env: fastapi_users[sqlalchemy] v14.0.1
python: 3.11.11
from fastapi_users/manager.py:

```python
async def forgot_password(
    self, user: models.UP, request: Optional[Request] = None
) -> None:
    """
    Start a forgot password request.

    Triggers the on_after_forgot_password handler on success.

    :param user: The user that forgot its password.
    :param request: Optional FastAPI request that
    triggered the operation, defaults to None.
    :raises UserInactive: The user is inactive.
    """
    if not user.is_active:
        raise exceptions.UserInactive()

    token_data = {
        "sub": str(user.id),
        "password_fgpt": self.password_helper.hash(user.hashed_password),
        "aud": self.reset_password_token_audience,
    }
    token = generate_jwt(
        token_data,
        self.reset_password_token_secret,
        self.reset_password_token_lifetime_seconds,
    )
    await self.on_after_forgot_password(user, token, request)
```
Description
Currently, the generate_jwt function in the password reset flow hardcodes HS256 as the JWT algorithm (JWT_ALGORITHM = "HS256"). This lacks flexibility and prevents users from choosing more secure alternatives like RS256.
Problem Location
fastapi_users/manager.py (forgot_password/generate_jwt)
All JWT generation that relies on the hardcoded algorithm
Current Behavior
Always uses HS256 with no option to override:

```python
token = generate_jwt(token_data, secret, lifetime_seconds)
```

Expected Behavior
Should allow algorithm customization via:

```python
token = generate_jwt(
    token_data,
    secret,
    lifetime_seconds,
    algorithm=configurable_algorithm  # New parameter
)
```
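What the requested parameter looks like end to end, as an added example that is not fastapi-users' code: a stand-in `generate_jwt` with an `algorithm` argument (HS256 default, HS384/HS512 via the standard library; the real helper delegates to PyJWT, which is not used here), beside the verifying side, which pins the algorithms it accepts instead of trusting the token header. The audience string and secret are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Stand-in for the library helper: only the HMAC family, standard library only.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_jwt(data: dict, secret: str, lifetime_seconds: int,
                 algorithm: str = "HS256") -> str:
    """The issue's proposal: algorithm is a parameter, HS256 stays the default."""
    if algorithm not in HMAC_ALGS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    payload = dict(data, exp=int(time.time()) + lifetime_seconds)
    header = {"alg": algorithm, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), HMAC_ALGS[algorithm]).digest()
    return signing_input + "." + _b64url(sig)

def decode_jwt(token: str, secret: str, audience: str, algorithms: list[str]) -> dict:
    """Verifier side: the caller pins the allowed algorithms; the header's alg is
    only accepted if it is in that allowlist (so 'none' or a surprise alg is rejected)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg not in algorithms or alg not in HMAC_ALGS:
        raise ValueError(f"algorithm {alg!r} not allowed")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("aud") != audience:
        raise ValueError("wrong audience")
    if payload.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return payload

def is_valid(token: str, secret: str, audience: str, algorithms: list[str]) -> bool:
    """Convenience wrapper: True if decode_jwt accepts the token, False otherwise."""
    try:
        decode_jwt(token, secret, audience, algorithms)
        return True
    except ValueError:
        return False
```

A token minted with HS512 is only accepted by a verifier whose allowlist names HS512; the same token fails against a verifier pinned to HS256 even though the secret matches.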