Custom Django Password Reset - Link does not get invalidated
I know that a one-time password-reset link is supposed to be invalidated, following the e-mail password-change procedure given here. However, in my implementation below, although the link can reset the password every time, it never gets invalidated. The link works every single time. What could be the reason for this?
(I also see that the last-login timestamp is updated in the admin page for the particular user whose password I am changing.)
(forms.py)
from django.contrib.auth.forms import UserCreationForm, SetPasswordForm
from django.contrib.auth import get_user_model


class ResetPasswordForm(SetPasswordForm):
    # SetPasswordForm is a plain forms.Form, not a ModelForm, so this Meta
    # class is ignored; the form still works because SetPasswordForm defines
    # new_password1/new_password2 itself and save() calls user.set_password().
    class Meta:
        model = get_user_model()
        fields = ('password1', 'password2')
(tokens.py)
import six
from django.contrib.auth.tokens import PasswordResetTokenGenerator


class AccountActivationTokenGenerator(PasswordResetTokenGenerator):
    def _make_hash_value(self, user, timestamp):
        # Only pk, the issue timestamp and email_confirmed feed the HMAC.
        # None of these change when the password is set.
        return (
            six.text_type(user.pk) + six.text_type(timestamp) +
            six.text_type(user.email_confirmed)
        )


account_activation_token = AccountActivationTokenGenerator()
(views.py)
from django.contrib.auth import get_user_model, login
from django.shortcuts import redirect, render
from django.utils.encoding import force_text
from django.utils.http import urlsafe_base64_decode

# Module layout assumed: forms.py and tokens.py live next to this views.py.
from .forms import ResetPasswordForm
from .tokens import account_activation_token

# Resolve the user model at import time so that User.DoesNotExist is defined
# even when urlsafe_base64_decode() raises before the lookup runs.
User = get_user_model()


def activate_forgot_password(request, uidb64, token):
    try:
        uid = force_text(urlsafe_base64_decode(uidb64))
        user = User.objects.get(pk=uid)
    except (TypeError, ValueError, OverflowError, User.DoesNotExist):
        user = None
    if user is not None and account_activation_token.check_token(user, token):
        if request.method == 'POST':
            form = ResetPasswordForm(user, request.POST)
            if form.is_valid():
                user = form.save(commit=False)
                print(user.password)  # debug output: the new password hash
                user.save()
                login(request, user, backend='mysite.signup.views.EmailBackend')
                return redirect('home')
        else:
            form = ResetPasswordForm(user)
        return render(request,
                      'change_password.html',
                      {'form': form,
                       'uidb64': uidb64,
                       'token': token})
    return render(request, 'account_forgot_password_token_invalid.html')
(template.html)
<form id="ResetPasswordForm" method="post" action="{% url 'activate_forgot_password' uidb64=uidb64 token=token %}" validate>
    {% csrf_token %}
    .
    .
    .
    <div class="form-group">
        <button type="submit" id="btn-signup" class="btn btn-block btn-primary btn-lg">Change Password</button>
    </div>
</form>
The fields in the _make_hash_value method are never updated, so the link stays valid until one of the fields that go into it changes or the token times out. You can add more fields to make sure a change will be triggered, like user.last_login or even user.password.
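To make the answer concrete without a Django installation, the following is an added example (not code from the question, the answer or Django itself) that re-implements the PasswordResetTokenGenerator pattern with hmac: a token is the issue timestamp plus an HMAC over `_make_hash_value(user, timestamp)`, and `check_token` recomputes it. Django's own default `_make_hash_value` mixes in `user.password` and `user.last_login` precisely so that a successful reset (and the `login()` call that follows it) changes the hash. The `User` dataclass, `SECRET_KEY`, the one-day `TIMEOUT`, the class names and the sample password hashes are all constructed for this demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for a Django user object; real code uses get_user_model().
# `password` holds the salted hash Django stores, never a cleartext password.
@dataclass
class User:
    pk: int
    email: str
    email_confirmed: bool
    password: str
    last_login: Optional[datetime] = None


SECRET_KEY = secrets.token_hex(32)   # constructed; Django uses settings.SECRET_KEY
TIMEOUT = timedelta(days=1)          # constructed; Django reads PASSWORD_RESET_TIMEOUT
EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


class TokenGenerator:
    """Minimal re-implementation of the Django token scheme: '<ts-hex>-<hmac>'."""

    def _make_hash_value(self, user: User, timestamp: int) -> str:
        raise NotImplementedError

    def _now_seconds(self) -> int:
        return int((datetime.now(timezone.utc) - EPOCH).total_seconds())

    def _make_token_with_timestamp(self, user: User, ts: int) -> str:
        mac = hmac.new(SECRET_KEY.encode(),
                       self._make_hash_value(user, ts).encode(),
                       hashlib.sha256).hexdigest()
        return f"{ts:x}-{mac}"

    def make_token(self, user: User) -> str:
        return self._make_token_with_timestamp(user, self._now_seconds())

    def check_token(self, user: User, token: str) -> bool:
        # Parse the timestamp, recompute the MAC from the *current* user state,
        # compare in constant time, then enforce the timeout.
        try:
            ts_hex, _ = token.split("-", 1)
            ts = int(ts_hex, 16)
        except (ValueError, AttributeError):
            return False
        expected = self._make_token_with_timestamp(user, ts)
        if not hmac.compare_digest(expected, token):
            return False
        return self._now_seconds() - ts <= TIMEOUT.total_seconds()


class WeakTokenGenerator(TokenGenerator):
    """Mirrors the question's override: nothing here changes on a reset."""

    def _make_hash_value(self, user: User, timestamp: int) -> str:
        return f"{user.pk}{timestamp}{user.email_confirmed}"


class PasswordBoundTokenGenerator(TokenGenerator):
    """Binds the token to the password hash and last login, as Django does."""

    def _make_hash_value(self, user: User, timestamp: int) -> str:
        login_ts = "" if user.last_login is None else \
            user.last_login.replace(microsecond=0).isoformat()
        return f"{user.pk}{user.password}{login_ts}{timestamp}{user.email}"


def demo():
    """Return (validity before reset, validity after reset) for both generators."""
    user = User(pk=7, email="alice@example.com", email_confirmed=True,
                password="pbkdf2_sha256$constructed_old_hash")
    weak, bound = WeakTokenGenerator(), PasswordBoundTokenGenerator()
    weak_tok, bound_tok = weak.make_token(user), bound.make_token(user)
    before = (weak.check_token(user, weak_tok), bound.check_token(user, bound_tok))

    # Simulate what the view does on a successful POST: set_password() then login().
    user.password = "pbkdf2_sha256$constructed_new_hash"
    user.last_login = datetime.now(timezone.utc)
    after = (weak.check_token(user, weak_tok), bound.check_token(user, bound_tok))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

The weak generator still accepts the old link after the reset; the password-bound one rejects it, because the recomputed HMAC no longer matches. The timeout check is deliberately applied after the MAC check so that a forged token is never distinguished from an expired one by timing.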