Opened 8 years ago

Closed 7 years ago

#624 closed enhancement (fixed)

Consider using itsdangerous for mail tokens.

Reported by: Elrond
Owned by:
Priority: minor
Milestone: 0.5.0
Component: programming
Keywords: bitesized
Cc: Christopher Allan Webber
Parent Tickets:

Description

itsdangerous is an interesting package to use crypto to stop us using local storage for things.

There are two major use cases:

  1. For verification tokens in the emails.
  2. For sessions.

The tokens are quite easy. I have a "proof of concept" branch at elrond/itsdangerous. The sessions aren't too complex either, but need some more thinking and some decisions.

We need to make up our mind: Do we want this?

Note: #580 might be related, because we are considering dropping beaker.

Subtickets

Change History (14)

comment:1 Changed 8 years ago by Elrond

Okay, some notes on my branch:

I have stopped working on it for now.
If someone wants to continue on this:

  • Need to implement this also for the forgot password thing.
  • Need to drop all the unneeded columns from the db
  • Need harder permissions on the secrets file.
  • Cleanup expiration times
  • Make sure the testsuite works.

All of this is probably quite easy, so if you want to consider it, talk to me.

Last edited 8 years ago by Elrond

comment:2 Changed 8 years ago by Elrond

Keywords: review added
Owner: set to Christopher Allan Webber
Status: new → assigned

Okay, I have reworked my branch (rebased, force updated).

It currently only contains the basic infrastructure for itsdangerous.

This is needed for #668, so please review for merging.

Please do not close after merging, because I still have the itsdangerous based email tokens in a local branch and we likely want those too or should discuss that.

comment:3 Changed 8 years ago by Christopher Allan Webber

Owner: changed from Christopher Allan Webber to Elrond

So, the elrond + bretts itsdangerous main branch has been merged. I'm passing this back to Elrond; I think the email tokens stuff is next to get this ticket wrapped up.

comment:4 Changed 8 years ago by Christopher Allan Webber

Keywords: review removed

Removing review keyword for now.

comment:5 Changed 8 years ago by Elrond

Keywords: bitesized added
Milestone: 0.4.0
Owner: Elrond deleted
Priority: major → minor

I have a local, quick and dirty implementation of the email tokens.

If someone (hey, this is quite easy, maybe bitesized?) wants to improve my work (I think I posted some notes above) and port this for forget password tokens, ping me and I'll post my branch somewhere public (and nicely rebased).

I'm tagging this bitesized, because we could need some bitesized tasks currently.

comment:6 Changed 8 years ago by bukosabino

itsdangerous is working for verification tokens in emails (register and forgot password), without saving the token in the user.verification_key, user.fp_verification_key and user.fp_token_expire fields.

I need to debate with Elrond how to implement itsdangerous in sessions.
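The stateless mail-token idea discussed in this ticket, as an added example that is not part of the ticket, not MediaGoblin's code and not itsdangerous's token format: a standard-library HMAC sketch covering the points raised above (no token columns in the db, expiry checked from the token itself, separate purposes for email verification and forgot password, owner-only permissions on the secrets file). The function names, purpose strings and key path are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, stat, tempfile, time

def load_secret(path):
    """Read the signing key, creating it with owner-only (0600) permissions."""
    if not os.path.exists(path):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(32))
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path} is accessible by group/other")
    with open(path, "rb") as f:
        return f.read()

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(secret, purpose, body):
    # Per-purpose key: a "verify-email" token never validates as "forgot-password".
    key = hmac.new(secret, purpose.encode(), hashlib.sha256).digest()
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def make_token(secret, purpose, user_id, now=None):
    """Nothing is stored server-side; the issue time travels inside the token."""
    payload = {"uid": user_id, "iat": int(time.time() if now is None else now)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + _mac(secret, purpose, body)

def check_token(secret, purpose, token, max_age, now=None):
    """Return the user id, or None if forged, wrong-purpose or expired."""
    body, sep, sig = token.partition(".")
    expected = _mac(secret, purpose, body)
    if not sep or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    # Only decoded after the MAC check, so the body is one we produced.
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    age = (time.time() if now is None else now) - payload["iat"]
    return payload["uid"] if 0 <= age <= max_age else None

def demo():
    with tempfile.TemporaryDirectory() as d:
        secret = load_secret(os.path.join(d, "token.key"))  # constructed path
    tok = make_token(secret, "verify-email", 42, now=1000)  # constructed user id
    return {
        "ok": check_token(secret, "verify-email", tok, 3600, now=1500),
        "expired": check_token(secret, "verify-email", tok, 3600, now=9000),
        "wrong_purpose": check_token(secret, "forgot-password", tok, 3600, now=1500),
        "tampered": check_token(secret, "verify-email", "x" + tok, 3600, now=1500),
    }
```

A token built this way stays valid until it expires, so a forgot-password token needs a short `max_age` or an extra value in the payload that changes once the password is reset.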

comment:7 Changed 7 years ago by Christopher Allan Webber

Status: assigned → accepted

We're using this for sessions, but I guess not verification tokens? Should that be its own ticket? Should this be closed out?

comment:8 Changed 7 years ago by Elrond

Hi bukosabino,

sessions are done by now!

Where's your work on forget password, etc?

comment:9 Changed 7 years ago by Elrond

Hi Chris,

I think this ticket has become the "itsdangerous for mails" ticket. I hope we have another one for the sessions? I thought so?

comment:10 Changed 7 years ago by Elrond

Summary: Consider using itsdangerous for some things. → Consider using itsdangerous for mail tokens.

#624 is about sessions.

comment:11 Changed 7 years ago by rodney757

Owner: set to rodney757
Status: accepted → in_progress

comment:12 Changed 7 years ago by rodney757

Owner: rodney757 deleted
Status: in_progress → review
Last edited 7 years ago by rodney757

comment:13 Changed 7 years ago by rodney757

When merged, can close #107 as well.

comment:14 Changed 7 years ago by Christopher Allan Webber

Milestone: 0.4.1
Resolution: fixed
Status: review → closed

Top notch work, Rodney! Everything in this branch seems really well done.

I've merged this. Thanks for your hard work on it!
