
How does Django handle a token generated by default_token_generator after it expires? Is it deleted automatically?

liaozd • 11 years ago • 7743 views

```python
from django.contrib.auth.tokens import default_token_generator

token = default_token_generator.make_token(user)
```

settings.py has a setting called PASSWORD_RESET_TIMEOUT_DAYS, but the Django documentation doesn't seem to explain this in detail.

How can I tell whether a token has expired?

Article URL: http://www.python88.com/topic/844
liaozd   •   #1   •   11 years ago

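@Django中国社区 There are two possibilities: one is that the token was created but has expired, the other is that the token is fake. In both cases you can't get it.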

liaozd   •   #2   •   11 years ago

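@Django中国社区 Thanks. What I want to do is redirect to a separate "expired" page if the token has expired. I'd also like to know how to test token expiry. Is a day the smallest possible expiry period?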

Django source code:

```python
from datetime import date

from django.conf import settings
from django.utils.http import int_to_base36, base36_to_int
from django.utils.crypto import constant_time_compare, salted_hmac
from django.utils import six


class PasswordResetTokenGenerator(object):
    """
    Strategy object used to generate and check tokens for the password
    reset mechanism.
    """
    def make_token(self, user):
        """
        Returns a token that can be used once to do a password reset
        for the given user.
        """
        return self._make_token_with_timestamp(user, self._num_days(self._today()))

    def check_token(self, user, token):
        """
        Check that a password reset token is correct for a given user.
        """
        # Parse the token
        try:
            ts_b36, hash = token.split("-")
        except ValueError:
            return False

        try:
            ts = base36_to_int(ts_b36)
        except ValueError:
            return False

        # Check that the timestamp/uid has not been tampered with
        if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
            return False

        # Check the timestamp is within limit
        if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS:
            return False

        return True

    def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of days since 2001-1-1.  Converted to
        # base 36, this gives us a 3 digit string until about 2121
        ts_b36 = int_to_base36(timestamp)

        # By hashing on the internal state of the user and using state
        # that is sure to change (the password salt will change as soon as
        # the password is set, at least for current Django auth, and
        # last_login will also change), we produce a hash that will be
        # invalid as soon as it is used.
        # We limit the hash to 20 chars to keep URL short
        key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"

        # Ensure results are consistent across DB backends
        login_timestamp = user.last_login.replace(microsecond=0, tzinfo=None)

        value = (six.text_type(user.pk) + user.password +
                 six.text_type(login_timestamp) + six.text_type(timestamp))
        hash = salted_hmac(key_salt, value).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash)

    def _num_days(self, dt):
        return (dt - date(2001, 1, 1)).days

    def _today(self):
        # Used for mocking in tests
        return date.today()


default_token_generator = PasswordResetTokenGenerator()
```

Py站长   •   #3   •   11 years ago

If you can't get it when verifying the link, that means it has expired, I suppose.
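The `check_token` quoted in reply #2 returns `False` for both a forged and an expired token, so the sketch below separates the two cases; it is an added example, not part of the original thread or Django's own code, and it re-implements the quoted scheme with the standard library so it runs without Django. `User`, `SAMPLE_USER`, `SECRET_KEY`, `TIMEOUT_DAYS`, `token_for_timestamp` and `token_status` are assumed names, and passing `today` as a parameter plays the role of the mockable `_today()`, so expiry can be tested without waiting a day.

```python
import hashlib
import hmac
from collections import namedtuple
from datetime import date, datetime

# Constructed stand-ins for settings.SECRET_KEY / PASSWORD_RESET_TIMEOUT_DAYS
SECRET_KEY = "constructed-demo-secret"
TIMEOUT_DAYS = 3
KEY_SALT = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"
# Constructed stand-in for the auth user model and one sample row
User = namedtuple("User", "pk password last_login")
SAMPLE_USER = User(1, "pbkdf2_sha256$constructed-hash", datetime(2014, 1, 1, 12, 30))

def to_b36(n):
    out = ""
    while n > 0:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out or "0"

def num_days(d):
    return (d - date(2001, 1, 1)).days

def token_for_timestamp(user, ts):
    # Same inputs as the quoted _make_token_with_timestamp
    login = user.last_login.replace(microsecond=0, tzinfo=None)
    value = "%s%s%s%s" % (user.pk, user.password, login, ts)
    key = hashlib.sha1((KEY_SALT + SECRET_KEY).encode()).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha1).hexdigest()[::2]
    return "%s-%s" % (to_b36(ts), mac)

def make_token(user, today):
    return token_for_timestamp(user, num_days(today))

def token_status(user, token, today):
    """Return 'invalid', 'expired' or 'valid' for a reset token."""
    try:
        ts_b36, _mac = token.split("-")
        ts = int(ts_b36, 36)
    except ValueError:
        return "invalid"
    # Verify the MAC first: the timestamp is untrusted until then, so an
    # unauthenticated token must never reach the "expired" branch.
    expected = token_for_timestamp(user, ts)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return "invalid"
    if num_days(today) - ts > TIMEOUT_DAYS:
        return "expired"
    return "valid"
```

A view can redirect to the expired page only on `"expired"` and treat `"invalid"` as a generic failure.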