Re: [pylons-discuss] feedback on Supabase auth sample app for Pyramid

2023-11-30 Thread Jonathan Vanasco
Wow. This looks great. I wish I knew about it sooner.

Digging into the code, there was a PR to split things out and support JSON 
serialization – however there are no unit tests covering this or docs for 
it.  @Delta do you know of any public examples of this usage?  If so I'd be 
happy to play around with it and generate a PR for unit tests.

I often manually generate and read encrypted cookies, which can be a 
chore.  This would be incredibly useful to me in a few projects.

On Thursday, November 30, 2023 at 2:48:03 PM UTC-5 Delta Regeer wrote:

> Use 
> https://docs.pylonsproject.org/projects/pyramid-nacl-session/en/latest/usage.html
>
> It encrypts the session that is stored in the cookie with NaCl. No longer 
> is the content of the cookie something that an attacker can read/do 
> anything with.
>
>
> On Nov 28, 2023, at 12:12, Scott Lawton  wrote:
>
> Some followup:
> - 
> https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/sessions.html 
> has a big section in red: 'By default the SignedCookieSessionFactory() 
> implementation contains the following security concerns:
>
> ... which seems to argue against session, but maybe doesn't apply to 
> access/refresh tokens? And/or maybe setting the cookie like we do isn't any 
> better?
>
> We also tried to follow 
> https://docs.pylonsproject.org/projects/pyramid/en/latest/whatsnew-2.0.html#upgrading-auth-20
> ... but not sure we did so correctly. That's what we're looking for 
> feedback on!
>
> Scott
>
> -- 
> You received this message because you are subscribed to the Google Groups 
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to pylons-discus...@googlegroups.com.
>
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/pylons-discuss/2dedd1e5-cffc-45c4-84b6-ebb142a68368n%40googlegroups.com
>  
> 
> .
>
>
>



Re: [pylons-discuss] feedback on Supabase auth sample app for Pyramid

2023-11-30 Thread Delta Regeer
Use 
https://docs.pylonsproject.org/projects/pyramid-nacl-session/en/latest/usage.html

It encrypts the session that is stored in the cookie with NaCl. No longer is the 
content of the cookie something that an attacker can read/do anything with.


> On Nov 28, 2023, at 12:12, Scott Lawton  wrote:
> 
> Some followup:
> - 
> https://docs.pylonsproject.org/projects/pyramid/en/latest/narr/sessions.html 
> has a big section in red: 'By default the SignedCookieSessionFactory() 
> implementation contains the following security concerns:
> 
> ... which seems to argue against session, but maybe doesn't apply to 
> access/refresh tokens? And/or maybe setting the cookie like we do isn't any 
> better?
> 
> We also tried to follow 
> https://docs.pylonsproject.org/projects/pyramid/en/latest/whatsnew-2.0.html#upgrading-auth-20
> ... but not sure we did so correctly. That's what we're looking for feedback on!
> 
> Scott
> 
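An added illustration of the point Delta is making, not code from Pyramid or pyramid_nacl_session: a signed cookie authenticates its contents but does not hide them. The snippet is a simplified stand-in for a signed-cookie session (JSON body, base64, HMAC-SHA256; Pyramid's real SignedCookieSessionFactory serializes differently), with a constructed secret and a constructed payload. peek_payload recovers the session data with no key at all, which is what an encrypted (NaCl secretbox) cookie prevents, while verify_cookie shows that the signature still rejects a modified body.

```python
"""Why a signed cookie is not a confidential cookie (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed secret for the demonstration only; a deployment loads this from
# configuration, never from the repository.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_body(payload: dict) -> str:
    # sort_keys makes the encoding deterministic, so the same payload always
    # produces the same body and therefore the same MAC.
    return _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())


def sign_cookie(payload: dict, secret: bytes = SECRET) -> str:
    """Serialize `payload` and append an HMAC over the encoded body."""
    body = _encode_body(payload)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, secret: bytes = SECRET):
    """Return the payload if the signature is valid, otherwise None."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # no separator: not one of our cookies
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(_b64d(body))


def peek_payload(cookie: str) -> dict:
    """Decode the body WITHOUT the secret.

    Anyone holding the cookie (the browser, a proxy log, a stolen backup) can
    do this, which is why access/refresh tokens do not belong in a cookie that
    is only signed.
    """
    body = cookie.rsplit(".", 1)[0]
    return json.loads(_b64d(body))


def rewrite_body(cookie: str, **changes) -> str:
    """Re-encode the body with changed fields but keep the old MAC.

    Used only to show that verify_cookie rejects a modified cookie.
    """
    body, tag = cookie.rsplit(".", 1)
    payload = json.loads(_b64d(body))
    payload.update(changes)
    return f"{_encode_body(payload)}.{tag}"


if __name__ == "__main__":
    cookie = sign_cookie({"access_token": "constructed-token", "user": "alice"})
    print("readable without the key:", peek_payload(cookie))
    print("valid:", verify_cookie(cookie) is not None)
    print("modified body accepted:", verify_cookie(rewrite_body(cookie, user="admin")) is not None)
```

The integrity half of this is exactly what Pyramid's signed-cookie factory gives you; the confidentiality half is the gap that pyramid_nacl_session closes by encrypting the body before it goes into the cookie.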


Re: [pylons-discuss] feedback on Supabase auth sample app for Pyramid

2023-11-30 Thread Jonathan Vanasco
> Any suggestions for 1-3 simple examples? Ideally with only Python 
dependencies -- I'd rather not add Redis, MongoDB etc. since we already 
have Supabase.

Aside from beaker, no.  I maintain `pyramid_session_redis` and - as long as 
you disable redis administration - it is relatively insignificant on a 
server that has available memory.  Unless you have very high traffic and 
require more memory, running Redis with a 100MB limit is pretty 
insignificant.  

If you do use pyramid_beaker, I strongly suggest having it save to a 
dedicated disk partition so that it does not overrun your server, which can 
lead to downtime.

While there are memory backed options, there are two drawbacks for this:
* sessions do not persist across server or application restarts
* you can run into complications with forking servers

> Looks like there are enough docs available for us to proceed. Still, if 
anyone knows of a sample app that includes that + oauth, would be great to 
see. (I learn more from examples than from docs.)

I also maintain pyramid_oauthlib_lowlevel

 https://github.com/jvanasco/pyramid_oauthlib_lowlevel

The test suites have fully functional pyramid applications for oauth 1 and 
oauth 2 flows, each of which mimic how a consumer server and provider 
server will work with one another.




On Thursday, November 30, 2023 at 1:04:12 PM UTC-5 Scott Lawton wrote:

> Thanks for the link and the 'second' that it's still a practical solution; 
> I was a bit hesitant given that it's 10 years old: 0.8 (2013-06-28).
>
> Looks like there are enough docs available for us to proceed. Still, if 
> anyone knows of a sample app that includes that + oauth, would be great to 
> see. (I learn more from examples than from docs.)
>
> Scott
>



Re: [pylons-discuss] feedback on Supabase auth sample app for Pyramid

2023-11-30 Thread Scott Lawton
Thanks for the link and the 'second' that it's still a practical solution; 
I was a bit hesitant given that it's 10 years old: 0.8 (2013-06-28).

Looks like there are enough docs available for us to proceed. Still, if 
anyone knows of a sample app that includes that + oauth, would be great to 
see. (I learn more from examples than from docs.)

Scott



Re: [pylons-discuss] Display query and result on the same page

2023-11-30 Thread Oberdan Santos
Hi Mike. I tried many things, including some beyond your tip, but I can't make 
any progress. I think it's something simple. Attached is my last attempt. 
If you can help, I would appreciate it.

On Thursday, November 23, 2023 at 18:26:37 UTC-3, Mike Orr 
wrote:

> On Thu, Nov 23, 2023 at 11:50 AM Oberdan Santos  
> wrote:
> >
> > You should note in the subject statement that in addition to the query, 
> I have the problem of the result being published on another page.
> > query page code
> > # templates/pac_recepx.jinja2
> >
> > 
> > 
> > Consultar cadastro do 
> paciente
> > 
> > http://localhost:6543/queryx; method="GET">
> > Digite o CPF (11 números)
> >  required maxlength="11" value=''>
> >  type="submit">Consultar
> > 
> > 
> >
> > The result is going to...
> > action="http://localhost:6543/queryx
> >
> > How do I take this result to the same page as the query 
> (templates/pac_recepx.jinja2), that is, place it below the query?
>
> There are two approaches.
>
> SERVER-SIDE ONLY:
>
> Remove the form `action` attribute. The form will post back to the
> same view that contained the form. In the view, add an `if` stanza to
> distinguish whether there's form input or not:
>
> ```
> cpf = request.params.get("cpf", "")  # User input, or "" if no input.
> error = ""  # Validation error message, or None if no error.
> rows = None  # Result rows, or None if no valid input, or [] if valid input but zero results.
> if cpf:  # If value is not "" or None.
>     if CPF_IS_VALID:
>         rows = request.dbsession...
>     else:
>         error = "Input is invalid."
> return {"cpf": cpf, "error": error, "rows": rows}
> ```
>
> Then your template might always show the form, but only show the
> results section if there was input, and only show the results table if
> there was at least one result, and only show the error message if
> there was a user error. I use Mako templating so I'll write it that
> way.
>
> ```
> ## page.mako
> % if error:
>     ${error}
> % endif
>
> % if results is not None: # If there was valid user input.
>     Results
>     % if results: # If there was at least one result.
>         Header...
>         % for r in results:
>             ...
>         % endfor
>     % else: # Else there were zero results.
>         No results.
>     % endif
> % endif
> ```
>
> CLIENT-SIDE ALTERNATIVE:
>
> Write Javascript to intercept the Submit click. Send an AJAX request
> to the server to get the results in a JSON array. Use Javascript to
> populate the results table. That's beyond the scope of this mailing
> list. In this case you'd have a view that processes the AJAX request
> and converts the rows list to JSON before returning it.
>

//templates/pac_recepx.jinja2   # main query file

{% extends "basefull.jinja2" %}

{% block container %}




UF: Maranhão
REG_SAUDE: São Luis
MUN: São Luis
UBS: São Francisco


date = new Date();
year = date.getFullYear();
month = date.getMonth() + 1;
day = date.getDate();
document.getElementById("current_date").innerHTML = day + "/" + month + "/" + year;









Consultar cadastro do 
paciente

http://localhost:6543/queryx; method="GET" id="consultaForm">
Digite o CPF (11 números)

Consultar







{% for Paciente in pacientes %}

{{ Paciente.id }} {{ Paciente.name }} 
{{ Paciente.idade }} {{ Paciente.data_nascimento }} {{ 
Paciente.sexo }}
{{ Paciente.raca }} {{ Paciente.fone }} 
{{ Paciente.endereco }} {{ Paciente.cpf }} {{ 
Paciente.cns }}
edit
delete

{% endfor %}





function consultarCPF() {
    var cpf = document.getElementById("cpf").value;
    if (cpf !== "") {
        // Make the request to fetch the patients with this CPF
        $.ajax({
            type: "GET",
            url: "http://localhost:6543/queryx", // Your query URL
            data: { cpf: cpf },
            success: function (data) {
                // Update the patients table with the query result
                $('#pacientesTable tbody').empty(); // Clear the table
                if (data.pacientes.length > 
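An added worked version of Mike Orr's server-side approach (not code from the thread's application or from Pyramid): one handler serves both the empty form and the results, and only validated input reaches the database. The view logic is written as a plain function over the request parameters and a lookup callable so it runs without Pyramid; in the real app it would be the body of the view that renders pac_recepx.jinja2, with `lookup` wrapping request.dbsession. The CPF_IS_VALID placeholder from the outline is filled in with the standard 11-digit check-digit rule; the patient table is constructed in memory for the example.

```python
"""Server-side form handling with CPF validation (added example)."""
import re

_ELEVEN_DIGITS = re.compile(r"^[0-9]{11}$")


def cpf_is_valid(cpf: str) -> bool:
    """Return True if `cpf` is 11 digits whose two check digits are correct."""
    if not _ELEVEN_DIGITS.match(cpf) or len(set(cpf)) == 1:
        # wrong length/characters, or a repeated digit such as 11111111111,
        # which passes the arithmetic but is never issued
        return False
    digits = [int(ch) for ch in cpf]

    def check_digit(prefix):
        # weights run from len(prefix)+1 down to 2; remainder < 2 gives 0
        total = sum(d * w for d, w in zip(prefix, range(len(prefix) + 1, 1, -1)))
        r = total % 11
        return 0 if r < 2 else 11 - r

    return (check_digit(digits[:9]) == digits[9]
            and check_digit(digits[:10]) == digits[10])


def handle_query(params: dict, lookup) -> dict:
    """The `if` stanza from the outline, returning the template context."""
    cpf = params.get("cpf", "").strip()   # user input, or "" if no input
    error = ""                            # validation error message, if any
    rows = None                           # None: nothing to show; []: no match
    if cpf:
        if cpf_is_valid(cpf):
            rows = lookup(cpf)            # only validated input hits the database
        else:
            error = "Input is invalid."
    return {"cpf": cpf, "error": error, "rows": rows}


# Constructed in-memory "table" standing in for request.dbsession.
PACIENTES = [
    {"id": 1, "name": "Constructed Patient", "cpf": "52998224725"},
]


def lookup_pacientes(cpf: str) -> list:
    """Stand-in for the database query; returns matching patient rows."""
    return [p for p in PACIENTES if p["cpf"] == cpf]


if __name__ == "__main__":
    for query in ({}, {"cpf": "52998224725"}, {"cpf": "12345678901"}):
        print(query, "->", handle_query(query, lookup_pacientes))
```

The template then renders the form unconditionally and the results block only when `rows` is not None, as in the Mako sketch; because the form posts back to the same view, the results land on the same page.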

Re: [pylons-discuss] feedback on Supabase auth sample app for Pyramid

2023-11-30 Thread tonthon

The following line can be added to a cron task to clean up old sessions:

find //beaker/sessions/ -type f -mtime +3 -print -exec rm {} \; 
> /dev/null 2>&1


On 30/11/2023 at 17:31, Mike Orr wrote:

A second for 'pyramid_beaker'. It doesn't get much attention nowadays
but Beaker still works and is getting updates. It has backends to
store sessions in files, Redis, SQLAlchemy, cookie-only, and others. I
have two production applications on it. One because one developer's
workstation doesn't have Redis, so she uses file-based sessions. The
other because it's both a traditional website and is also bundled into
Windows/Mac desktop applications (using Electron with an embedded
browser) so Redis isn't available there. I think the desktop mode uses
memory-based sessions because it's a single thread talking to it.

One thing to keep in mind: Beaker doesn't clean up abandoned session
files so they accumulate until manually purged.
'pyramid_session_redis' and 'pyramid_redis_sessions' have an option to
use Redis's auto-expire feature to automatically delete sessions that
haven't been updated for a while.

On Thu, Nov 30, 2023 at 5:13 AM tonthon  wrote:

pyramid_beaker is, as far as I know, only Python based (stores sessions on disk)

https://pypi.org/project/pyramid_beaker/

We have been using it extensively for years now without any trouble.


On 30/11/2023 at 13:14, Scott Lawton wrote:

Thanks so much!


For this type of data, at a minimum, calls to request.response.set_cookie 
should contain `httponly=True` and `secure=True`; the app should also be under 
https only. If I understand how your system uses these credentials correctly, 
`samesite=strict` should also be added.

Makes sense. (Yes, we deploy sites behind https.)



Store in a Server-Side session.  There are many projects in the pyramid 
ecosystem for this.

Any suggestions for 1-3 simple examples? Ideally with only Python dependencies 
-- I'd rather not add Redis, MongoDB etc. since we already have Supabase.

Scott







Re: [pylons-discuss] feedback on Supabase auth sample app for Pyramid

2023-11-30 Thread Mike Orr
A second for 'pyramid_beaker'. It doesn't get much attention nowadays
but Beaker still works and is getting updates. It has backends to
store sessions in files, Redis, SQLAlchemy, cookie-only, and others. I
have two production applications on it. One because one developer's
workstation doesn't have Redis, so she uses file-based sessions. The
other because it's both a traditional website and is also bundled into
Windows/Mac desktop applications (using Electron with an embedded
browser) so Redis isn't available there. I think the desktop mode uses
memory-based sessions because it's a single thread talking to it.

One thing to keep in mind: Beaker doesn't clean up abandoned session
files so they accumulate until manually purged.
'pyramid_session_redis' and 'pyramid_redis_sessions' have an option to
use Redis's auto-expire feature to automatically delete sessions that
haven't been updated for a while.

On Thu, Nov 30, 2023 at 5:13 AM tonthon  wrote:
>
> pyramid_beaker is, as far as I know, only Python based (stores sessions on disk)
>
> https://pypi.org/project/pyramid_beaker/
>
> We have been using it extensively for years now without any trouble.
>
>
> On 30/11/2023 at 13:14, Scott Lawton wrote:
>
> Thanks so much!
>
> > For this type of data, at a minimum, calls to request.response.set_cookie 
> > should contain `httponly=True` and `secure=True`; the app should also be 
> > under https only. If I understand how your system uses these credentials 
> > correctly, `samesite=strict` should also be added.
>
> Makes sense. (Yes, we deploy sites behind https.)
>
>
> > Store in a Server-Side session.  There are many projects in the pyramid 
> > ecosystem for this.
>
> Any suggestions for 1-3 simple examples? Ideally with only Python 
> dependencies -- I'd rather not add Redis, MongoDB etc. since we already have 
> Supabase.
>
> Scott



-- 
Mike Orr 



Re: [pylons-discuss] feedback on Supabase auth sample app for Pyramid

2023-11-30 Thread tonthon

pyramid_beaker is, as far as I know, only Python based (stores sessions on disk)

https://pypi.org/project/pyramid_beaker/

We have been using it extensively for years now without any trouble.


On 30/11/2023 at 13:14, Scott Lawton wrote:

Thanks so much!

> For this type of data, at a minimum, calls to 
request.response.set_cookie should contain `httponly=True` and 
`secure=True`; the app should also be under https only. If I 
understand how your system uses these credentials correctly, 
`samesite=strict` should also be added.


Makes sense. (Yes, we deploy sites behind https.)


> Store in a Server-Side session.  There are many projects in the 
pyramid ecosystem for this.


Any suggestions for 1-3 simple examples? Ideally with only Python 
dependencies -- I'd rather not add Redis, MongoDB etc. since we 
already have Supabase.


Scott


Re: [pylons-discuss] feedback on Supabase auth sample app for Pyramid

2023-11-30 Thread Scott Lawton
Thanks so much!

> For this type of data, at a minimum, calls to request.response.set_cookie 
should contain `httponly=True` and `secure=True`; the app should also be 
under https only. If I understand how your system uses these credentials 
correctly, `samesite=strict` should also be added.

Makes sense. (Yes, we deploy sites behind https.)


> Store in a Server-Side session.  There are many projects in the pyramid 
ecosystem for this.

Any suggestions for 1-3 simple examples? Ideally with only Python 
dependencies -- I'd rather not add Redis, MongoDB etc. since we already 
have Supabase.

Scott

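An added example for the cookie attributes quoted above (HttpOnly, Secure, SameSite); it is not code from the Supabase sample app. `hardened_cookie_header` builds, with the standard library only, the Set-Cookie value that Pyramid's `request.response.set_cookie(name, value, httponly=True, secure=True, samesite='Strict')` emits, and `audit_set_cookie` is a small checker to run over the Set-Cookie headers a deployment actually sends (copied from a browser's developer tools, for instance) to catch a credential cookie that is missing one of them. The cookie name and value are constructed.

```python
"""Build and audit credential-cookie attributes (added example)."""
from http.cookies import SimpleCookie


def hardened_cookie_header(name: str, value: str, path: str = "/") -> str:
    """Return the Set-Cookie header value for a credential cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True      # not readable from document.cookie
    jar[name]["secure"] = True        # only sent over https
    jar[name]["samesite"] = "Strict"  # not attached to cross-site requests
    # output() prefixes the header name; with header="" only the value remains
    return jar.output(header="").strip()


def _attributes(header: str) -> dict:
    """Map lower-cased attribute names to their values; flags map to ""."""
    attrs = {}
    for part in header.split(";")[1:]:  # [0] is name=value
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    return attrs


def audit_set_cookie(header: str) -> list:
    """Return the names of protections missing from a Set-Cookie value.

    SameSite=None is reported as missing too: for an access/refresh token it
    gives none of the cross-site protection the attribute exists for.
    """
    attrs = _attributes(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite", "none").lower() == "none":
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    good = hardened_cookie_header("access_token", "constructed-token")
    weak = "access_token=constructed-token; Path=/"   # constructed weak header
    print(good, "->", audit_set_cookie(good) or "ok")
    print(weak, "->", audit_set_cookie(weak))
```

Secure is only meaningful when the site is served over https, which is why the advice pairs the flag with an https-only deployment; HttpOnly keeps the token out of reach of injected script, and SameSite=Strict stops the browser attaching it to requests initiated from other origins.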