default_token_generator.check_token - always True

Just as the title says no matter what I’ve tried this function always returns true which is problematic. I have tried moving the auth_user.date_joined value to last year in hopes that check_token would see this as an expired token. So far no luck.

# Activate the account only when the token verifies for this user
if user is not None and default_token_generator.check_token(user, token):
    user.is_active = True

The date_joined field isn’t used anywhere in the token creation process. The call uses now() for creating it.

If you want to test it, you can change the user or timestamp in the token to determine whether or not it catches the alteration, and you can change the PASSWORD_RESET_TIMEOUT setting to a much shorter window.

Hi Ken,

Thanks for your response. I may not have been clear, but I’m looking at the function check_token and I was hoping that it checks against the date the user was created in order to determine if a token might be expired. I’ve read that the function check_token does check for expiry but wasn’t able to see this occur. In any event I’ve found a workaround rather than using check_token, but if it can indeed check for expired tokens I’d be happy to use it.

It does check for expired tokens - but the check is based upon the time the token is created, not when the user is created. And, the window of time for which the token is valid is based upon the setting PASSWORD_RESET_TIMEOUT.

Which database table/column is used to check the time? Perhaps this is what I’m missing.

It’s not. There’s no table involved in the check. It calculates the current time - the time the token was created (which is part of the token) and checks to see if it’s less than PASSWORD_RESET_TIMEOUT.

What is it exactly that you’re trying to do here? Is it possible that you’re looking for the wrong “thing”?
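To make the mechanism Ken describes concrete, here is an added, self-contained Python model of the token design (the creation time is embedded in the token, bound to the user's state by an HMAC, and compared against a timeout the way PASSWORD_RESET_TIMEOUT is). It is not Django's own code; the class, the secret and the sample user are constructed stand-ins, and the clock is injectable so expiry can be exercised without waiting.

```python
import hmac
import hashlib
import time
from dataclasses import dataclass


# Constructed stand-in for a Django user row; only the fields the HMAC covers.
@dataclass
class User:
    pk: int
    password: str   # the stored password hash, not a plaintext password
    email: str


class ActivationTokenGenerator:
    """Simplified model of the PasswordResetTokenGenerator design (assumption:
    not Django's code). The creation timestamp is the first field of the token;
    the HMAC binds that timestamp to the user's current state."""

    def __init__(self, secret: bytes, timeout: int, now=time.time):
        self.secret = secret
        self.timeout = timeout   # plays the role of PASSWORD_RESET_TIMEOUT (seconds)
        self.now = now           # injectable clock so expiry can be tested

    def _signature(self, user: User, ts: int) -> str:
        # Cover pk, password hash and email so the token dies when any of them changes.
        value = f"{user.pk}{user.password}{user.email}{ts}".encode()
        return hmac.new(self.secret, value, hashlib.sha256).hexdigest()[:32]

    def make_token(self, user: User) -> str:
        ts = int(self.now())     # creation time travels inside the token itself
        return f"{ts}-{self._signature(user, ts)}"

    def check_token(self, user: User, token: str) -> bool:
        try:
            ts_str, sig = token.split("-", 1)
            ts = int(ts_str)
        except ValueError:
            return False          # malformed token: wrong shape or non-numeric timestamp
        # Constant-time comparison so a forged signature leaks nothing about the mismatch.
        if not hmac.compare_digest(self._signature(user, ts), sig):
            return False
        # Expiry is "current time minus the embedded creation time"; no DB column is read.
        return int(self.now()) - ts <= self.timeout
```

With a 30 second timeout the same token verifies at 30 seconds and fails at 31; tampering with the embedded timestamp or changing the user's password hash also makes it fail.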

I think I was misunderstanding the way the token works, however it now makes sense to me.

I set PASSWORD_RESET_TIMEOUT=30 and now I am seeing that check_token returns false, which is great.

Essentially what I’m building is a basic register/activate process in a website where a user receives an email with a link to click and activate their account.

I think the setting you provided is what I was looking for and the other piece I needed to understand was that the creation time was built into the token itself.

Thanks! And hopefully I can get the rest of the functionality working with this information.