Merge pull request #2935 from coreos-inc/joseph.schorr/QS-80/password-reset-expire
Add maximum lifetime of 30m on password recovery tokens
This commit is contained in:
commit
b2db266747
3 changed files with 33 additions and 2 deletions
|
@ -507,19 +507,26 @@ def create_reset_password_email_code(email):
|
|||
|
||||
|
||||
def validate_reset_code(code):
|
||||
# Find the reset code.
|
||||
try:
|
||||
code = EmailConfirmation.get(EmailConfirmation.code == code,
|
||||
EmailConfirmation.pw_reset == True)
|
||||
except EmailConfirmation.DoesNotExist:
|
||||
return None
|
||||
|
||||
# Make sure the code is not expired.
|
||||
max_lifetime_duration = convert_to_timedelta(config.app_config['USER_RECOVERY_TOKEN_LIFETIME'])
|
||||
if code.created + max_lifetime_duration < datetime.now():
|
||||
code.delete_instance()
|
||||
return None
|
||||
|
||||
# Verify the user and return the code.
|
||||
user = code.user
|
||||
if not user.verified:
|
||||
user.verified = True
|
||||
user.save()
|
||||
|
||||
code.delete_instance()
|
||||
|
||||
return user
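Review bot: The expiry check `if code.created + max_lifetime_duration < datetime.now():` compares against a naive local-time clock, while the clock that populates `code.created` is not visible in this hunk; if the model stamps it with `datetime.utcnow()` (as is common in this codebase, but unconfirmed here) the configured window silently shifts by the host's UTC offset — on a server east of UTC every fresh token reads as already expired, west of UTC tokens outlive the intended 30 minutes by hours. Use the same clock as the model, e.g. `if code.created + max_lifetime_duration < datetime.utcnow():`, or move both sides to timezone-aware UTC values so the lifetime does not depend on where the process runs. Separately, `config.app_config['USER_RECOVERY_TOKEN_LIFETIME']` raises KeyError on any deployment whose config predates this key, which turns every password reset into a 500; a `.get('USER_RECOVERY_TOKEN_LIFETIME', '30m')` default matching the PR description keeps existing configs working while still enforcing the new bound. Deleting the row on expiry and after successful use (single-use token) is the right call and should stay. The function named in the hunk header, `create_reset_password_email_code`, ends before the visible lines.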
|
||||
|
||||
|
||||
|
|