On 13.05.2011, at 07:33, Paul McMillan wrote:

> Baseconv is a clever bit of work. It should probably be using our full
> base64 charset. We could also shave some digits in the time-limited
> output there by subtracting from a more recent fixed value than the
> unix epoch, the way the password reset token code does.

The TimeStampSigner requires the seconds to correctly determine whether the
signature is still valid, so I'm not sure if that's a good idea. If you
have an idea to have both things, I'd appreciate any help.

> I'm not entirely happy with the way the salting works (or perhaps I've
> misunderstood it). It seems more appropriate to generate the salt (let
> the user specify the length) and store it with the string, the same
> way you do salted passwords. The way the interface is currently
> written, nobody will ever use a salt, or they'll try to use a static
> string as a salt (the existing docs get it wrong in exactly this way),
> which largely defeats the purpose. It would make more sense to be able
> to say "I want salt" the way you say "I want a timestamp".

Yeah, I agree the salt argument for the sign and unsign methods seems
a bit extensive, which is why I updated the code [1] to only have a
salt argument for initialization of the Signer class. Additionally it'll
generate a random salt if no salt is passed to __init__.

> Also, regarding the note about not echoing back the expected value
> even during debug (line 156 of signing.py):
> 
> Do it the same way as it is with the auth tokens, compute the expected
> value inline without assigning it to a variable.
> 
> http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/tokens.py#L34

Yeah, good point, I updated the code for that, too.

Jannis

1: http://code.djangoproject.com/attachment/ticket/12417/ticket12417-v6.diff
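Added illustration of the design points discussed in this thread (per-instance random salt, a timestamp that must round-trip to seconds for max_age, and an expected signature that is never bound to a local); this is constructed example code, not Django's signing.py or the patch. The key, the base-64 alphabet and all names are hypothetical, and hmac.compare_digest stands in for Django's constant_time_compare.

```python
import hashlib
import hmac
import os
import time

# Constructed example, not Django's code: an HMAC Signer with a per-instance
# salt and a TimeStampSigner enforcing max_age. Key and names are hypothetical.
SECRET = b"hypothetical-secret-key"
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_"

def int_to_b64(n):  # compact base-64 int encoding (the 'baseconv' idea)
    out = ""
    while True:
        n, r = divmod(n, 64)
        out = ALPHABET[r] + out
        if n == 0:
            return out

def b64_to_int(s):
    return sum(ALPHABET.index(c) * 64 ** i for i, c in enumerate(reversed(s)))


class Signer:
    def __init__(self, key=SECRET, salt=None, sep=":"):
        self.key, self.sep = key, sep
        self.salt = salt if salt is not None else os.urandom(16)  # random by default

    def signature(self, value):
        key = hashlib.sha256(self.salt + self.key).digest()  # bind the salt into the key
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

    def sign(self, value):
        return "%s%s%s" % (value, self.sep, self.signature(value))

    def unsign(self, signed):
        value, _, sig = signed.rpartition(self.sep)
        # Expected MAC computed inline, never bound to a local a debug page could dump.
        if not hmac.compare_digest(sig, self.signature(value)):
            raise ValueError("bad signature")
        return value


class TimeStampSigner(Signer):
    def sign(self, value):
        stamp = int_to_b64(int(time.time()))  # absolute seconds since the epoch
        return super().sign("%s%s%s" % (value, self.sep, stamp))

    def unsign(self, signed, max_age=None):
        value, _, stamp = super().unsign(signed).rpartition(self.sep)
        # max_age needs the absolute signing time back, so the stamp must decode to seconds.
        if max_age is not None and time.time() - b64_to_int(stamp) > max_age:
            raise ValueError("signature expired")
        return value
```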
