What is the best way to generate a reset token in Python?

無奈伤痛 2021-02-05 15:46

I'm trying to make a validation process for a password reset. What I've used are two values: the epoch time, and I want to use the user's old password (pbkdf2) as a key,

2 answers
  • 2021-02-05 16:28

    Easiest way by far is to use the ItsDangerous library:

    You can serialize and sign a user ID for unsubscribing of newsletters into URLs. This way you don’t need to generate one-time tokens and store them in the database. Same thing with any kind of activation link for accounts and similar things.

    You can also embed a timestamp, so it's very easy to set time periods without having to involve databases or queues. It's all cryptographically signed, so you can easily see if it's been tampered with.

    >>> from itsdangerous import TimestampSigner
    >>> s = TimestampSigner('secret-key')
    >>> string = s.sign('foo')
    >>> s.unsign(string, max_age=5)
    Traceback (most recent call last):
      ...
    itsdangerous.SignatureExpired: Signature age 15 > 5 seconds
    
  • 2021-02-05 16:41

    Not sure it's the best way, but I'd probably just generate a UUID4, which can be used in a URL to reset the password and expire it after 'n' amount of time.

    >>> import uuid
    >>> uuid.uuid4().hex
    '8c05904f0051419283d1024fc5ce1a59'
    

    You could use something like http://redis.io to hold that key, with a value of the appropriate user ID and set its time to live. So, when something comes in from http://example.com/password-reset/8c05904f0051419283d1024fc5ce1a59 it looks to see if it's valid and if so then allows changes to set a new password.

    If you did want a "validation pin", then store along with the token, a small random key, eg:

    >>> from string import digits
    >>> from secrets import choice  # CSPRNG-backed, unlike random.choice
    >>> ''.join(choice(digits) for i in range(4))
    '2545'
    

    And request that be entered on the reset link.

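Added example (not from either answer): a stateless reset token built on the question's idea of combining the epoch time with the user's stored pbkdf2 hash, using only the standard library. The hash goes into the HMAC message under a server-side key, so the link expires after `MAX_AGE` and stops verifying once the password changes; `SERVER_SECRET`, `MAX_AGE`, the function names and the sample user record are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: loaded from config in practice
MAX_AGE = 3600  # assumed policy: seconds a reset link stays valid


def _mac(user_id, issued_at, password_hash):
    # Binding the MAC to the current password hash makes the token single-use:
    # after a successful reset the stored hash changes and the MAC stops verifying.
    msg = f"{user_id}|{issued_at}|{password_hash}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_reset_token(user_id, password_hash, now=None):
    # Assumes user_id is a numeric string, so it cannot contain "." or "|".
    issued_at = int(time.time()) if now is None else now
    return f"{user_id}.{issued_at}.{_mac(user_id, issued_at, password_hash)}"


def check_reset_token(token, lookup_hash, now=None):
    """Return the user id if the token is authentic and fresh, else None."""
    now = int(time.time()) if now is None else now
    try:
        user_id, issued_raw, mac = token.split(".")
        issued_at = int(issued_raw)
    except ValueError:
        return None  # wrong number of fields or non-numeric timestamp
    password_hash = lookup_hash(user_id)
    if password_hash is None:
        return None  # unknown user
    expected = _mac(user_id, issued_at, password_hash)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # forged, tampered, or password already changed
    if not 0 <= now - issued_at <= MAX_AGE:
        return None  # expired, or timestamp in the future
    return user_id


if __name__ == "__main__":
    users = {"42": "pbkdf2$constructed-old-hash"}  # constructed sample record
    token = make_reset_token("42", users["42"])
    print(check_reset_token(token, users.get))  # valid while the old hash is stored
    users["42"] = "pbkdf2$constructed-new-hash"  # password was reset
    print(check_reset_token(token, users.get))  # same link no longer verifies
```

The pbkdf2 hash is mixed into the signed message rather than used as the key itself, so anyone who obtains a copy of the password hashes still cannot mint tokens without the server secret.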