[Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
----------------------------------------+------------------------
               Reporter:  nijaaam       |          Owner:  nobody
                   Type:  New feature   |         Status:  new
              Component:  Core (Other)  |        Version:  master
               Severity:  Normal        |       Keywords:
           Triage Stage:  Unreviewed    |      Has patch:  0
    Needs documentation:  0             |    Needs tests:  0
Patch needs improvement:  0             |  Easy pickings:  0
                  UI/UX:  0             |
----------------------------------------+------------------------
 Currently, the settings only have PASSWORD_RESET_TIMEOUT_DAYS for expiring
 tokens, which means it is impossible to set the timeout to hours/minutes.

 In many applications a day is far too long and doesn't meet security
 requirements.

 It should be possible to configure it using a timedelta for arbitrary
 expiry.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

--
You received this message because you are subscribed to the Google Groups "Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-updates/050.c4251985337e78d1f602f8c2a6cd4b78%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
     Reporter:  Nijamudeen    |                    Owner:  nobody
         Type:  New feature   |                   Status:  new
    Component:  Core (Other)  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:                |             Triage Stage:  Accepted
    Has patch:  0             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------
Changes (by Simon Charette):

 * stage:  Unreviewed => Accepted


Comment:

 Not sure if we should allow non-integer values to be passed to
 `PASSWORD_RESET_TIMEOUT_DAYS` or deprecate the setting for a new one
 which is seconds based (`PASSWORD_RESET_TIMEOUT`), but this request makes a
 lot of sense.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:1>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
     Reporter:  Nijamudeen    |                    Owner:  Zach Liu
         Type:  New feature   |                   Status:  assigned
    Component:  Core (Other)  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:                |             Triage Stage:  Accepted
    Has patch:  0             |      Needs documentation:  1
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------
Changes (by Zach Liu):

 * status:  new => assigned
 * cc: Zach Liu (added)
 * owner:  nobody => Zach Liu
 * needs_docs:  0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:2>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
     Reporter:  Nijamudeen    |                    Owner:  Zach Liu
         Type:  New feature   |                   Status:  assigned
    Component:  Core (Other)  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:                |             Triage Stage:  Accepted
    Has patch:  0             |      Needs documentation:  1
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------

Comment (by Zach Liu):

 I think using PASSWORD_RESET_TIMEOUT which takes seconds makes better
 sense. To support backward compatibility, I think we should keep
 PASSWORD_RESET_TIMEOUT_DAYS and its default value of 3. Only use
 PASSWORD_RESET_TIMEOUT when provided. Does it sound like a good idea?

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:3>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
     Reporter:  Nijamudeen    |                    Owner:  Zach Liu
         Type:  New feature   |                   Status:  assigned
    Component:  Core (Other)  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:                |             Triage Stage:  Accepted
    Has patch:  0             |      Needs documentation:  1
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------

Comment (by Simon Charette):

 Supporting `PASSWORD_RESET_TIMEOUT_DAYS` during the deprecation period
 makes sense but it should eventually be superseded by
 `PASSWORD_RESET_TIMEOUT`. I suggest you take a look at how the
 `MIDDLEWARE_CLASSES` to `MIDDLEWARE` transition was handled to figure out
 how this should be done.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:4>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
     Reporter:  Nijamudeen    |                    Owner:  Zach Liu
         Type:  New feature   |                   Status:  assigned
    Component:  Core (Other)  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:                |             Triage Stage:  Accepted
    Has patch:  0             |      Needs documentation:  1
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------

Comment (by Tim Graham):

 Before coding, please get a consensus on how to proceed on the
 DevelopersMailingList. I like the readability benefits of the `timedelta`
 proposal (compared to interpreting a number of seconds in a settings file,
 even if that could be somewhat mitigated by writing
 `PASSWORD_RESET_TIMEOUT = 60 * 60 * 24 * 3`) but I'm unsure on the best
 approach.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:5>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
     Reporter:  Nijamudeen    |                    Owner:  Zach Liu
         Type:  New feature   |                   Status:  assigned
    Component:  Core (Other)  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:                |             Triage Stage:  Accepted
    Has patch:  0             |      Needs documentation:  1
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------

Comment (by Zach Liu):

 Replying to [comment:4 Simon Charette]:
 > Supporting `PASSWORD_RESET_TIMEOUT_DAYS` during the deprecation period
 > makes sense but it should eventually be superseded by
 > `PASSWORD_RESET_TIMEOUT`. I suggest you take a look at how the
 > `MIDDLEWARE_CLASSES` to `MIDDLEWARE` transition was handled to figure out
 > how this should be done.

 Hi Simon, you mentioned the MIDDLEWARE_CLASSES to MIDDLEWARE transition; can
 you point me to where I can find the reference? Thanks.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:6>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
------------------------------+------------------------------------
     Reporter:  Nijamudeen    |                    Owner:  Zach Liu
         Type:  New feature   |                   Status:  assigned
    Component:  Core (Other)  |                  Version:  master
     Severity:  Normal        |               Resolution:
     Keywords:                |             Triage Stage:  Accepted
    Has patch:  0             |      Needs documentation:  1
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+------------------------------------

Comment (by Zach Liu):

 [https://github.com/django/django/pull/9173] PR for the ticket.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:7>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
--------------------------------------+------------------------------------
     Reporter:  Nijamudeen            |                    Owner:  Zach Liu
         Type:  Cleanup/optimization  |                   Status:  assigned
    Component:  contrib.auth          |                  Version:  master
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  1                     |      Needs documentation:  1
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------
Changes (by Tim Graham):

 * component:  Core (Other) => contrib.auth
 * has_patch:  0 => 1
 * type:  New feature => Cleanup/optimization


Comment:

 Please uncheck "Needs documentation" if it's added to the patch.

 [https://groups.google.com/d/topic/django-developers/65iOQunvkPY/discussion django-developers discussion]

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:8>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
--------------------------------------+------------------------------------
     Reporter:  Nijamudeen            |                    Owner:  Zach Liu
         Type:  Cleanup/optimization  |                   Status:  assigned
    Component:  contrib.auth          |                  Version:  master
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  1                     |      Needs documentation:  1
  Needs tests:  0                     |  Patch needs improvement:  0
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------

Comment (by Nahuel):

 Hello,

 About the token generation, is there any reason that it is only attached to
 the password resetting feature?
 Shouldn't it be useful in many other cases?

 I mean, this can be helpful in many other cases that need temporary
 auto-login through the URL.

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:9>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
     Reporter:  Nijamudeen           |                    Owner:  Hasan Ramezani
         Type:  Cleanup/optimization |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Hasan Ramezani):

 * owner:  Zach Liu => Hasan Ramezani
 * needs_docs:  1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:10>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
     Reporter:  Nijamudeen           |                    Owner:  Hasan Ramezani
         Type:  Cleanup/optimization |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by felixxm):

 * needs_better_patch:  0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:11>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
     Reporter:  Nijamudeen           |                    Owner:  Hasan Ramezani
         Type:  Cleanup/optimization |                   Status:  closed
    Component:  contrib.auth         |                  Version:  master
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"226ebb17290b604ef29e82fb5c1fbac3594ac163" 226ebb1]:
 {{{
 #!CommitTicketReference repository=""
 revision="226ebb17290b604ef29e82fb5c1fbac3594ac163"
 Fixed #28622 -- Allowed specifying password reset link expiration in
 seconds and deprecated PASSWORD_RESET_TIMEOUT_DAYS.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:12>

Re: [Django] #28622: Allow password reset token to expire in under a day

#28622: Allow password reset token to expire in under a day
-------------------------------------+-------------------------------------
     Reporter:  Nijamudeen           |                    Owner:  Hasan Ramezani
         Type:  Cleanup/optimization |                   Status:  closed
    Component:  contrib.auth         |                  Version:  master
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  1
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

 In [changeset:"45304e444e0d780ceeb5fc03e6761569dfe17ab2" 45304e44]:
 {{{
 #!CommitTicketReference repository=""
 revision="45304e444e0d780ceeb5fc03e6761569dfe17ab2"
 Refs #28622 -- Clarified security implications of PASSWORD_RESET_TIMEOUT.
 }}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28622#comment:13>

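The design this thread converges on (a seconds-based PASSWORD_RESET_TIMEOUT, the deprecated PASSWORD_RESET_TIMEOUT_DAYS still honoured with a warning during the deprecation period as Zach Liu and Simon Charette discuss, and a token whose age is compared against that timeout) as an added, self-contained example. This is not Django's code or the ticket's patch; Settings, resolve_reset_timeout and ResetTokenGenerator are names assumed here, and the token layout is a simplified stand-in for the real generator.

```python
# Added example, not Django's code: a seconds-based PASSWORD_RESET_TIMEOUT with
# a deprecation shim for PASSWORD_RESET_TIMEOUT_DAYS, plus a timestamped keyed
# token checked against that timeout. All names here are assumed, not Django's.
import hashlib
import hmac
import time
import warnings
from datetime import timedelta

DEFAULT_TIMEOUT_SECONDS = 3 * 24 * 60 * 60  # the old 3-day default, in seconds


class Settings:
    """Minimal stand-in for a settings module (constructed for this example)."""

    def __init__(self, **values):
        self.__dict__.update(values)


def resolve_reset_timeout(settings):
    """Return the reset-link lifetime in seconds.

    PASSWORD_RESET_TIMEOUT (seconds or a timedelta) is used when provided;
    otherwise the deprecated PASSWORD_RESET_TIMEOUT_DAYS is still honoured,
    with a warning, as MIDDLEWARE_CLASSES was during its deprecation period.
    """
    new = getattr(settings, "PASSWORD_RESET_TIMEOUT", None)
    old = getattr(settings, "PASSWORD_RESET_TIMEOUT_DAYS", None)
    if new is not None and old is not None:  # added check: refuse ambiguity
        raise ValueError("set PASSWORD_RESET_TIMEOUT or _DAYS, not both")
    if new is not None:
        seconds = int(new.total_seconds()) if isinstance(new, timedelta) else int(new)
    elif old is not None:
        warnings.warn("PASSWORD_RESET_TIMEOUT_DAYS is deprecated; use "
                      "PASSWORD_RESET_TIMEOUT (seconds).", DeprecationWarning)
        seconds = int(old) * 24 * 60 * 60
    else:
        seconds = DEFAULT_TIMEOUT_SECONDS
    if seconds <= 0:
        raise ValueError("the reset timeout must be a positive number of seconds")
    return seconds


class ResetTokenGenerator:
    """Token "<unix timestamp>-<hmac>" keyed with a server secret; shaped like a
    password reset token but simplified, not Django's PasswordResetTokenGenerator."""

    def __init__(self, secret, timeout_seconds):
        self.secret = secret
        self.timeout = timeout_seconds

    def _sign(self, user_id, password_hash, ts):
        # Binding the current password hash means a completed reset invalidates
        # any token issued before it, independently of the timeout.
        msg = f"{user_id}:{password_hash}:{ts}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]

    def make_token(self, user_id, password_hash, now=None):
        ts = int(time.time() if now is None else now)
        return f"{ts}-{self._sign(user_id, password_hash, ts)}"

    def check_token(self, user_id, password_hash, token, now=None):
        try:
            ts_str, sig = token.split("-", 1)
            ts = int(ts_str)
        except (ValueError, AttributeError):
            return False  # malformed token
        if not hmac.compare_digest(sig, self._sign(user_id, password_hash, ts)):
            return False  # forged, or the password changed since issue
        age = int(time.time() if now is None else now) - ts
        return 0 <= age <= self.timeout  # seconds; future-dated tokens rejected
```

With PASSWORD_RESET_TIMEOUT = 900 a link dies after fifteen minutes, which the old days-only setting could not express.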