Commit 28bbe2e6 authored by Bruno Renié's avatar Bruno Renié

Customize token expiration with a setting

parent ad24197e
......@@ -41,8 +41,9 @@ What you can do
* Use custom forms if you need something else than searching for username
`or` email, or search case-insensitively.
* Use a custom salt or expiration time for tokens.
* Use a custom salt or expiration time for tokens (expiration via
``PASSWORD_RESET_TOKEN_EXPIRES`` setting).
* Allow password recovery for all users (default) or only for active users (via `RECOVER_ONLY_ACTIVE_USERS=False` setting)
* Allow password recovery for all users (default) or only for active users (via ``RECOVER_ONLY_ACTIVE_USERS=False`` setting)
See the next section.
......@@ -114,10 +114,17 @@ recover = Recover.as_view()
class Reset(SaltMixin, generic.FormView):
form_class = PasswordResetForm
token_expires = 3600 * 48 # Two days
token_expires = None
template_name = 'password_reset/reset.html'
success_url = reverse_lazy('password_reset_done')
def get_token_expires(self):
duration = getattr(settings, 'PASSWORD_RESET_TOKEN_EXPIRES',
self.token_expires)
if duration is None:
duration = 3600 * 48 # Two days
return duration
@method_decorator(sensitive_post_parameters('password1', 'password2'))
def dispatch(self, request, *args, **kwargs):
self.request = request
......@@ -126,7 +133,8 @@ class Reset(SaltMixin, generic.FormView):
self.user = None
try:
pk = signing.loads(kwargs['token'], max_age=self.token_expires,
pk = signing.loads(kwargs['token'],
max_age=self.get_token_expires(),
salt=self.salt)
except signing.BadSignature:
return self.invalid()
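Review bot: In `get_token_expires`, the `PASSWORD_RESET_TOKEN_EXPIRES` setting overrides the view's own `token_expires`, so a subclass that sets a shorter lifetime on the class is silently ignored once the project defines the setting. For a password-reset token the per-view value should probably win, with the setting and then the two-day default as fallbacks. The result is also handed to `signing.loads` as `max_age` without any check, so a zero, negative or non-numeric setting decides how long reset links stay valid; rejecting it here makes the misconfiguration visible. The sketch below assumes the value is a number of seconds, as the `3600 * 48` default suggests. The body of `dispatch` continues outside the second hunk.

```python
    def get_token_expires(self):
        # A lifetime set on the view wins over the project-wide setting.
        duration = self.token_expires
        if duration is None:
            duration = getattr(settings, 'PASSWORD_RESET_TOKEN_EXPIRES', None)
        if duration is None:
            duration = 3600 * 48  # Two days
        # Fail loudly on a misconfigured lifetime instead of passing it on.
        if not isinstance(duration, (int, float)) or duration <= 0:
            raise ValueError(
                'PASSWORD_RESET_TOKEN_EXPIRES must be a positive number of seconds')
        return duration
```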
......