diff options
| author | Tim Graham <timograham@gmail.com> | 2017-10-12 14:58:18 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-10-12 14:58:18 -0400 |
| commit | 0edff2107f9cdd89737d2d33d1a40362ecde894c (patch) | |
| tree | 5cdf07cafd102e914520af5951b6a00cac7213e5 /django | |
| parent | f90be0a83ef5aa333b19e259faab73ee117d5339 (diff) | |
Refs #28248 -- Clarified the precision of PASSWORD_RESET_TIMEOUT_DAYS.
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/auth/tokens.py | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/django/contrib/auth/tokens.py b/django/contrib/auth/tokens.py index eefa00c330..2272cd2415 100644 --- a/django/contrib/auth/tokens.py +++ b/django/contrib/auth/tokens.py @@ -41,7 +41,11 @@ class PasswordResetTokenGenerator: if not constant_time_compare(self._make_token_with_timestamp(user, ts), token): return False - # Check the timestamp is within limit + # Check the timestamp is within limit. Timestamps are rounded to + # midnight (server time) providing a resolution of only 1 day. If a + # link is generated 5 minutes before midnight and used 6 minutes later, + # that counts as 1 day. Therefore, PASSWORD_RESET_TIMEOUT_DAYS = 1 means + # "at least 1 day, could be up to 2." if (self._num_days(self._today()) - ts) > settings.PASSWORD_RESET_TIMEOUT_DAYS: return False |
