I set up password reset functionality in Django. I wonder how to expire the password reset URL after it has been used to reset the password.
The token is generated so that it is automatically invalidated; take a look at _make_hash_value
in Django's auth tokens. I copy the code comments here:
Hash the user's primary key and some user state that's sure to change after a password reset to produce a token that is invalidated when it's used:
- The password field will change upon a password reset (even if the same password is chosen, due to password salting).
- The last_login field will usually be updated very shortly after a password reset.
Failing those things, settings.PASSWORD_RESET_TIMEOUT_DAYS eventually invalidates the token.
Running this data through salted_hmac() prevents password cracking attempts using the reset token, provided the secret isn't compromised.
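To make the mechanism in those comments concrete, here is an added, simplified re-implementation of the same idea in plain Python (not Django's own code, and not something the answer above included). It assumes a constructed SECRET_KEY, a three-day timeout standing in for PASSWORD_RESET_TIMEOUT_DAYS, and a minimal User stand-in with pk, password and last_login fields; the token is an HMAC over those fields plus a timestamp, so once the password hash changes the old token no longer verifies, and even an unused token dies after the timeout.

```python
import hashlib
import hmac
import time
from datetime import datetime, timezone

# Constructed values for this demo only. Django derives its key from settings.SECRET_KEY
# and its timeout from settings.PASSWORD_RESET_TIMEOUT_DAYS.
SECRET_KEY = b"demo-secret-key-not-for-production"
RESET_TIMEOUT_SECONDS = 3 * 24 * 3600  # stand-in for PASSWORD_RESET_TIMEOUT_DAYS = 3


class User:
    """Minimal stand-in for a user row (constructed; not Django's model)."""

    def __init__(self, pk, password_hash, last_login):
        self.pk = pk
        self.password = password_hash  # stored hash; rewritten (new salt) on every reset
        self.last_login = last_login   # datetime or None


def _make_hash_value(user, timestamp):
    # The same ingredients Django's comment lists: primary key, password hash,
    # last_login and the issue timestamp. Any change to these breaks the token.
    login_ts = "" if user.last_login is None else (
        user.last_login.replace(microsecond=0, tzinfo=None).isoformat()
    )
    return f"{user.pk}{user.password}{login_ts}{timestamp}"


def make_token(user, now=None):
    """Issue a token bound to the user's current state and the current time."""
    ts = int(now if now is not None else time.time())
    digest = hmac.new(
        SECRET_KEY, _make_hash_value(user, ts).encode(), hashlib.sha256
    ).hexdigest()[:20]
    return f"{ts}-{digest}"


def check_token(user, token, now=None):
    """Return True only if the token matches the user's *current* state and is not stale."""
    try:
        ts_str, _ = token.split("-", 1)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed token
    # Recompute from current state: a reset changes user.password, so the
    # recomputed digest differs and the used token is rejected.
    expected = make_token(user, now=ts)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    current = int(now if now is not None else time.time())
    return current - ts <= RESET_TIMEOUT_SECONDS


def demo():
    """Walk through issue -> use -> reuse -> timeout; returns (valid, after_reset, expired)."""
    user = User(
        pk=42,
        password_hash="pbkdf2_sha256$old$salt1$hash1",  # constructed hash string
        last_login=datetime(2020, 1, 1, tzinfo=timezone.utc),
    )
    t0 = 1_600_000_000  # fixed clock so the demo is deterministic
    token = make_token(user, now=t0)
    valid = check_token(user, token, now=t0 + 60)          # fresh, unused token
    user.password = "pbkdf2_sha256$new$salt2$hash2"        # the reset rewrote the hash
    after_reset = check_token(user, token, now=t0 + 120)   # same link, now rejected
    user.password = "pbkdf2_sha256$old$salt1$hash1"        # roll back to isolate the timeout
    expired = check_token(user, token, now=t0 + RESET_TIMEOUT_SECONDS + 1)
    return valid, after_reset, expired


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The practical check this gives you: after a successful reset, reloading the old link must fail, and nothing needs to be stored or deleted server-side, because the invalidation comes from the user state itself.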