On 13.05.2011, at 07:33, Paul McMillan wrote:

> Baseconv is a clever bit of work. It should probably be using our full
> base64 charset. We could also shave some digits in the time-limited
> output there by subtracting from a more recent fixed value than the
> unix epoch, the way the password reset token code does.

The TimeStampSigner requires the seconds to correctly determine whether the signature is still valid, so I'm not sure if that's a good idea. If you have an idea to have both things, I'd appreciate any help.

> I'm not entirely happy with the way the salting works (or perhaps I've
> misunderstood it). It seems more appropriate to generate the salt (let
> the user specify the length) and store it with the string, the same
> way you do salted passwords. The way the interface is currently
> written, nobody will ever use a salt, or they'll try to use a static
> string as a salt (the existing docs get it wrong in exactly this way),
> which largely defeats the purpose. It would make more sense to be able
> to say "I want salt" the way you say "I want a timestamp".

Yeah, I agree the salt argument for the sign and unsign methods seems a bit extensive, which is why I updated the code [1] to only have a salt argument for initialization of the Signer class. Additionally it'll generate a random salt if no salt is passed to __init__.

> Also, regarding the note about not echoing back the expected value
> even during debug (line 156 of signing.py):
>
> Do it the same way as it is with the auth tokens, compute the expected
> value inline without assigning it to a variable.
>
> http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/tokens.py#L34

Yeah, good point, I updated the code for that, too.

Jannis

1: http://code.djangoproject.com/attachment/ticket/12417/ticket12417-v6.diff
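The pieces discussed in this message, put together as an added sketch (not Django's code and not the attached patch): a signer that takes its salt once at construction, stores the timestamp as base62-encoded whole seconds, and computes the expected signature inline inside a constant-time comparison. The names `DemoTimestampSigner`, `b62_encode` and `b62_decode`, the key derivation and the sample key are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def b62_encode(n):
    """Encode a non-negative integer in base62 (shorter than decimal)."""
    out = ""
    while True:
        n, r = divmod(n, 62)
        out = B62[r] + out
        if n == 0:
            return out

def b62_decode(s):
    n = 0
    for c in s:
        n = n * 62 + B62.index(c)
    return n

class DemoTimestampSigner:
    """Hypothetical signer: salt is given once, at construction."""

    def __init__(self, key, salt="", sep=":"):
        # The salt namespaces the key, so tokens signed for one purpose
        # do not verify under a signer built for another purpose.
        self.key = hashlib.sha256(salt.encode() + key).digest()
        self.sep = sep

    def _mac(self, text):
        return hmac.new(self.key, text.encode(), hashlib.sha256).hexdigest()

    def sign(self, value, now=None):
        ts = b62_encode(int(time.time() if now is None else now))
        stamped = f"{value}{self.sep}{ts}"
        return f"{stamped}{self.sep}{self._mac(stamped)}"

    def unsign(self, token, max_age, now=None):
        stamped, _, sig = token.rpartition(self.sep)
        # Expected MAC is computed inline, never bound to a local name that
        # a debug traceback could echo; the comparison is constant-time.
        if not hmac.compare_digest(sig.encode(), self._mac(stamped).encode()):
            raise ValueError("bad signature")
        value, _, ts = stamped.rpartition(self.sep)
        # The timestamp is trusted only after the MAC check above.
        if (time.time() if now is None else now) - b62_decode(ts) > max_age:
            raise ValueError("signature expired")
        return value
```
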
