Password reset scheme
//
// Example.
//
// Requires the packages "time" and "github.com/dchest/passwordreset".
//
// Your application must have a strong secret key for password reset purposes.
// This key is used to generate and verify password reset tokens. (If you
// already have a secret key, for example for the authcookie package, don't
// reuse it; use a separate one, so that a compromise of one key does not
// break both mechanisms.)
secret := []byte("assume we have a long randomly generated secret key here")

// Create a function that queries your users database and returns some
// password-related value for the given login. A password-related value is
// a value that changes once a user changes their password, for example: the
// password hash, the random salt used to generate it, or the time of
// password creation. This value, mixed with the app-specific secret key, is
// used only as the key for the password reset token, so it stays secret: it
// is never embedded in the token. Because the key depends on it, a token
// stops verifying as soon as the password changes, which makes a reset link
// single-use and makes older links useless.
func getPasswordHash(login string) ([]byte, error) {
	// return the password hash for the login,
	// or an error if there's no such user
}

// When a user initiates a password reset (by entering their login, and maybe
// answering a secret question), generate a reset token:
pwdval, err := getPasswordHash(login)
if err != nil {
	// user doesn't exist, abort (but show the requester the same response
	// as for an existing user, so the form can't be used to enumerate logins)
	return
}
// Generate a reset token that expires in 12 hours. NewToken takes a
// time.Duration, so write 12*time.Hour: an untyped 12*60*60 would be
// interpreted as 43200 nanoseconds and the token would expire immediately.
token := passwordreset.NewToken(login, 12*time.Hour, pwdval, secret)

// Send a link with this token to the user by email, for example:
// www.example.com/reset?token=Talo3mRjaGVzdITUAGOXYZwCMq7EtHfYH4ILcBgKaoWXDHTJOIlBUfcr
// The token is a bearer credential for the account until it expires or is
// used, so serve the reset page over HTTPS only.

// Once a user clicks this link, read the token from it, then verify it by
// passing it to the VerifyToken function along with the getPasswordHash
// function and the app-specific secret key:
login, err := passwordreset.VerifyToken(token, getPasswordHash, secret)
if err != nil {
	// verification failed, don't allow password reset
	return
}
// OK, reset the password for login (e.g. let the user choose a new one)

// If verification succeeded, let the user set a new password for the returned
// login. Storing the new password changes the password-related value, which
// invalidates the token, so the link cannot be replayed.
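The properties this scheme relies on (token keyed by the user's current password value and the app secret, expiry checked, MAC compared in constant time, old links dying on password change) as a self-contained added example. This is not the passwordreset package's own code; the function names, the token layout (expiry || login || HMAC-SHA256, base64url) and the in-memory user table are assumptions made for the example.

```go
// Added example, not code from the passwordreset package: a self-contained
// version of the scheme described above. Function names, the token layout and
// the in-memory user table are assumptions made for this example.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

var errInvalidToken = errors.New("invalid or expired reset token")

// userKey mixes the app secret with the user's current password-related
// value. Anything that changes pwdval (a password change) changes the key,
// so tokens issued before the change no longer verify.
func userKey(pwdval, secret []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(pwdval)
	return m.Sum(nil)
}

// tag authenticates the token body (expiry || login) under the per-user key.
func tag(key, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(nil)
}

// newResetToken returns base64url(expiry(8 bytes, big-endian Unix time) ||
// login || HMAC-SHA256). Expiry and login are readable by anyone holding
// the token; pwdval and secret are only MAC keys and never appear in it.
func newResetToken(login string, expiry time.Time, pwdval, secret []byte) string {
	body := make([]byte, 8+len(login))
	binary.BigEndian.PutUint64(body, uint64(expiry.Unix()))
	copy(body[8:], login)
	return base64.RawURLEncoding.EncodeToString(append(body, tag(userKey(pwdval, secret), body)...))
}

// verifyResetToken parses the token, looks up the user's *current* pwdval
// through getPwdval, recomputes the MAC and compares it in constant time,
// then checks expiry against now. The login is returned only on success;
// every failure maps to the same error so callers can't tell them apart.
func verifyResetToken(token string, now time.Time, getPwdval func(string) ([]byte, error), secret []byte) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < 8+1+sha256.Size {
		return "", errInvalidToken
	}
	body, got := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	login := string(body[8:])
	pwdval, err := getPwdval(login)
	if err != nil {
		return "", errInvalidToken
	}
	if !hmac.Equal(got, tag(userKey(pwdval, secret), body)) {
		return "", errInvalidToken
	}
	expiry := time.Unix(int64(binary.BigEndian.Uint64(body[:8])), 0)
	if now.After(expiry) {
		return "", errInvalidToken
	}
	return login, nil
}

// users is a constructed stand-in for the users table: login -> password hash.
var users = map[string][]byte{"alice": []byte("constructed-hash-v1")}

func getPasswordHash(login string) ([]byte, error) {
	if h, ok := users[login]; ok {
		return h, nil
	}
	return nil, errors.New("no such user")
}

func main() {
	secret := []byte("assume we have a long randomly generated secret key here")
	now := time.Now()
	tok := newResetToken("alice", now.Add(12*time.Hour), users["alice"], secret)
	fmt.Println(verifyResetToken(tok, now, getPasswordHash, secret))                   // alice <nil>
	fmt.Println(verifyResetToken(tok, now.Add(13*time.Hour), getPasswordHash, secret)) // expired
	users["alice"] = []byte("constructed-hash-v2")                                     // password changed
	fmt.Println(verifyResetToken(tok, now, getPasswordHash, secret))                   // old link rejected
}
```

Note that the MAC is checked before the expiry so a forged token is rejected whatever expiry it claims, and that the lookup goes through the same function at verify time as at issue time: the token holds no state of its own, so changing the stored password value is the only revocation needed.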