Fixed #29289 -- Clarified PasswordResetTokenGenerator comment regarding the data hashed to generate tokens.

Thanks Luke Plant for the draft text.
2018-04-06 11:05:51 -04:00 · 2018-04-06 11:05:51 -04:00 · 85d853b2d3
parent 5d4d62bf4f
commit 85d853b2d3
1 changed files with 17 additions and 10 deletions
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@ -55,23 +55,30 @@ class PasswordResetTokenGenerator:
        # timestamp is number of days since 2001-1-1.  Converted to
        # base 36, this gives us a 3 digit string until about 2121
        ts_b36 = int_to_base36(timestamp)
-
-        # By hashing on the internal state of the user and using state
-        # that is sure to change (the password salt will change as soon as
-        # the password is set, at least for current Django auth, and
-        # last_login will also change), we produce a hash that will be
-        # invalid as soon as it is used.
-        # We limit the hash to 20 chars to keep URL short
-
        hash = salted_hmac(
            self.key_salt,
            self._make_hash_value(user, timestamp),
            secret=self.secret,
-        ).hexdigest()[::2]
+        ).hexdigest()[::2]  # Limit to 20 characters to shorten the URL.
        return "%s-%s" % (ts_b36, hash)

    def _make_hash_value(self, user, timestamp):
-        # Ensure results are consistent across DB backends
+        """
+        Hash the user's primary key and some user state that's sure to change
+        after a password reset to produce a token that invalidated when it's
+        used:
+        1. The password field will change upon a password reset (even if the
+           same password is chosen, due to password salting).
+        2. The last_login field will usually be updated very shortly after
+           a password reset.
+        Failing those things, settings.PASSWORD_RESET_TIMEOUT_DAYS eventually
+        invalidates the token.
+
+        Running this data through salted_hmac() prevents password cracking
+        attempts using the reset token, provided the secret isn't compromised.
+        """
+        # Truncate microseconds so that tokens are consistent even if the
+        # database doesn't support microseconds.
        login_timestamp = '' if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None)
        return str(user.pk) + user.password + str(login_timestamp) + str(timestamp)