social-core

Add settings for mail_validation to allow for reusable and time-expiring codes

Open • scottp-dpaw opened this issue 7 years ago • 1 comment

We have a number of apps deployed with PSA set up in email authentication mode. For the most part it works okay, but since the introduction of single-use code verification the process falls over for a small number of users:

  • User asks for a verification email to log in
  • Verification email is sent to the user with a code
  • Awful security appliance on user's network intercepts the email/the user's session and visits the link first, eating the session cookie
  • Awful security appliance gets a 302 and hands that back to the user
  • User gets told that their token has expired and to try again
  • Repeat

To fix this, we've added two optional settings:

  • EMAIL_VALIDATION_ALLOW_REUSE (bool): validate_email() will not return False for verified codes
  • EMAIL_VALIDATION_EXPIRED_THRESHOLD (int): validate_email() will return False if the code has a timestamp and is more than [int] seconds in the past

scottp-dpaw avatar Feb 23 '18 06:02 scottp-dpaw
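To make the two proposed settings concrete, here is an added stand-alone model of the validation logic described in the issue; it is not social-core's own code. Only the setting names and the validate_email() name come from the issue; the Code record, the settings dict and the appliance_then_user() replay helper are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Code:
    """One issued verification code (constructed stand-in for a stored row)."""
    email: str
    code: str
    verified: bool = False
    timestamp: Optional[datetime] = None


def validate_email(record, email, code, settings, now=None):
    """Return True if (email, code) is acceptable under the two optional settings.

    EMAIL_VALIDATION_ALLOW_REUSE: an already-verified code is still accepted.
    EMAIL_VALIDATION_EXPIRED_THRESHOLD: a code older than N seconds is rejected.
    Rejection is reported as False, as the issue describes, never as an exception.
    """
    now = now or datetime.now(timezone.utc)
    if record is None or record.email != email:
        return False
    if not hmac.compare_digest(record.code.encode(), code.encode()):
        return False  # constant-time compare of the submitted code
    if record.verified and not settings.get("EMAIL_VALIDATION_ALLOW_REUSE", False):
        return False  # single-use default: the second visit is refused
    threshold = settings.get("EMAIL_VALIDATION_EXPIRED_THRESHOLD")
    if threshold is not None and record.timestamp is not None:
        if now - record.timestamp > timedelta(seconds=threshold):
            return False  # reusable but stale: refuse
    record.verified = True
    return True


def appliance_then_user(settings, user_delay_seconds):
    """Replay the issue's scenario: a link scanner follows the link first and the
    real user follows it `user_delay_seconds` later. Returns both outcomes."""
    issued = datetime(2018, 2, 23, 6, 0, tzinfo=timezone.utc)  # constructed time
    record = Code(email="user@example.org", code="abc123", timestamp=issued)
    appliance = validate_email(record, "user@example.org", "abc123", settings, now=issued)
    user = validate_email(record, "user@example.org", "abc123", settings,
                          now=issued + timedelta(seconds=user_delay_seconds))
    return appliance, user


if __name__ == "__main__":
    print(appliance_then_user({}, 30))  # default: scanner wins, user is refused
    print(appliance_then_user({"EMAIL_VALIDATION_ALLOW_REUSE": True,
                               "EMAIL_VALIDATION_EXPIRED_THRESHOLD": 600}, 30))
```

With both settings on, the user's later visit succeeds as long as it falls inside the threshold; a code that is reused after the threshold is still refused.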

We've run into this issue with a user; I'm not sure if this is the correct solution, but the PR or an alternate solution should be considered.

GregoryAveryWeir avatar Dec 22 '20 21:12 GregoryAveryWeir