On Wed, Nov 7, 2012 at 12:06 AM, Russell Keith-Magee <[email protected]> wrote:
> Hi Eric,
>
> Although the full stack trace would confirm it, I think I can guess what the problem is here -- it's the mechanism for generating reset tokens.
>
> If you dig into the token generation (and reversal) mechanisms, they use int_to_base36 and base36_to_int to convert the user's primary key into something that can be used as a reversible, text-based identifier of the user object that isn't the literal identifier itself. This identifier is then used as part of the password reset token (along with a timestamp component and a component based on the last login timestamp).
>
> A base36 encoding of an integer produces a nice reversible alphanumeric representation of the integer primary key that can be used in this reset token.
>
> So, yes -- non-integer primary keys will have a problem with any of the password reset or account activation logic. These should (he says, hopefully) be the only views that are affected.
>
> One of the big features for Django 1.5 is the introduction of swappable user models. However, even with that change, we've maintained the requirement that the User model has an integer primary key.
>
> That said, I'm not personally opposed to dropping this requirement -- we just need to find a way to abstract the PK-dependent tokenization part in a useful way. As an initial thought, this is something that we could abstract out to the token generator API; the token generator is already customisable in the password reset views. However, I'm certainly open to other approaches.
The token generator API looks very similar to the cryptographic signing API. The password reset views can be updated to use signing instead. In fact I rewrote the password reset views using class-based views and signing [0] and they ended up working very well even when using an external authentication system instead of contrib.auth. I also got rid of the base36 conversion in the process, but this could be added back with customization hooks. It seems the auth views could benefit from such a conversion.

[0] http://pypi.python.org/pypi/django-password-reset

Bruno
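As an added illustration of the two designs discussed above (the base36-encoded integer PK that breaks on non-integer keys, and a signed token that does not), here is example code that is not from Django or django-password-reset. It assumes SECRET stands in for settings.SECRET_KEY, that last_login is an integer timestamp, and that the caller passes the current time explicitly; the timestamps and the UUID-like primary key used in testing are constructed values.

```python
# Added example: a reset token whose user part is signed, not base36-encoded,
# so a non-integer primary key works. Assumptions: SECRET stands in for
# settings.SECRET_KEY; last_login is an int timestamp; the PK has a stable str().
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"

def int_to_base36(i):
    """The PK encoding the thread discusses; it has no meaning for a non-int PK."""
    if not isinstance(i, int) or i < 0:
        raise TypeError("base36 encoding needs a non-negative int primary key")
    digits, out = "0123456789abcdefghijklmnopqrstuvwxyz", ""
    while i >= 36:
        i, r = divmod(i, 36)
        out = digits[r] + out
    return digits[i] + out

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(payload, last_login):
    # last_login goes into the MAC, not the payload: a successful reset changes
    # it, which invalidates every token issued before without storing state.
    msg = payload + b"|" + str(last_login).encode()
    return _b64(hmac.new(SECRET, msg, hashlib.sha256).digest())

def make_token(user_pk, last_login, now):
    """Signed 'pk:issued' payload; any PK type, no base36 round trip needed."""
    payload = f"{user_pk}:{now}".encode()
    return f"{_b64(payload)}.{_mac(payload, last_login)}"

def check_token(token, user_pk, last_login, now, max_age=3 * 24 * 3600):
    """Constant-time MAC check first, then PK match, then the age window."""
    try:
        payload_b64, mac = token.split(".")
        payload = _unb64(payload_b64)
        pk_str, issued = payload.decode().rsplit(":", 1)
        issued = int(issued)
    except (ValueError, UnicodeDecodeError):
        return False
    if not hmac.compare_digest(mac, _mac(payload, last_login)):
        return False
    return pk_str == str(user_pk) and 0 <= now - issued <= max_age
```

In a view the payload would be looked up by PK after the MAC check, so the user lookup no longer depends on base36_to_int succeeding.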
