在python中生成重置令牌的最佳方法是什么? [英] what is the best way to generate a reset token in python?

问题描述

我正在尝试进行密码重置的验证过程，我使用了两个值:时期，并且我想使用用户的旧密码(pbkdf2)作为密钥，

I'm trying to make a validation process for a password reset, what i've used are two values: the epoch time, and i want to use the users's old password (pbkdf2) as a key,

由于我不想获取非ASCII字符，因此我使用了 SimpleEncode库因为它很快，因为它只是使用了密钥的BASE64，但是问题是密码太长(196个字符)，所以我得到了一个长密钥！

Since i dont want to get non ASCII characters, i've used SimpleEncode library because it's fast since it's only a BASE64 with a key used, but the problem is that the password is too long (196 chars) so i get a long key!

我所做的是将结果分割为code = simpleencode.encode(key,asci)[::30]，但这不是唯一的！

What i've done is split the result code = simpleencode.encode(key,asci)[::30], but this will not be unique!

要想知道它是如何工作的，我尝试了Facebook重置过程，但是给出的是一个数字！因此该过程如何进行，难道他们不使用密钥来使某人很难伪造一个链接来重置某人的密码吗?

To get an idea how it works, i've tried Facebook reset process, but what is given is a number! so how this process works, don't they use a key to make it hard for someone to forge a link to reset someone's password?

更新:算法将如何工作:

Update: how the algorithme will work:

1-使用epoche time.time()

1- get the time using epoche time.time()

2-生成epoche时间的Base64(用于URL)和纪元时间值+一个密钥，该密钥是PBKDF2(密码).

2- generate the Base64 of the epoche time (to use for the URL) and the epoch time value + a key, this key is PBKDF2(password).

3-生成URL www.example.com/reset/user/Base64(time.time())并发送此URL + simpleencode.encode(key,asci)[::30]

3- generate the url www.example.com/reset/user/Base64(time.time()) and send this URL + the simpleencode.encode(key,asci)[::30]

4-当用户单击URL时，他将生成的代码放入该生成的代码中，如果该生成的代码与URL匹配，则让他修改密码，否则，这是一个忘记URL！

4- when the user clicks on the URL, he put the generated code, this generated code, if it matches with the URL, then let him modifiy the password, else, it is a forget URL!

推荐答案

不确定这是最好的方法，但是我可能只是生成一个UUID4，可以在URL中使用它来重置密码，并在"n'的时间.

Not sure it's the best way, but I'd probably just generate a UUID4, which can be used in a URL to reset the password and expire it after 'n' amount of time.

>>> import uuid
>>> uuid.uuid4().hex
'8c05904f0051419283d1024fc5ce1a59'

您可以使用 http://redis.io 之类的东西来持有该密钥，并使用适当的用户ID值并设置其时间为了生活.因此，当> http://example.com/password-reset/8c05904f0051419283d1024fc5ce1a59 进来时，它看起来是否有效，然后允许更改以设置新密码.

You could use something like http://redis.io to hold that key, with a value of the appropriate user ID and set its time to live. So, when something comes in from http://example.com/password-reset/8c05904f0051419283d1024fc5ce1a59 it looks to see if it's valid and if so then allows changes to set a new password.

如果您确实想要验证码"，则将其与令牌一起存储，一个小的随机密钥，例如:

If you did want a "validation pin", then store along with the token, a small random key, eg:

>>> from string import digits
>>> from random import choice
>>> ''.join(choice(digits) for i in xrange(4))
'2545'

并请求在重置链接上输入.

And request that be entered on the reset link.

这篇关于在python中生成重置令牌的最佳方法是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！