```python
# Excerpt from Django's django.contrib.auth.tokens.PasswordResetTokenGenerator.
# The class header and the datetime import are reconstructed from context so the
# excerpt is importable; only the method bodies below appear on this page.
from datetime import datetime


class PasswordResetTokenGenerator:
    # Final line of the preceding method, _make_token_with_timestamp(); the rest
    # of that method is not shown on this page:
    #     return "%s-%s" % (ts_b36, hash_string)

    def _make_hash_value(self, user, timestamp):
        """
        Hash the user's primary key, email (if available), and some user state
        that's sure to change after a password reset to produce a token that is
        invalidated when it's used:
        1. The password field will change upon a password reset (even if the
           same password is chosen, due to password salting).
        2. The last_login field will usually be updated very shortly after
           a password reset.
        Failing those things, settings.PASSWORD_RESET_TIMEOUT eventually
        invalidates the token.

        Running this data through salted_hmac() prevents password cracking
        attempts using the reset token, provided the secret isn't compromised.
        """
        # Truncate microseconds so that tokens are consistent even if the
        # database doesn't support microseconds.
        login_timestamp = (
            ""
            if user.last_login is None
            else user.last_login.replace(microsecond=0, tzinfo=None)
        )
        email_field = user.get_email_field_name()
        email = getattr(user, email_field, "") or ""
        return f"{user.pk}{user.password}{login_timestamp}{timestamp}{email}"

    def _num_seconds(self, dt):
        # Seconds since 2001-01-01; base-36 encoded, this stays 6 characters long
        # for decades, which keeps the token short.
        return int((dt - datetime(2001, 1, 1)).total_seconds())
```