U [+d@sPddlmZddlmZddlmZmZddlmZmZGdddZ e Z dS))datetime)settings)constant_time_compare salted_hmac) base36_to_int int_to_base36c@seZdZdZdZdZdZdZddZddZ dd Z e e e Z d d Z d d Ze e eZddZddZddZddZddZddZdS)PasswordResetTokenGeneratorza Strategy object used to generate and check tokens for the password reset mechanism. z6django.contrib.auth.tokens.PasswordResetTokenGeneratorNcCs|jpd|_dS)Nsha256) algorithmselfr >/tmp/pip-unpacked-wheel-n7e__lmp/django/contrib/auth/tokens.py__init__sz$PasswordResetTokenGenerator.__init__cCs |jp tjSN)_secretrZ SECRET_KEYr r r r _get_secretsz'PasswordResetTokenGenerator._get_secretcCs ||_dSr)r)r secretr r r _set_secretsz'PasswordResetTokenGenerator._set_secretcCs|jdkrtjS|jSr)_secret_fallbacksrZSECRET_KEY_FALLBACKSr r r r_get_fallbackss z*PasswordResetTokenGenerator._get_fallbackscCs ||_dSr)r)r Z fallbacksr r r_set_fallbacks#sz*PasswordResetTokenGenerator._set_fallbackscCs|||||jS)zi Return a token that can be used once to do a password reset for the given user. )_make_token_with_timestamp _num_seconds_nowr)r userr r r make_token(s  z&PasswordResetTokenGenerator.make_tokencCs|r|s dSz|d\}}Wntk r4YdSXz t|}Wntk rXYdSX|jf|jD]}t|||||rhqqhdS|||t j krdSdS)zP Check that a password reset token is correct for a given user. F-T) split ValueErrorrrsecret_fallbacksrrrrrZPASSWORD_RESET_TIMEOUT)r rtokents_b36_tsrr r r check_token3s(  z'PasswordResetTokenGenerator.check_tokencCs>t|}t|j|||||jdddd}d||fS)N)rr z%s-%s)rrkey_salt_make_hash_valuer hexdigest)r r timestamprr"Z hash_stringr r rrTs  z6PasswordResetTokenGenerator._make_token_with_timestampcCsR|jdkrdn|jjddd}|}t||dp4d}|j|j|||S)a Hash the user's primary key, email (if available), and some user state that's sure to change after a password reset to produce a token that is invalidated when it's used: 1. The password field will change upon a password reset (even if the same password is chosen, due to password salting). 2. The last_login field will usually be updated very shortly after a password reset. Failing those things, settings.PASSWORD_RESET_TIMEOUT eventually invalidates the token. Running this data through salted_hmac() prevents password cracking attempts using the reset token, provided the secret isn't compromised. Nr) microsecondtzinfo)Z last_loginreplaceZget_email_field_namegetattrpkpassword)r rr*Zlogin_timestampZ email_fieldemailr r rr(bsz,PasswordResetTokenGenerator._make_hash_valuecCst|tdddS)Ni)intr total_seconds)r dtr r rr|sz(PasswordResetTokenGenerator._num_secondscCstSr)rnowr r r rrsz PasswordResetTokenGenerator._now)__name__ __module__ __qualname____doc__r'r rrrrrpropertyrrrr rr%rr(rrr r r rrs$   !rN) rZ django.confrZdjango.utils.cryptorrZdjango.utils.httprrrZdefault_token_generatorr r r rs  |