Can someone walk me through what's happening in flask-security's password reset token? The code is here on github:
https://github.com/mattupstate/flask-security/blob/develop/flask_security/recoverable.py
(There may be other parts up a directory.)
My understanding of what's happening:
Is that correct?
Also:
I'm most specifically confused by the generate_password_reset function
data = [str(user.id), md5(user.password)]
return _security.reset_serializer.dumps(data)
and the
get_token_status(token, 'reset', 'RESET_PASSWORD')
function inside reset_password_token_status(token)
A token is a one-time generated link that contains numbers and letters that'll allow you to reset your password. It cannot be reused and is only valid for seven days.
It is using the itsdangerous module to serialize the token. If you read more about it below, you will have your answers on how the expiration timestamp is used etc.
http://packages.python.org/itsdangerous/
The function serializer.dumps() creates a unique serialized string, and serializer.loads(), which is called by get_token_status, will raise exceptions unless the exact serialized value is provided to it as a parameter. So you dumps() and then, using the return value from that, you call loads(). If it does not match, you get an exception, which in this case means a bad token.
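To make the answer above concrete, here is an added example (not flask-security's or itsdangerous' own code) that re-implements the same scheme with only the standard library: an HMAC-signed, timestamped token over [str(user.id), md5(user.password)], and a status check that returns (expired, invalid, user) like get_token_status. The secret key, the user-lookup callback and the sample users are constructed assumptions; the seven-day limit is the one the thread states.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-secret"   # assumption: the app's SECRET_KEY
MAX_AGE = 7 * 24 * 3600                   # seven days, as stated in the thread


def _sign(payload: bytes) -> bytes:
    # Stand-in for the signer itsdangerous wraps around the serialized data.
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def generate_reset_token(user_id, password_hash: str, now=None) -> bytes:
    # Same payload flask-security signs: the user id plus the md5 of the
    # *stored password hash*. Resetting the password changes that hash, so
    # every earlier token stops matching and cannot be reused.
    data = [str(user_id), hashlib.md5(password_hash.encode()).hexdigest()]
    ts = int(now if now is not None else time.time())
    body = base64.urlsafe_b64encode(json.dumps([data, ts]).encode())
    return body + b"." + base64.urlsafe_b64encode(_sign(body))


def reset_token_status(token: bytes, lookup_user, now=None):
    """Return (expired, invalid, user), mirroring get_token_status."""
    try:
        body, sig = token.split(b".", 1)
        # Verify the signature before trusting anything inside the token.
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), _sign(body)):
            return False, True, None
        data, ts = json.loads(base64.urlsafe_b64decode(body))
    except Exception:              # malformed token, bad base64, bad JSON
        return False, True, None
    ts_now = int(now if now is not None else time.time())
    if ts_now - ts > MAX_AGE:      # loads(max_age=...) would raise here
        return True, False, None
    user = lookup_user(data[0])    # assumption: callback returning a user dict
    if user is None or hashlib.md5(user["password"].encode()).hexdigest() != data[1]:
        return False, True, None   # password changed since the token was issued
    return False, False, user
```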