What does reset password token protect against?
This is more of a concept question than a specific code one. I am building a web app in Django which almost entirely handles the password reset process. And it had me thinking: what does the token do? I'm aware that it checks whether the same email that requested the reset is the one changing the password. But why is this needed? If someone tried to send a reset email to someone else's email, they would need that email's password to actually change it. Is the token just another layer of protection? Is it necessary?
I also do not understand the way Django handles it:
from django.contrib.auth import views as auth_views
from django.urls import path

urlpatterns = [
    path('password-reset-confirm/<uidb64>/<token>/',
         auth_views.PasswordResetConfirmView.as_view(template_name='users/password_reset_confirm.html'),
         name='password_reset_confirm'),  # the name Django's default reset email template reverses
]
How does passing the token in here, which is the page you access when the reset email is sent to YOU, make it secure? The latter question isn't as important.
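As an added example (not part of the question, and not Django's own source), here is a self-contained, simplified model of the design behind Django's PasswordResetTokenGenerator. It shows what the `<token>` segment of the URL actually guarantees: the link cannot be forged by someone who only knows the uid, it expires, and it stops working once the reset has been used. The `User` dataclass, `SECRET_KEY` and `TOKEN_TIMEOUT` are constructed stand-ins for the Django model and settings.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a Django user row; not django.contrib.auth's User model.
@dataclass
class User:
    pk: int
    email: str
    password: str      # the stored password *hash*, as Django stores it
    last_login: int    # unix seconds; 0 if the user never logged in

SECRET_KEY = b"example-secret-not-for-production"  # assumption: plays the role of settings.SECRET_KEY
TOKEN_TIMEOUT = 3 * 24 * 3600                      # assumption: 3 days, like PASSWORD_RESET_TIMEOUT's default

def _mac(user: User, timestamp: int) -> str:
    # Everything that should invalidate the link is mixed into the MAC input:
    # the user's current password hash (changes once the reset is used),
    # last_login (changes when the user signs in) and the issue timestamp.
    # Without SECRET_KEY nobody can compute this, so the link cannot be guessed.
    value = f"{user.pk}{user.password}{user.last_login}{timestamp}{user.email}"
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()[:40]

def make_token(user: User, now: Optional[int] = None) -> str:
    ts = int(time.time() if now is None else now)
    return f"{ts:x}-{_mac(user, ts)}"   # "<timestamp>-<mac>"; Django encodes the timestamp in base36

def check_token(user: User, token: str, now: Optional[int] = None) -> bool:
    """True only if the token was minted for this user's *current* state and is not expired."""
    try:
        ts_hex, mac = token.split("-", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False
    # Constant-time comparison so a wrong guess doesn't leak how many characters matched.
    if not hmac.compare_digest(_mac(user, ts), mac):
        return False
    current = int(time.time() if now is None else now)
    return 0 <= current - ts <= TOKEN_TIMEOUT

def uid_for_url(user: User) -> str:
    # The uidb64 part of the URL is just the primary key, urlsafe-base64 encoded
    # without padding. It identifies the account; it is not a secret.
    return base64.urlsafe_b64encode(str(user.pk).encode()).decode().rstrip("=")

def build_reset_path(user: User, now: Optional[int] = None) -> str:
    return f"/password-reset-confirm/{uid_for_url(user)}/{make_token(user, now)}/"

def demo() -> dict:
    """Walk through the cases a reset link must and must not pass (constructed data)."""
    alice = User(pk=7, email="alice@example.com", password="pbkdf2_sha256$old-hash",
                 last_login=1_700_000_000)
    issued = 1_700_000_100                    # constructed issue time
    link = build_reset_path(alice, now=issued)
    token = link.rstrip("/").rsplit("/", 1)[-1]
    results = {}
    results["fresh"] = check_token(alice, token, now=issued + 60)
    # Knowing the uid (easy to guess: it's a small integer) is not enough.
    results["uid_only_guess"] = check_token(alice, "1-0000000000", now=issued + 60)
    # Any change to the MAC part is rejected.
    flipped = token[:-1] + ("0" if token[-1] != "0" else "1")
    results["tampered"] = check_token(alice, flipped, now=issued + 60)
    # Old links stop working.
    results["expired"] = check_token(alice, token, now=issued + TOKEN_TIMEOUT + 1)
    # Once the reset is used, the stored hash changes, so the same link is single-use.
    alice.password = "pbkdf2_sha256$new-hash"
    results["replayed_after_use"] = check_token(alice, token, now=issued + 60)
    return results

if __name__ == "__main__":
    print(build_reset_path(User(7, "alice@example.com", "pbkdf2_sha256$old-hash", 1_700_000_000),
                           now=1_700_000_100))
    print(demo())
```

The point this makes concrete: the email delivers the link, which proves the requester can read that mailbox, but the confirm page receives only an HTTP request with a uid and a token. The uid is guessable, so without the token anyone could open `/password-reset-confirm/<uid>/` and set a new password for that account. The keyed MAC is what ties the request back to a reset the server really issued, for that user, while their password hash was still the old one, within the timeout.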
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
