Opened 15 years ago

Closed 13 years ago

#107 closed defect (fixed)

Email verification and forgot password verification tokens should expire

Reported by: Christopher Allan Webber Owned by:
Priority: minor Milestone:
Component: programming Keywords:
Cc: Stephen Compall Parent Tickets:

Description (last modified by Christopher Allan Webber)

Email verification should expire after 30 days and forgot password verification should expire after 7.

Things that should be done:

  • These fields should be added but not required
  • Views should be modified to add these expiration fields when adding the tokens
  • Views should be modified to check the expiration fields before using
  • A migration should be added...
    • fields without verification keys should just have the email_verification_expires and/or fp_verification_expires set to None
    • fields with verification keys should set them to a timedelta from today

You can set these fields via a timedelta:

>>> import datetime
>>> datetime.datetime.now() + datetime.timedelta(days=10)
datetime.datetime(2011, 7, 4, 8, 41, 8, 502139)
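The steps listed in the description (set the expiry when a token is added, check it before use, backfill existing records in a migration), as an added example that is not MediaGoblin's code. The user record is a plain dict, the key field names `verification_key` and `fp_verification_key` are assumed, and consuming a token on first use and reusing the 30-day and 7-day lifetimes in the migration are choices made for this example.

```python
import datetime
import hmac
import secrets

# kind -> (key field, expiry field, lifetime). Expiry field names and lifetimes
# are from the ticket; the key field names are assumed for this example.
FIELDS = {
    "email": ("verification_key", "email_verification_expires",
              datetime.timedelta(days=30)),
    "forgot_password": ("fp_verification_key", "fp_verification_expires",
                        datetime.timedelta(days=7)),
}


def issue_token(user, kind, now=None):
    """Store a fresh random token and its expiry on the user record (a dict here)."""
    key_field, exp_field, ttl = FIELDS[kind]
    now = now or datetime.datetime.now()
    user[key_field] = secrets.token_urlsafe(32)
    user[exp_field] = now + ttl
    return user[key_field]


def check_token(user, kind, presented, now=None):
    """Return True only for a matching, unexpired token; consume it on success."""
    key_field, exp_field, _ = FIELDS[kind]
    now = now or datetime.datetime.now()
    stored, expires = user.get(key_field), user.get(exp_field)
    # The fields are optional, so a missing key or expiry fails closed.
    if not stored or expires is None or now >= expires:
        return False
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(stored.encode(), presented.encode()):
        return False
    # Single use is an assumption of this example, not stated in the ticket.
    user[key_field] = user[exp_field] = None
    return True


def migrate(user, now=None):
    """Backfill expiry fields on an existing record, as the migration step describes."""
    now = now or datetime.datetime.now()
    for key_field, exp_field, ttl in FIELDS.values():
        user[exp_field] = now + ttl if user.get(key_field) else None
```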

Change History (8)

comment:1 by Christopher Allan Webber, 15 years ago

This issue is blocked by and follows http://bugs.foocorp.net/issues/357, marked that appropriately.

comment:2 by Elrond, 15 years ago

If email verification expires, the account should be deleted. Either automatically, or by some "gmg cleanup" command or so. But this is maybe a new ticket. I just wanted to note this down somewhere.

comment:3 by Christopher Allan Webber, 15 years ago

Hm, is that something we really want to do? I'm not sure that too many projects do that. I think that users should be able to re-request email authorization, maybe?

comment:4 by Will Kahn-Greene, 14 years ago

The original url for this bug was http://bugs.foocorp.net/issues/394 .
Relations:
#72: blocked

comment:5 by Christopher Allan Webber, 14 years ago

Component: programming
Description: modified (diff)

I think that auto-expiry should definitely happen via a plugin, if people want it. I'm wary of that happening on its own.

As for the rest of this, someone just needs to pick up the ticket.

comment:6 by Stephen Compall, 13 years ago

Cc: Stephen Compall added

comment:7 by Christopher Allan Webber, 13 years ago

Relatedly, #668 should help us solve this. itsdangerous would be perfect for this.

comment:8 by Christopher Allan Webber, 13 years ago

Resolution: fixed
Status: accepted → closed

And with rodney's branch on #624 done, this is accomplished!
