Will upgrade to Django3.2 break password reset tokens?

elgin9507 · August 17, 2022, 1:26pm

I have seen below note in Django 3.2 release notes. This relevant commit updated making hash value algorithm based on user and timestamp. It now includes user email as well compared to previous version:

return f'{user.pk}{user.password}{login_timestamp}{timestamp}{email}'

Previously (v3.1) it was:

return str(user.pk) + user.password + str(login_timestamp) + str(timestamp)

So I am worrying that upgrading from Django 3.1 to 3.2 will break my existing password reset tokens. It’s weird that this incompatibility is not mentioned in 3.2 release notes. Or maybe I am wrong about assuming this change incompatible?

KenWhitesell · August 17, 2022, 2:04pm

It probably does - but is it really a problem?

Those password reset tokens have a limited lifespan, and you can always request a new token.

elgin9507 · August 17, 2022, 2:12pm

Unfortunately, the situation is not that simple. We inherited Django’s PasswordResetTokenGenerator for generating user account activation token as well. We also overrode it to increase expiration time and make it configurable via admin panel. So, configured expiration time for some users is more than a month…

Topic		Replies	Views
Django - Set expiry to reset password token Using Django	3	1559	May 11, 2020
Django PasswordResetTokenGenerator Forms & APIs	1	9542	December 27, 2020
How can one generate password reset URLS? Using Django	3	9539	May 19, 2020
any reason for password field change Using Django	2	513	January 8, 2021
Unable to use password reset via auth_views.PasswordResetConfirmView to login Mystery Errors	10	5562	June 24, 2022

Will upgrade to Django3.2 break password reset tokens?

Related topics