Assuming I'm already using the library `django.contrib.auth.tokens.default_token_generator` to generate tokens for resetting a user's password, and I want to use the same method to activate the user, or for any other similar service, are there the following risks?
- Revealing unwanted details to the user, such as the id or the hash of the password persisted in the database;
- Once a token 'X' is generated for a given action, such as resetting the password, the user can use this token for another action, such as activating the user;
- Once a new token is generated for the user, previous tokens for the same user remain active.
Although my doubts were partially clarified in this question, I still can't tell how a token remains active or deactivated without being persisted in a database; would it be by updating the user's `last_login` field? In any case, I would definitely like to understand the logic behind this method so I can understand the risks and benefits in production.
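The following is an added example, not code from the question or from Django itself. It is a simplified re-implementation of the scheme Django's `PasswordResetTokenGenerator` uses (an HMAC, keyed from `key_salt` plus `SECRET_KEY`, over the user's pk, stored password hash, `last_login`, a timestamp and e-mail, with the timestamp sent alongside the MAC so the server can recompute it) and walks through each of the three risks listed above. The secret key, the user record, the fixed clock and the `ActivationTokenGenerator` subclass are constructed assumptions for the demo; the subclass shows the mitigation for risk 2, giving each action its own `key_salt` so tokens are not interchangeable.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Constructed stand-ins for settings.SECRET_KEY and settings.PASSWORD_RESET_TIMEOUT (3 days).
SECRET_KEY = "constructed-secret-key-do-not-reuse"
PASSWORD_RESET_TIMEOUT = 3 * 24 * 60 * 60


@dataclass
class FakeUser:
    """Minimal stand-in for a Django user; only the fields the token is bound to."""
    pk: int
    password: str                       # the stored password *hash*, as user.password is in Django
    email: str
    last_login: Optional[datetime] = None


def int_to_base36(value: int) -> str:
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        value, rem = divmod(value, 36)
        out = digits[rem] + out
        if value == 0:
            return out


def salted_hmac(key_salt: str, value: str, secret: str) -> "hmac.HMAC":
    # Same construction as django.utils.crypto.salted_hmac: the HMAC key is
    # derived from salt + secret, then the value is MACed with SHA-256.
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256)


class StatelessTokenGenerator:
    """Simplified model of Django's PasswordResetTokenGenerator (not Django's code)."""
    key_salt = "example.PasswordResetTokenGenerator"

    def __init__(self, clock: Callable[[], datetime]):
        self._now = clock               # injectable clock so the demo is deterministic

    def _hash_value(self, user: FakeUser, timestamp: int) -> str:
        # Nothing is stored server-side: the token is valid exactly as long as
        # recomputing this string yields the same MAC. A login (new last_login) or
        # a password change (new hash) silently invalidates every earlier token.
        login_ts = "" if user.last_login is None else user.last_login.replace(microsecond=0, tzinfo=None)
        return f"{user.pk}{user.password}{login_ts}{timestamp}{user.email}"

    def _token(self, user: FakeUser, timestamp: int) -> str:
        mac = salted_hmac(self.key_salt, self._hash_value(user, timestamp), SECRET_KEY)
        return f"{int_to_base36(timestamp)}-{mac.hexdigest()[::2]}"

    def make_token(self, user: FakeUser) -> str:
        return self._token(user, int(self._now().timestamp()))

    def check_token(self, user: FakeUser, token: str) -> bool:
        try:
            ts_b36, _ = token.split("-")
            timestamp = int(ts_b36, 36)
        except ValueError:              # malformed token: wrong shape or bad base36
            return False
        expected = self._token(user, timestamp)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        return int(self._now().timestamp()) - timestamp <= PASSWORD_RESET_TIMEOUT


class ActivationTokenGenerator(StatelessTokenGenerator):
    """Hypothetical subclass: a distinct key_salt makes reset and activation tokens non-interchangeable."""
    key_salt = "example.ActivationTokenGenerator"


def demonstrate() -> Dict[str, bool]:
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)           # constructed fixed clock
    user = FakeUser(pk=42, password="pbkdf2_sha256$600000$constructedsalt$constructedhash",
                    email="alice@example.test")                          # constructed user
    reset = StatelessTokenGenerator(lambda: t0)
    activate = ActivationTokenGenerator(lambda: t0)
    findings: Dict[str, bool] = {}

    token1 = reset.make_token(user)
    # Risk 1: the token is "<base36 timestamp>-<truncated HMAC>"; the stored hash is not in it.
    findings["token_contains_password_hash"] = user.password in token1
    # Risk 2: with one generator for every action, one token passes every check ...
    findings["reset_token_passes_reset_check"] = reset.check_token(user, token1)
    # ... but not a check made with a generator that has its own key_salt.
    findings["reset_token_passes_activation_check"] = activate.check_token(user, token1)
    # Risk 3: issuing a second token revokes nothing, because nothing is stored to revoke.
    later = StatelessTokenGenerator(lambda: t0 + timedelta(minutes=5))
    token2 = later.make_token(user)
    findings["old_token_valid_after_new_token"] = later.check_token(user, token1)
    # What does invalidate tokens: the user state they were MACed over changes (here, a login).
    user.last_login = t0 + timedelta(minutes=10)
    findings["old_tokens_valid_after_last_login_update"] = (
        later.check_token(user, token1) or later.check_token(user, token2))
    # The only other limit is the timeout, again enforced without any stored state.
    token3 = later.make_token(user)
    at_limit = StatelessTokenGenerator(lambda: t0 + timedelta(minutes=5, seconds=PASSWORD_RESET_TIMEOUT))
    past_limit = StatelessTokenGenerator(lambda: t0 + timedelta(minutes=5, seconds=PASSWORD_RESET_TIMEOUT + 1))
    findings["token_valid_at_timeout"] = at_limit.check_token(user, token3)
    findings["token_valid_past_timeout"] = past_limit.check_token(user, token3)
    findings["garbage_token_accepted"] = reset.check_token(user, "not-a-token-at-all")
    return findings
```

Running `demonstrate()` shows the answers to the three points directly: the token leaks neither the pk nor the stored hash (only a timestamp and a truncated MAC), a token made by the shared `default_token_generator` is accepted wherever that same generator checks it, and earlier tokens stay valid after newer ones are issued until the user's `last_login` or password hash changes or the timeout passes. That is also the answer to the persistence question: nothing is stored, so "deactivation" only ever happens by changing the fields the MAC covers or by the clock.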