Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Explanation of the token-based password-reset functionality in Flask-Security

Tags:

python

flask

token

flask-extensions

password-recovery

Can someone walk me through what's happening in flask-security's password reset token? The code is here on github:

https://github.com/mattupstate/flask-security/blob/develop/flask_security/recoverable.py

(There may be other parts up a directory.)

My understanding of what's happening:

  1. In the route defined by forgot_password() user submits a form to reset password
  2. A "reset_password_token" is generated. This consists of the user's ID + an md5() of the user's current (stored-encrypted) password?
  3. A link is generated to a reset password address containing the token.
  4. This link is emailed to the address given by user.email
  5. When the user clicks that link, they go to a route (defined in views), which is reset_password(token). The token value is an argument to this route.
  6. The route evaluates whether the token is valid and not expired.
  7. If so, this route renders a form asking for a new password, ResetPasswordForm().

Is that correct?

Also:

  1. If above is correct, is it safe to make the token contain a new md5() of the current password? I know it should be unique and costly to reverse, but still?
  2. Where is the expiration date stored?

I'm most specifically confused by the generate_password_reset function

data = [str(user.id), md5(user.password)] return _security.reset_serializer.dumps(data)

and the

get_token_status(token, 'reset', 'RESET_PASSWORD') function inside reset_password_token_status(token)

like image 923
Mittenchops Avatar asked Dec 16 '12 23:12

Mittenchops

People also ask

What is token in resetting password?

A token is a one-time generated link that contains numbers and letters that'll allow you to reset your password. It cannot be reused and is only valid for seven days.

1 Answers

It is using the itsdangerous module to serialize the token. If you read more about it below, you will have your answers on how expiration timestamp is used etc.

http://packages.python.org/itsdangerous/

The function serializer.dumps() creates a unique serialized string and serializer.loads() which is called by get_token_status will return exceptions unless the exact serialized value is provided to it as parameter.

So you dumps() and then using the return value from that, you calls loads(). If does not match, you have exception which in this case means bad token.

like image 138
codegeek Avatar answered Oct 01 '22 03:10

codegeek
Sign in to Comment

Related questions

How to parse single file using Python bindings to Clang?
Sublime Text2 Import error: No module named Gnuplot
possible to raise exception that includes non-english characters in python 2?
Commit existing journal file in SQLite from prior terminated connection to database
What do tab colors mean in PyCharm?
pandas's resample with fill_method: Need to know data from which row was copied?
Python pytz: what happens if a country does away with DST?
SWIG Python - wrapping a function that expects a double pointer to a struct
Namespace packages and pip install -e
Secure Python chat with SSH - How?
carving 2D numpy array by index
Cookies using Python and Google App Engine
python string ' " ' : single double quote inside string
How to do a while ( x < y ) in jinja2
Python- How to find the average of multiple values/key in a dictionary
Processing only non-blank lines
Sending form data to aspx page
efficiently computing parafac / CP product in numpy
Iterative deletion from list (Python 2)
reconstruction figure legend in pandas

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!