Opened 11 years ago

Closed 11 years ago

#624 closed enhancement (fixed)

Consider using itsdangerous for mail tokens.

Reported by: Elrond Owned by:
Priority: minor Milestone: 0.5.0
Component: programming Keywords: bitesized
Cc: Christopher Allan Webber Parent Tickets:


itsdangerous is an interesting package to use crypto to stop us using local storage for things.

There are two major use cases:

  1. For verification tokens in the emails.
  2. For sessions.

the tokens are quite easy. I have a "proof of concept" branch at elrond/itsdangerous. The sessions aren't too complex either, but need some more thinking and some decisions.

We need to make up our mind: Do we want this?

Note: #580 might be related, because we are considering to drop beaker.

Change History (14)

comment:1 by Elrond, 11 years ago

Okay, some notes on my branch:

I have stopped working on it for now.
If someone wants to continue on this:

  • Need to implement this also for the forgot password thing.
  • Need to drop all the unneeded columns from the db
  • Need harder permissions on the secrets file.
  • Cleanup expiration times
  • Make sure the testsuite works.

All of this is probably quite easy, so if you want to consider it, talk to me.

Last edited 11 years ago by Elrond (previous) (diff)

comment:2 by Elrond, 11 years ago

Keywords: review added
Owner: set to Christopher Allan Webber
Status: newassigned

Okay, I have reworked my branch (rebased, force updated).

It currently only contains the basic infrastructure for itsdangerous.

This is needed for #668, so please review for merging.

Please do not close after merging, because I still have the itsdangerous based email tokens in a local branch and we likely want those too or should discuss that.

comment:3 by Christopher Allan Webber, 11 years ago

Owner: changed from Christopher Allan Webber to Elrond

So, the elrond + bretts itsdangerous main branch has been merged. I'm passing this back to Elrond; I think the email tokens stuff is next to get this ticket wrapped up.

comment:4 by Christopher Allan Webber, 11 years ago

Keywords: review removed

Removing review keyword for now.

comment:5 by Elrond, 11 years ago

Keywords: bitesized added
Milestone: 0.4.0
Owner: Elrond removed
Priority: majorminor

I have a local, quick and dirty implementation of the email tokens.

If someone (hey, this is quite easy, maybe bitesized?) wants to improve my work (I think, I posted some notes above) and port this for forget password tokens, ping me and I'll post my branch somewhere public (and nicely rebased).

I'm tagging this bitesized, because we could need some bitesized tasks currently.

comment:6 by bukosabino, 11 years ago

itsdangerous is worked for verifications tokens in emails (register and forgot password), without saving the token in user.verification_key, user.fp_verification_key and user.fp_token_expire fields.

I need to debate with Elrond how implements itsdangerous in sessions.

comment:7 by Christopher Allan Webber, 11 years ago

Status: assignedaccepted

We're using this for sessions, but I guess not verification tokens? Should that be its own ticket? Should this be closed out?

comment:8 by Elrond, 11 years ago

Hi bukosabino,

sessions are done by now!

Where's your work on forget password, etc?

comment:9 by Elrond, 11 years ago

Hi Chris,

I think, this ticket has become the "itsdangerous for mails" ticket. I hope we have another one for the sessions? I thought so?

comment:10 by Elrond, 11 years ago

Summary: Consider using itsdangerous for some things.Consider using itsdangerous for mail tokens.

#624 is about sessions.

comment:11 by rodney757, 11 years ago

Owner: set to rodney757
Status: acceptedin_progress

comment:12 by rodney757, 11 years ago

Owner: rodney757 removed
Status: in_progressreview
Last edited 11 years ago by rodney757 (previous) (diff)

comment:13 by rodney757, 11 years ago

When merged can close #107 as well

comment:14 by Christopher Allan Webber, 11 years ago

Milestone: 0.4.1
Resolution: fixed
Status: reviewclosed

Top notch work, Rodney! Everything in this branch seems really well done.

I've merged this. Thanks for your hard work on it!

Note: See TracTickets for help on using tickets.