Inicio Explorar Ayuda
Registro Iniciar sesión
dayuan
/
manyi
6
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Árbol: 34216f9fac
Ramas Etiquetas
manyi
/
venv
/
Lib
/
site-packages
/
django
/
contrib
/
auth
/
tokens.py

tokens.py 2.6 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. from datetime import date
    2. 

  2. from django.conf import settings
    3. 

  3. from django.utils.http import int_to_base36, base36_to_int
    4. 

  4. from django.utils.crypto import constant_time_compare, salted_hmac
    5. 

  5. from django.utils import six
    6. 

  6. 

  7. 

  8. class PasswordResetTokenGenerator(object):
    9. 

  9.     """
    10. 

  10.     Strategy object used to generate and check tokens for the password
    11. 

  11.     reset mechanism.
    12. 

  12.     """
    13. 

  13.     def make_token(self, user):
    14. 

  14.         """
    15. 

  15.         Returns a token that can be used once to do a password reset
    16. 

  16.         for the given user.
    17. 

  17.         """
    18. 

  18.         return self._make_token_with_timestamp(user, self._num_days(self._today()))
    19. 

  19. 

  20.     def check_token(self, user, token):
    21. 

  21.         """
    22. 

  22.         Check that a password reset token is correct for a given user.
    23. 

  23.         """
    24. 

  24.         # Parse the token
    25. 

  25.         try:
    26. 

  26.             ts_b36, hash = token.split("-")
    27. 

  27.         except ValueError:
    28. 

  28.             return False
    29. 

  29. 

  30.         try:
    31. 

  31.             ts = base36_to_int(ts_b36)
    32. 

  32.         except ValueError:
    33. 

  33.             return False
    34. 

  34. 

  35.         # Check that the timestamp/uid has not been tampered with
    36. 

  36.         if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
    37. 

  37.             return False
    38. 

  38. 

  39.         # Check the timestamp is within limit
    40. 

  40.         if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS:
    41. 

  41.             return False
    42. 

  42. 

  43.         return True
    44. 

  44. 

  45.     def _make_token_with_timestamp(self, user, timestamp):
    46. 

  46.         # timestamp is number of days since 2001-1-1.  Converted to
    47. 

  47.         # base 36, this gives us a 3 digit string until about 2121
    48. 

  48.         ts_b36 = int_to_base36(timestamp)
    49. 

  49. 

  50.         # By hashing on the internal state of the user and using state
    51. 

  51.         # that is sure to change (the password salt will change as soon as
    52. 

  52.         # the password is set, at least for current Django auth, and
    53. 

  53.         # last_login will also change), we produce a hash that will be
    54. 

  54.         # invalid as soon as it is used.
    55. 

  55.         # We limit the hash to 20 chars to keep URL short
    56. 

  56.         key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
    57. 

  57. 

  58.         # Ensure results are consistent across DB backends
    59. 

  59.         login_timestamp = user.last_login.replace(microsecond=0, tzinfo=None)
    60. 

  60. 

  61.         value = (six.text_type(user.pk) + user.password +
    62. 

  62.                 six.text_type(login_timestamp) + six.text_type(timestamp))
    63. 

  63.         hash = salted_hmac(key_salt, value).hexdigest()[::2]
    64. 

  64.         return "%s-%s" % (ts_b36, hash)
    65. 

  65. 

  66.     def _num_days(self, dt):
    67. 

  67.         return (dt - date(2001, 1, 1)).days
    68. 

  68. 

  69.     def _today(self):
    70. 

  70.         # Used for mocking in tests
    71. 

  71.         return date.today()
    72. 

  72. 

  73. default_token_generator = PasswordResetTokenGenerator()
    74.