Closed thomascenni closed 4 years ago
Right now the only way to invalidate a token is to change the user's password. There are several ways to achieve this, which may or may not be practical:
Depending on how you're using django-sesame, you may also be able to do something with the recently introduced feature - scoped tokens. The workflow would look like:
Hope this helps!
Merci Aymeric! I have already set unusable passwords, I will do it this way. Maybe later I will evaluate your proposed workflow. Thanks!
Good, then it's as simple as:
```python
assert not user.has_usable_password()  # let's not destroy a password accidentally
user.set_unusable_password()  # change password to invalidate token
user.save()
```
@aaugustin How would one invalidate a token programmatically without having the user give the password? Assuming the user has a usable password.
django-sesame doesn't provide a way to do this — because it doesn't store any state beyond what django.contrib.auth already stores, and there's no piece of state that you can alter to get this effect.
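Added example, not part of the thread and not django-sesame's code: a simplified standard-library model of a stateless token whose MAC covers the user's password field, showing why rotating an unusable password invalidates a token that has not yet expired. `User`, `make_token`, `check_token`, `finish_wizard` and `SECRET_KEY` are hypothetical names for this sketch; the real token format differs.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key"  # constructed; stands in for Django's SECRET_KEY


class User:
    """Minimal stand-in for a Django user: a pk and a stored password field."""

    def __init__(self, pk):
        self.pk = pk
        self.set_unusable_password()

    def set_unusable_password(self):
        # Mimics Django: "!" marker plus a fresh random suffix on every call.
        self.password = "!" + secrets.token_hex(20)

    def has_usable_password(self):
        return not self.password.startswith("!")


def _sign(pk, password_field):
    msg = f"{pk}:{password_field}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(user):
    """Stateless token: the pk plus a MAC that covers the password field."""
    return f"{user.pk}.{_sign(user.pk, user.password)}"


def check_token(token, users):
    """Return the user the token authenticates, or None if it is invalid."""
    pk_text, _, mac = token.partition(".")
    valid_pk = pk_text.isascii() and pk_text.isdigit()
    user = users.get(int(pk_text)) if valid_pk else None
    if user is None:
        return None
    expected = _sign(user.pk, user.password)
    return user if hmac.compare_digest(mac.encode(), expected.encode()) else None


def finish_wizard(user):
    """End-of-wizard step from the thread: rotate the field to kill the token."""
    assert not user.has_usable_password()  # never overwrite a real password
    user.set_unusable_password()
```

Nothing is stored per token, so the only lever in this model is the field the MAC covers; a user with a real password would lose it under the same approach.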
Hi, is it possible to invalidate the token before its expiration? My use case is that a user fills out a form (wizard) and at the end of the wizard, if the data are valid, they are stored in the db and the token must be invalidated. Thanks.