hub / github.com/django/django / _make_hash_value

Method _make_hash_value

django/contrib/auth/tokens.py:98–122

Hash the user's primary key, email (if available), and some user state that's sure to change after a password reset to produce a token that is invalidated when it's used: 1. The password field will change upon a password reset (even if the same password is

(self, user, timestamp)

Source from the content-addressed store, hash-verified

 96          return "%s-%s" % (ts_b36, hash_string)
 97
 98      def _make_hash_value(self, user, timestamp):
 99          """
100          Hash the user's primary key, email (if available), and some user state
101          that's sure to change after a password reset to produce a token that is
102          invalidated when it's used:
103          1. The password field will change upon a password reset (even if the
104             same password is chosen, due to password salting).
105          2. The last_login field will usually be updated very shortly after
106             a password reset.
107          Failing those things, settings.PASSWORD_RESET_TIMEOUT eventually
108          invalidates the token.
109
110          Running this data through salted_hmac() prevents password cracking
111          attempts using the reset token, provided the secret isn't compromised.
112          """
113          # Truncate microseconds so that tokens are consistent even if the
114          # database doesn't support microseconds.
115          login_timestamp = (
116              ""
117              if user.last_login is None
118              else user.last_login.replace(microsecond=0, tzinfo=None)
119          )
120          email_field = user.get_email_field_name()
121          email = getattr(user, email_field, "") or ""
122          return f"{user.pk}{user.password}{login_timestamp}{timestamp}{email}"
123
124      def _num_seconds(self, dt):
125          return int((dt - datetime(2001, 1, 1)).total_seconds())
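The invalidation behaviour the docstring describes can be seen by recomputing the MAC against a user whose state has changed. This is an added example, not Django's code or part of the original page. Assumptions: `DemoUser` and `SECRET` are hypothetical stand-ins, plain HMAC-SHA256 replaces `salted_hmac()`, the timestamp prefix is decimal rather than base36, and the `PASSWORD_RESET_TIMEOUT` check is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Optional

SECRET = b"constructed-demo-secret"  # assumption: stands in for the site secret

@dataclass(frozen=True)
class DemoUser:  # hypothetical stand-in for a Django user model
    pk: int
    password: str  # stored password hash string (constructed sample values)
    last_login: Optional[datetime]
    email: str = ""

    def get_email_field_name(self):
        return "email"

def make_hash_value(user, timestamp):
    # Same field concatenation as _make_hash_value in the listing above.
    login_timestamp = (
        ""
        if user.last_login is None
        else user.last_login.replace(microsecond=0, tzinfo=None)
    )
    email = getattr(user, user.get_email_field_name(), "") or ""
    return f"{user.pk}{user.password}{login_timestamp}{timestamp}{email}"

def make_token(user, timestamp):
    # Assumption: plain HMAC-SHA256 here, not Django's salted_hmac().
    value = make_hash_value(user, timestamp).encode()
    return f"{timestamp}-{hmac.new(SECRET, value, hashlib.sha256).hexdigest()}"

def check_token(user, token):
    # Recompute from the user's current state; any changed field breaks the match.
    ts = token.partition("-")[0]
    if not ts.isdigit():
        return False
    return hmac.compare_digest(make_token(user, int(ts)).encode(), token.encode())

def demo():
    before = DemoUser(7, "algo$saltA$hashA", None, "a@example.com")
    token = make_token(before, 750000000)
    logged = replace(before, last_login=datetime(2024, 10, 7, 12, 0, 5, 123456))
    return {
        "unchanged": check_token(before, token),
        "after_reset": check_token(replace(before, password="algo$saltB$hashB"), token),
        "after_login": check_token(logged, token),
        "after_email_change": check_token(replace(before, email="b@example.com"), token),
        "microseconds_ignored": check_token(replace(logged, last_login=datetime(2024, 10, 7, 12, 0, 5)), make_token(logged, 750000000)),
    }
```

Calling `demo()` returns one boolean per scenario; only the unchanged user and the microsecond-only difference still validate.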

Callers 1

Calls 1

get_email_field_name · Method · 0.80

Tested by

no test coverage detected