
How can reset password link expire after set new password #29

Closed
bolerap opened this issue Oct 17, 2018 · 5 comments

Comments


bolerap commented Oct 17, 2018

hi all,
I want the reset password link to expire after the user clicks it in the email and sets a new password. How can I achieve this?
Thanks.

@apragacz (Owner)

@thanhngvpt
Currently there is no way to do that. This is because we are basing the validity of the reset password link only on the URL parameters. In other words, we are not using the DB state when verifying the signature.

The link will be invalid after some time anyway; you can change the validity period if you want. In the case of the reset password link, the default period is 1 day, as shown below:

'RESET_PASSWORD_VERIFICATION_PERIOD': datetime.timedelta(days=1),

If you really want the link to work only one time after it is "used", my guess is we could add an option RESET_PASSWORD_VERIFICATION_ONE_TIME_USE (disabled by default).

If RESET_PASSWORD_VERIFICATION_ONE_TIME_USE is enabled, we would make the signing/verification salt dependent on the current user password hash (stored in the database). If one would "use" the link (or in other words would change the password), the salt would change, so the signature from the signed URL would be invalid.

What do you think about this idea? Is changing the validity period good enough for you or would you like this RESET_PASSWORD_VERIFICATION_ONE_TIME_USE option to be added?
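The salt-from-password-hash idea above, as an added stand-alone illustration (not django-rest-registration's code, and not a substitute for Django's signing): the salt mixes in the stored password hash, so a link signed before a password change no longer verifies, and a one-day period still bounds unused links. The secret key, user record and URL are constructed for the demo.

```python
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed sample secret; this is not django-rest-registration code.
SECRET_KEY = b"constructed-secret-key-for-demo-only"
BASE_SALT = "reset-password-verification"
VERIFICATION_PERIOD = 24 * 60 * 60  # one day, the default period named in the thread


def _salt(user):
    # Mix the current password hash into the salt, so a password change
    # invalidates every link signed before it (the one-time-use idea).
    return f"{BASE_SALT}:{user['password_hash']}"


def _sign(payload, salt):
    key = hashlib.sha256(SECRET_KEY + salt.encode()).digest()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_reset_link(user, now=None):
    ts = int(now if now is not None else time.time())
    payload = json.dumps({"user_id": user["id"], "timestamp": ts}, sort_keys=True).encode()
    token = urlsafe_b64encode(payload).decode()
    return f"https://example.invalid/reset?token={token}&sig={_sign(payload, _salt(user))}"


def verify_reset_link(link, users_by_id, now=None):
    # Returns the user id on success, None on tampering, expiry, or an already-used link.
    params = dict(part.split("=", 1) for part in link.split("?", 1)[1].split("&"))
    payload = urlsafe_b64decode(params["token"])
    data = json.loads(payload)
    user = users_by_id.get(data.get("user_id"))
    if user is None:
        return None
    if not hmac.compare_digest(_sign(payload, _salt(user)), params["sig"]):
        return None
    now = now if now is not None else time.time()
    if now - data["timestamp"] > VERIFICATION_PERIOD:
        return None
    return user["id"]


def set_password(user, new_password):
    # Stand-in for Django's set_password(): changing the stored hash changes the salt.
    user["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
```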

apragacz added a commit that referenced this issue Oct 21, 2018
Added RESET_PASSWORD_VERIFICATION_ONE_TIME_USE setting
apragacz added a commit that referenced this issue Oct 22, 2018
Added RESET_PASSWORD_VERIFICATION_ONE_TIME_USE setting
@apragacz (Owner)

@thanhngvpt I put the idea into commit ec31cb7; if you have any comments, you're welcome. If not, I will merge it next weekend and release a new version.


bolerap commented Oct 22, 2018

@apragacz great, thank you for your hard work. I think an active link and one-time password reset are really useful, and in my case it's required.

@apragacz (Owner)

@thanhngvpt I released a new version, 0.3.13, which contains the change. You will need to set the key 'RESET_PASSWORD_VERIFICATION_ONE_TIME_USE' to True in your REST_REGISTRATION setting to enable this feature.


lock bot commented Oct 23, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Oct 23, 2019