tokens.py - Parse the token Check that the timestamp/uid ha…

/django/contrib/auth/tokens.py

https://github.com/blacktear23/django · Python · 82 lines · 42 code · 13 blank · 27 comment · 7 complexity · 46605cb9696e40a1e94ac223e9b2b6c4 MD5 · raw file

from datetime import date

from django.conf import settings
from django.utils.hashcompat import sha_constructor
from django.utils.http import int_to_base36, base36_to_int
from django.utils.crypto import constant_time_compare, salted_hmac

class PasswordResetTokenGenerator(object):
    """
    Strategy object used to generate and check tokens for the password
    reset mechanism.
    """
    def make_token(self, user):
        """
        Returns a token that can be used once to do a password reset
        for the given user.
        """
        return self._make_token_with_timestamp(user, self._num_days(self._today()))

    def check_token(self, user, token):
        """
        Check that a password reset token is correct for a given user.
        """
        # Parse the token
        try:
            ts_b36, hash = token.split("-")
        except ValueError:
            return False

        try:
            ts = base36_to_int(ts_b36)
        except ValueError:
            return False

        # Check that the timestamp/uid has not been tampered with
        if not constant_time_compare(self._make_token_with_timestamp(user, ts), token):
            # Fallback to Django 1.2 method for compatibility.
            # PendingDeprecationWarning <- here to remind us to remove this in
            # Django 1.5
            if not constant_time_compare(self._make_token_with_timestamp_old(user, ts), token):
                return False

        # Check the timestamp is within limit
        if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS:
            return False

        return True

    def _make_token_with_timestamp(self, user, timestamp):
        # timestamp is number of days since 2001-1-1.  Converted to
        # base 36, this gives us a 3 digit string until about 2121
        ts_b36 = int_to_base36(timestamp)

        # By hashing on the internal state of the user and using state
        # that is sure to change (the password salt will change as soon as
        # the password is set, at least for current Django auth, and
        # last_login will also change), we produce a hash that will be
        # invalid as soon as it is used.
        # We limit the hash to 20 chars to keep URL short
        key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
        value = unicode(user.id) + \
            user.password + user.last_login.strftime('%Y-%m-%d %H:%M:%S') + \
            unicode(timestamp)
        hash = salted_hmac(key_salt, value).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash)

    def _make_token_with_timestamp_old(self, user, timestamp):
        # The Django 1.2 method
        ts_b36 = int_to_base36(timestamp)
        hash = sha_constructor(settings.SECRET_KEY + unicode(user.id) +
                               user.password + user.last_login.strftime('%Y-%m-%d %H:%M:%S') +
                               unicode(timestamp)).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash)

    def _num_days(self, dt):
        return (dt - date(2001,1,1)).days

    def _today(self):
        # Used for mocking in tests
        return date.today()

default_token_generator = PasswordResetTokenGenerator()