
How do I reset/change a password in Node.js with Passport.js?

Updated: 2023-12-04 11:18:52

Didn't really like the idea of hitting my database to store tokens, especially when you want to be creating and verifying tokens for many actions.

Instead, I decided to copy the way Django does it:

  • convert timestamp_today to base36 as today
  • convert user.id to base36 as ident
  • create a hash containing:
    • timestamp_today
    • user.id
    • user.last_login
    • user.password
    • user.email

We test req.params.timestamp simply to check whether it is valid for today: cheapest test first, fail first.

Then we find the user, and fail if it doesn't exist.

Then we generate the hash again as above, but with the timestamp from req.params.

The reset link becomes invalid if:

  • they remember their password and log in (last_login changes)
  • they're actually still logged in and:
    • just change their password (password changes)
    • just change their email (email changes)

This way:

  • you don't store these ephemeral things in the database
  • when the purpose of the token is to change the state of something, and that state has changed, the token is no longer security-relevant