Add maximum lifetime of 30m on password recovery tokens
Fixes https://jira.coreos.com/browse/QS-80
This commit is contained in:
parent
d405f6f158
commit
5dd95038cf
3 changed files with 33 additions and 2 deletions
@ -508,19 +508,26 @@ def create_reset_password_email_code(email):
|
|||
|
||||
|
||||
def validate_reset_code(code):
|
||||
# Find the reset code.
|
||||
try:
|
||||
code = EmailConfirmation.get(EmailConfirmation.code == code,
|
||||
EmailConfirmation.pw_reset == True)
|
||||
except EmailConfirmation.DoesNotExist:
|
||||
return None
|
||||
|
||||
# Make sure the code is not expired.
|
||||
max_lifetime_duration = convert_to_timedelta(config.app_config['USER_RECOVERY_TOKEN_LIFETIME'])
|
||||
if code.created + max_lifetime_duration < datetime.now():
|
||||
code.delete_instance()
|
||||
return None
|
||||
|
||||
# Verify the user and return the code.
|
||||
user = code.user
|
||||
if not user.verified:
|
||||
user.verified = True
|
||||
user.save()
|
||||
|
||||
code.delete_instance()
|
||||
|
||||
return user
|
||||
|
||||
|
||||
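Review bot: The new expiry test at `if code.created + max_lifetime_duration < datetime.now():` compares against a naive local-time clock, and the model's `created` column is not visible in this hunk; if that column is populated in UTC (a common default), the effective lifetime is skewed by the server's UTC offset, so a 30m token could stay valid for hours on a host behind UTC or be rejected immediately on one ahead of it. The comparison should use whichever clock populates `EmailConfirmation.created`, e.g. `if code.created + max_lifetime_duration < datetime.utcnow():` if that column is UTC-based — worth confirming against the model definition. A docstring on `validate_reset_code` would also help, stating that it consumes the code on both the expired and the successful path and returns the owning user, or `None` when the code is unknown or past `USER_RECOVERY_TOKEN_LIFETIME`.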