Opened 13 years ago

Closed 11 years ago

#107 closed defect (fixed)

Email verification and forgot password verification tokens should expire

Reported by: Christopher Allan Webber Owned by:
Priority: minor Milestone:
Component: programming Keywords:
Cc: Stephen Compall Parent Tickets:

Description (last modified by Christopher Allan Webber)

Email verification should expire after 30 days and forgot password
verification should expire after 7.

Things that should be done:


-  These fields should be added but not required
-  Views should be modified to add these expiration fields when
   adding the tokens
-  Views should be modified to check the expiration fields before
   using
-  A migration should be added...
   
   -  fields without verification keys should just have the
      email\_verification\_expires and/or fp\_verification\_expires set
      to None
   -  fields with verification keys should set them to a timedelta
      from today


You can set these fields via a timedelta:

::

    >>> import datetime
    >>> datetime.datetime.now() + datetime.timedelta(days=10)
    datetime.datetime(2011, 7, 4, 8, 41, 8, 502139)



Change History (8)

comment:1 by Christopher Allan Webber, 13 years ago

This issue is blocked by and follows
`http://bugs.foocorp.net/issues/357 <http://bugs.foocorp.net/issues/357>`_,
marked that appropriately.



comment:2 by Elrond, 13 years ago

If email verification expires, the account should be deleted.
Either automatically, or by some "gmg cleanup" command or so.
But this is maybe a new ticket. I just wanted to note this down
somewhere.



comment:3 by Christopher Allan Webber, 13 years ago

Hm, is that something we really want to do? I'm not sure that too
many projects do that. I think that users should be able to
re-request email authorization, maybe?



comment:4 by Will Kahn-Greene, 12 years ago

The original url for this bug was http://bugs.foocorp.net/issues/394 .
Relations:
#72: blocked

comment:5 by Christopher Allan Webber, 11 years ago

Component: programming
Description: modified (diff)

I think that auto-expiry should definitely happen via a plugin, if people want it. I'm wary of that happening on its own.

As for the rest of this, someone just needs to pick up the ticket.

comment:6 by Stephen Compall, 11 years ago

Cc: Stephen Compall added

comment:7 by Christopher Allan Webber, 11 years ago

Relatedly, #668 should help us solve this. itsdangerous would be perfect for this.

comment:8 by Christopher Allan Webber, 11 years ago

Resolution: fixed
Status: acceptedclosed

And with rodney's branch on #624 done, this is accomplished!

Note: See TracTickets for help on using tickets.