From 6387d9d41fa9c4292a010bdae16feb349cb3c94a Mon Sep 17 00:00:00 2001 From: Matt Robenolt Date: Sun, 19 Apr 2015 18:51:18 -0700 Subject: [PATCH] Refactored PasswordResetTokenGenerator to be a bit more extensible. --- django/contrib/auth/tokens.py | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py index b925c21eff..45145ab87d 100644 --- a/django/contrib/auth/tokens.py +++ b/django/contrib/auth/tokens.py @@ -11,6 +11,8 @@ class PasswordResetTokenGenerator(object): Strategy object used to generate and check tokens for the password reset mechanism. """ + key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator" + def make_token(self, user): """ Returns a token that can be used once to do a password reset @@ -54,15 +56,20 @@ class PasswordResetTokenGenerator(object): # last_login will also change), we produce a hash that will be # invalid as soon as it is used. # We limit the hash to 20 chars to keep URL short - key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator" + hash = salted_hmac( + self.key_salt, + self._make_hash_value(user, timestamp), + ).hexdigest()[::2] + return "%s-%s" % (ts_b36, hash) + + def _make_hash_value(self, user, timestamp): # Ensure results are consistent across DB backends login_timestamp = '' if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None) - - value = (six.text_type(user.pk) + user.password + - six.text_type(login_timestamp) + six.text_type(timestamp)) - hash = salted_hmac(key_salt, value).hexdigest()[::2] - return "%s-%s" % (ts_b36, hash) + return ( + six.text_type(user.pk) + user.password + + six.text_type(login_timestamp) + six.text_type(timestamp) + ) def _num_days(self, dt): return (dt - date(2001, 1, 1)).days
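Review bot: The new `key_salt` class attribute in the first hunk carries no comment on what overriding it implies, yet it is the value fed to `salted_hmac()` in the second hunk, so a subclass that changes it (or a refactor that alters the dotted path it mirrors) would make every already-issued reset token fail verification. A one-line comment above it would make that explicit: `# Salt for salted_hmac(); overridable, but any change invalidates all outstanding reset tokens.` The enclosing class `PasswordResetTokenGenerator` continues beyond this hunk.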
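Review bot: `_make_hash_value` is introduced as the extension point for subclasses but has no docstring stating its security contract: the token's single-use property rests on the returned string including state that changes on a reset (`user.password`, the salted hash) and on the next login (`login_timestamp`), with `timestamp` bounding the token's lifetime, so an override that drops any of these would appear to leave tokens reusable until the expiry window closes. A docstring saying that the method returns the string HMACed for this user, that it must keep the primary key, the password hash and last_login so a token stops verifying once used, and that the timestamp bounds its lifetime, would capture this for the next maintainer. Because the fields are concatenated without a separator, the docstring could also warn overrides not to append free-form, variable-length values that could make two distinct users' inputs collide. The `hash` local shadows the builtin, but that predates this change; the enclosing method starts before this hunk.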