
Comments (5)

aaugustin avatar aaugustin commented on July 29, 2024

Tying tokens to passwords is a security feature. From https://github.com/aaugustin/django-sesame#a-few-words-about-security:

Tokens are tied to the primary key and the password of the corresponding user. Changing the password invalidates the token.

From a security perspective, I'm uncomfortable with the idea of non-revocable tokens.

If I had to implement non-expiring tokens, I'd create a table of tokens with a one-to-one relationship with users. That would still allow removing or rotating a token.

That should take less than 50 lines of code: it requires a Token model, a post-save signal on User to create tokens, an admin to manage tokens and a middleware which can be largely borrowed from django-sesame. I would say it's a different project from django-sesame, though :-)

I'm keeping the issue open because I'd like to think a bit more about it and perhaps clarify the docs.

from django-sesame.

paterlinimatias avatar paterlinimatias commented on July 29, 2024

I agree that the majority of cases would be satisfied with your concept, but when you allow social login on your app you do not have a password. Then if you want to set up a password, you end up resetting your token. It's probably not really common to use the magic links in bot conversations, but that's our case, and it became a big problem.
We'll figure it out, I just wanted a second opinion.


aaugustin avatar aaugustin commented on July 29, 2024

That's a valid use case and indeed one django-sesame doesn't handle very well.

I would find it acceptable to disable token invalidation on password change when SESAME_MAX_AGE is set — or perhaps if it's set to a low value (not more than a few days). If the token expires soon, then it can be reasonable not to invalidate it and simply wait for it to expire. A setting would opt-in to this behavior.

Mostly I'm trying to avoid Giving Users Guns Pointed At Feet :-) such as non-expiring, non-revocable tokens. (At worst you can always change SECRET_KEY but that's brutal).


aaugustin avatar aaugustin commented on July 29, 2024

I can add a setting that prevents token invalidation on password change, but would raise an error when SESAME_MAX_AGE isn't set.


aaugustin avatar aaugustin commented on July 29, 2024

Magic links seem to be a good use case of django-sesame.

I think the commit I just merged should do what you want.

(You don't get "eternal" tokens because that's a Big Gun Aimed At User's Feet.)

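As an added illustration of the design discussed in this thread (not django-sesame's own code), the following self-contained Python binds a token to the user's primary key and password hash so that a password change invalidates it, enforces a max age like SESAME_MAX_AGE, and only allows dropping the password binding when a max age is set. SECRET_KEY and the password hashes are constructed placeholders.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret for this example; a real project would use its SECRET_KEY.
SECRET_KEY = b"example-secret-key-not-for-production"


def _password_fingerprint(password_hash: str) -> bytes:
    # Short digest of the stored password hash: it changes whenever the password does.
    return hashlib.sha256(password_hash.encode()).digest()[:8]


def make_token(user_pk, password_hash, bind_password=True, issued_at=None):
    """Token = pk || issued-at || HMAC(secret, pk || issued-at || password fingerprint).

    With bind_password=False the fingerprint is left out of the MAC input, so changing
    the password no longer invalidates the token (the opt-in discussed above).
    """
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = struct.pack(">QQ", user_pk, issued_at)
    fp = _password_fingerprint(password_hash) if bind_password else b""
    mac = hmac.new(SECRET_KEY, payload + fp, hashlib.sha256).digest()[:16]
    return payload + mac


def check_token(token, user_pk, password_hash, max_age=None, bind_password=True, now=None):
    """True only if the MAC matches and, when max_age (seconds) is set, the token is fresh."""
    if not bind_password and max_age is None:
        # Non-expiring, non-revocable tokens are refused outright.
        raise ValueError("bind_password=False requires max_age")
    if len(token) != 32:
        return False
    payload, mac = token[:16], token[16:]
    pk, issued_at = struct.unpack(">QQ", payload)
    if pk != user_pk:
        return False
    fp = _password_fingerprint(password_hash) if bind_password else b""
    expected = hmac.new(SECRET_KEY, payload + fp, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(mac, expected):
        return False
    if max_age is not None:
        now = time.time() if now is None else now
        if now - issued_at > max_age:
            return False
    return True
```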
