Invalidate token about django-sesame HOT 5 CLOSED

Right now the only way to invalidate a token is to change the user's password. There's several ways to achieve this, which may or may not be practical:

• If the user a usable password, you can ask for it, check it, and set the same password — this is enough to invalidate tokens.
• If the user doesn't have a usable password, you can simply set another unusable password.

Depending on how you're using django-sesame, you may also be able to do something with the recently introduced feature - scoped tokens. The workflow would look like:

• generate a unique scope along with each token
• pass the token and the scope in the URL
• if there's already an entry in the database with that scope, abort
• else, validate the token with the scope and proceed as you currently do
• if the data is valid, store the data and the scope in the database.

Hope this helps!

from django-sesame.

Merci Aymeric!
I have already set unusable passwords, I will do in this way. May be later I will evaluate your proposed workflow.
Thanks!

from django-sesame.

Good, then it's as simple as:

assert user.has_usable_password()  # let's not destroy a password accidentally
user.set_unusable_password()  # change password to invalidate token
user.save()

from django-sesame.

@aaugustin How would one invalidate a token programmatically without having the user give the password? Assuming the user has a usable password.

from django-sesame.

django-sesame doesn't provide a way to do this — because it doesn't store any state beyond what django.contrib.auth already stores, and there's no piece of state that you can alter to get this effect.

from django-sesame.