Fixed #28017 -- Allowed customizing PasswordResetTokenGenerator's secret.

2025-10-27 15:46:10 +00:00 · 2017-05-26 13:37:36 +02:00
parent 2cbb095bec
commit c930c241f8
2 changed files with 23 additions and 0 deletions
--- a/django/contrib/auth/tokens.py
+++ b/django/contrib/auth/tokens.py
@@ -11,6 +11,7 @@ class PasswordResetTokenGenerator:
    reset mechanism.
    """
    key_salt = "django.contrib.auth.tokens.PasswordResetTokenGenerator"
+    secret = settings.SECRET_KEY

    def make_token(self, user):
        """
@@ -61,6 +62,7 @@ class PasswordResetTokenGenerator:
        hash = salted_hmac(
            self.key_salt,
            self._make_hash_value(user, timestamp),
+            secret=self.secret,
        ).hexdigest()[::2]
        return "%s-%s" % (ts_b36, hash)