Hi,
Earlier in the year I announced the pythonpackages.com alpha[1] and
there was some helpful discussion in that thread about security. We are
now in beta and since then, I've
- totally abandoned the idea of using pypissh
- investigated using PyPI oauth[3], but gave up
- settled on saving users credentials in an encrypted session cookie[4]
While not ideal, I'm fairly happy with the fact that it works and is
"secure enough". However I'd very much appreciate some additional eyes
on the implementation. The (very simple) pyramid code is:
if 'submit' in request.POST:
username = request.POST['username']
password = request.POST['password']
cookieval = {'username': username, 'password': password}
request.session[config.COOKIE_PYPI] = cookieval
And the beta is available to anyone who signs up here:
http://pythonpackages.com/signup, then signs in with their GitHub
account. You can then go here:
- https://pythonpackages.com/manage/account/pypi
and fill in your PyPI credentials (or bogus credentials for testing)
then verify you cannot easily extract the account info from the
beaker.session.id cookie
Thanks for any feedback,
Alex
[1] http://mail.python.org/pipermail/catalog-sig/2012-January/004152.html
[2] http://pypi.python.org/pypi/pypissh/1.4
[3] https://bitbucket.org/loewis/pypi/changeset/b034fda5bef9
[4] http://beaker.readthedocs.org/en/latest/sessions.html#encryption
--
Alex Clark ยท http://pythonpackages.com/ONE_CLICK_RELEASE
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
