#32407 closed New feature (wontfix)
Add token generator for email verification
| Reported by: | Kobus van Schoor | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | auth, token |
| Cc: | Alex Gaynor | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
An email verification token generator similar to the existing contrib.auth.tokens.PasswordResetTokenGenerator which generates a token that stays valid even if the user has logged in or changed their password
Change History (3)
comment:1 by , 3 years ago
| Cc: | added |
|---|---|
| Resolution: | → wontfix |
| Status: | new → closed |
comment:2 by , 3 years ago
Thanks for the feedback, please note that this is a new generator separate from the PasswordResetTokenGenerator which still has tokens that are invalidated when the user logs in/changes their password. This new generator is specifically for generating tokens that are used to validate a user's email, hence the more relaxed conditions (since a user won't expect a email verification token to be invalidated after logging in). I can add the user's password back to the hash generation so that changing your password still invalidates the token?
comment:3 by , 3 years ago
Ahh, sorry, I misunderstood your intentions. You want to have a token generator for an email verification. Nevertheless, I don't think this need to be included to Django, because an implementation is straightforward and it will not be used by Django itself. You can start a discussion on DevelopersMailingList if you don't agree.
Thanks for this ticket, however token should be rejected after changing a password or an email (see #26615). I don't think that we would like to encourage users to keep tokens valid after such changes by providing a builtin generator which behaves differently.