I have created a token using python itsdangerous URLSafeTimedSerializer for forgot password functionality. The token expires after the max-age, but when the password is reset I need to expire that token, so that the user is not able to reset the password with the token again and again until it expires. So, the question here is how to expire the token after the user resets the password?

Natasha
  • Hi please refer to: https://stackoverflow.com/help/how-to-ask on how to ask a good question. Without the code that you already tried it is basically guessing and will not help you understand it. Post your code in such a way that it is quick to understand and without unnecessary code so we can point out what went wrong and help you out. – Uber Nov 14 '19 at 09:06

1 Answer

Despite the comment of @Uber, I understand the question. Also I believe this is more a design question, so posting code would not make that much sense. This time I'll provide an answer, but remember to properly write the question in the future, e.g. providing a scenario, like your database table, and better describing the sequence of activities for resetting the password (see https://stackoverflow.com/help/how-to-ask).

So, say you generate a token via the URLSafeTimedSerializer library as follows:

from itsdangerous import URLSafeTimedSerializer

# The serializer signs (not encrypts) the payload and embeds a timestamp
ts = URLSafeTimedSerializer("my-secret-key")
email = "user@example.com"  # the address of the account requesting the reset
token = ts.dumps(email, salt="my-salt")

In order to expire such token, you have different possibilities:

  1. Create a blacklist of already used tokens (not a good idea as it would become too long and you may have clashes when generating tokens).
  2. Add a 'token_reset' field to your user table, and store the current valid token there. As soon as the user uses it, delete it from the table. If no token exists for a user, it'll mean that he/she has already used it.
  3. Add a timestamp to your token, so that when you get it back (you can decrypt it with the itsdangerous library), you know if it has expired or not (though a user may use it twice in 5 minutes).

There may be other ways to solve such a problem, but solution #2 is the one used most frequently (from my experience). If other users have other suggestions, feel free to edit this answer.

lsabi
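The single-use pattern from solution #2 above, written out as an added example (not code from the answer or from the itsdangerous project). To keep it runnable without third-party packages it substitutes a minimal HMAC-signed, timestamped token built from the standard library for URLSafeTimedSerializer; the salt-in-key construction mirrors what itsdangerous does, but the token format is this example's own. The in-memory `users` dict stands in for the user table with its 'reset_token' column, and every name, key and sample value here is constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

# Constructed values for the example; a real deployment loads the secret from config.
SECRET_KEY = b"my-secret-key"
SALT = b"password-reset"

UserTable = Dict[str, Dict[str, Optional[str]]]


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(payload: bytes) -> bytes:
    # Derive a purpose-specific key from salt + secret so that a token signed
    # for some other feature under the same secret does not verify here.
    key = hashlib.sha256(SALT + SECRET_KEY).digest()
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_token(email: str, now: Optional[float] = None) -> str:
    """Signed, timestamped token shaped as base64(payload).base64(hmac)."""
    issued_at = int(time.time() if now is None else now)
    payload = json.dumps({"email": email, "iat": issued_at}).encode("utf-8")
    return _b64(payload) + "." + _b64(_signature(payload))


def load_token(token: str, max_age: int, now: Optional[float] = None) -> Optional[str]:
    """Return the email carried by a correctly signed, unexpired token, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:  # malformed base64 or missing separator
        return None
    if not hmac.compare_digest(sig, _signature(payload)):
        return None
    data = json.loads(payload)
    current = time.time() if now is None else now
    if current - data["iat"] > max_age:
        return None  # max-age check, the part the question already had
    return data["email"]


def _hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return _b64(salt) + "$" + _b64(digest)


def request_reset(users: UserTable, email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a token and remember it as the account's only valid reset token."""
    if email not in users:
        return None
    token = make_token(email, now)
    users[email]["reset_token"] = token  # solution #2: store the current valid token
    return token


def reset_password(users: UserTable, token: str, new_password: str,
                   max_age: int = 3600, now: Optional[float] = None) -> bool:
    """Accept the token once: signature and age must be valid AND it must still be stored."""
    email = load_token(token, max_age, now)
    if email is None:
        return False
    stored = users.get(email, {}).get("reset_token")
    if stored is None or not hmac.compare_digest(stored, token):
        return False  # already used, superseded, or never issued
    users[email]["password_hash"] = _hash_password(new_password)
    users[email]["reset_token"] = None  # consume it: the same link is refused from now on
    return True


def demo() -> Dict[str, bool]:
    """Same token presented twice: first reset succeeds, the replay is rejected."""
    users: UserTable = {"alice@example.com": {"password_hash": None, "reset_token": None}}
    t0 = 1_700_000_000
    token = request_reset(users, "alice@example.com", now=t0)
    return {
        "first_use": reset_password(users, token, "new-pass-1", now=t0 + 60),
        "second_use": reset_password(users, token, "new-pass-2", now=t0 + 120),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties fall out of storing the token on the user row: a replayed token fails even though its signature and timestamp are still fine, and a second reset request overwrites the first, so only the most recent link works. Storing a hash of the token instead of the token itself is a common hardening, since a leaked user table then does not hand out live reset links.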