Access Tokens in the query string seem insecure to me since they persist in server log files...
On 17.07.2015 07:55, Eduardo Dobay wrote:
> Hello all! I've been thinking of a way I could create an application-wide
> handler that would authenticate a user when a token is present in the query
> string (...?token=XXX). I ended up with two approaches and would like to know
> if either of them is preferred in Pyramid, or if there is any problem with the
> solutions I came up with. So here goes (at the end there's a link to a
> demonstration project I uploaded to Github):
>
> 1. Authentication via request handler and redirect
>
> Seems like the shortest code: a request handler checks for the `token` GET
> parameter and, having found it, pops it and emits a redirect to the same URL
> with that parameter removed, also saving the login cookie with `remember`.
> Seems good and simple, but an additional request is made due to the redirect.
> <https://github.com/edudobay/pyramid-auth-example/tree/9c3539406edf84ecda9585b4c19f4d38401eec44#authentication-via-custom-policy>
>
> 2. Authentication via custom policy
>
> To avoid this extra request, I ended up subclassing the default
> AuthTktAuthenticationPolicy and adding extra functionality that checks for the
> `token` parameter. In this check I add a callback that will use `remember` to
> include the necessary headers in the response. I needed to add a new field to
> the Request object — and I don't know if this is a good practice — to save the
> username (read from the token) allowing me to pop the `token` from the GET
> dictionary — otherwise the callback would be re-added every time the property
> is read.
>
> Concerning this added field, I found this example of @reify while searching
> through the discussion list, but not sure it suits my needs, or even if it
> does any improvement in my case...
> http://plope.com/static/pyramid_cookbook/authentication.html
>
> ---
> The demonstration:
> https://github.com/edudobay/pyramid-auth-example/tree/9c3539406edf84ecda9585b4c19f4d38401eec44
> ---
>
> Thanks so much!
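The redirect step of approach 1 from the quoted post, as an added example that is not code from the original thread or from the linked demonstration project: a framework-independent sketch that splits the `token` parameter off the URL (the stripped URL is the redirect target and the only form that should reach access logs, which is the reply's concern), verifies the token, and returns the username the caller would hand to Pyramid's `remember` before issuing the redirect. The token format (base64url username plus an HMAC-SHA256 tag) and the secret are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = b"constructed-demo-secret"  # constructed; load a real one from config

def make_token(username: str, secret: bytes = SECRET) -> str:
    """Mint a token of the assumed form base64url(username).hex(HMAC-SHA256)."""
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode().rstrip("=")
    mac = hmac.new(secret, user_b64.encode(), hashlib.sha256).hexdigest()
    return f"{user_b64}.{mac}"

def verify_token(token: str, secret: bytes = SECRET):
    """Return the username if the token's MAC verifies, else None."""
    try:
        user_b64, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, user_b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    padded = user_b64 + "=" * (-len(user_b64) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None

def strip_token(url: str):
    """Return (token_or_None, url_without_token). The second value is the
    redirect target and the only form that should reach access logs."""
    parts = urlsplit(url)
    token, kept = None, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "token" and token is None:
            token = value  # first token wins; duplicates are dropped
        else:
            kept.append((key, value))
    return token, urlunsplit(parts._replace(query=urlencode(kept)))

def handle_token_login(url: str, secret: bytes = SECRET):
    """Approach 1 as a pure function: (username_to_remember, redirect_url).
    redirect_url is None when no token was present (nothing to do). An invalid
    token still triggers the redirect so it does not linger in the URL, but
    username is None and the caller must not call remember() for it."""
    token, clean_url = strip_token(url)
    if token is None:
        return None, None
    return verify_token(token, secret), clean_url
```

In a Pyramid view the caller would call `remember(request, username)` only when the username is not None, attach those headers to an `HTTPFound` pointing at `redirect_url`, and log the stripped URL rather than the original one.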
