs. Both sites should be able to generate Reset-Links for the self-service site.
Change History
(7)
Owner: |
changed from nobody to Jann Haber
|
Status: |
new → assigned
|
Easy pickings: |
set
|
Has patch: |
set
|
Triage Stage: |
Unreviewed → Accepted
|
Patch needs improvement: |
set
|
Patch needs improvement: |
unset
|
Resolution: |
→ fixed
|
Status: |
assigned → closed
|
PR