#32407 closed New feature (wontfix)
Add token generator for email verification
Reported by: | Kobus van Schoor | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | auth, token |
Cc: | Alex Gaynor | Triage Stage: | Unreviewed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
An email verification token generator similar to the existing contrib.auth.tokens.PasswordResetTokenGenerator which generates a token that stays valid even if the user has logged in or changed their password.
Change History (3)
comment:1 by , 4 years ago
Cc: | added |
---|---|
Resolution: | → wontfix |
Status: | new → closed |
Thanks for this ticket, however a token should be rejected after changing a password or an email (see #26615). I don't think that we would like to encourage users to keep tokens valid after such changes by providing a builtin generator which behaves differently.
comment:2 by , 4 years ago
Thanks for the feedback, please note that this is a new generator separate from the PasswordResetTokenGenerator which still has tokens that are invalidated when the user logs in/changes their password. This new generator is specifically for generating tokens that are used to validate a user's email, hence the more relaxed conditions (since a user won't expect an email verification token to be invalidated after logging in). I can add the user's password back to the hash generation so that changing your password still invalidates the token?
comment:3 by , 4 years ago
Ahh, sorry, I misunderstood your intentions. You want to have a token generator for an email verification. Nevertheless, I don't think this needs to be included in Django, because an implementation is straightforward and it will not be used by Django itself. You can start a discussion on DevelopersMailingList if you don't agree.
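The question argued in this ticket is which user state gets bound into the token. The sketch below is an added example, not the ticket's patch and not Django's code; it uses only the standard library, and `User`, `SECRET`, `MAX_AGE`, `make_token` and `check_token` are hypothetical names. It signs the password hash and email but leaves out the last-login time, so logging in keeps the token valid while a password or email change rejects it.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: stands in for the app's secret key
MAX_AGE = 3 * 24 * 3600              # assumption: three-day validity window


@dataclass
class User:  # hypothetical minimal user record, not a Django model
    pk: int
    email: str
    password_hash: str
    last_login: Optional[int] = None


def _state(user: User, ts: int) -> bytes:
    # State covered by the MAC. last_login is deliberately absent, so a login
    # does not invalidate the token; password_hash and email are present, so
    # changing either one does. repr() of a tuple keeps the fields unambiguous.
    return repr((user.pk, user.password_hash, user.email, ts)).encode()


def _mac(user: User, ts: int) -> str:
    return hmac.new(SECRET, _state(user, ts), hashlib.sha256).hexdigest()


def make_token(user: User, now: Optional[int] = None) -> str:
    ts = int(time.time() if now is None else now)
    return f"{ts:x}-{_mac(user, ts)}"


def check_token(user: User, token: str, now: Optional[int] = None) -> bool:
    now = int(time.time() if now is None else now)
    try:
        ts_hex, mac = token.split("-", 1)
        ts = int(ts_hex, 16)
    except (AttributeError, ValueError):
        return False  # malformed token
    # Constant-time comparison against the MAC recomputed from current state.
    if not hmac.compare_digest(mac.encode(), _mac(user, ts).encode()):
        return False
    # Reject tokens from the future or older than the validity window.
    return 0 <= now - ts <= MAX_AGE
```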