On 7/20/12 12:20 AM, Richard Jones wrote:
We implemented OAuth for you and crate.io. Why did you give up?
Perhaps "give up" is not the right description. I postponed until I can
figure it out, and went with an encrypted session cookie in the
meantime, hoping it would be safe enough and that users would go for it.
As for oauth, at least in my case, I'm looking for something that can be
implemented very simply e.g.:
- http://developer.github.com/v3/oauth/
(my implementation is done totally with requests)
IIUC, there are no docs for the PyPI implementation of oauth and it's
oauth1? (vs oauth2)? If it currently works similar to GitHub's
implementation, then I should take another look. If it doesn't, then we
should talk about the details.
Alex
Richard
On 20 July 2012 12:39, Alex Clark <[email protected]> wrote:
Hi,
Earlier in the year I announced the pythonpackages.com alpha[1] and there
was some helpful discussion in that thread about security. We are now in
beta and since then, I've
- totally abandoned the idea of using pypissh
- investigated using PyPI oauth[3], but gave up
- settled on saving users credentials in an encrypted session cookie[4]
While not ideal, I'm fairly happy with the fact that it works and is "secure
enough". However I'd very much appreciate some additional eyes on the
implementation. The (very simple) pyramid code is:
if 'submit' in request.POST:
username = request.POST['username']
password = request.POST['password']
cookieval = {'username': username, 'password': password}
request.session[config.COOKIE_PYPI] = cookieval
And the beta is available to anyone who signs up here:
http://pythonpackages.com/signup, then signs in with their GitHub account.
You can then go here:
- https://pythonpackages.com/manage/account/pypi
and fill in your PyPI credentials (or bogus credentials for testing) then
verify you cannot easily extract the account info from the beaker.session.id
cookie
Thanks for any feedback,
Alex
[1] http://mail.python.org/pipermail/catalog-sig/2012-January/004152.html
[2] http://pypi.python.org/pypi/pypissh/1.4
[3] https://bitbucket.org/loewis/pypi/changeset/b034fda5bef9
[4] http://beaker.readthedocs.org/en/latest/sessions.html#encryption
--
Alex Clark · http://pythonpackages.com/ONE_CLICK_RELEASE
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
--
Alex Clark · http://pythonpackages.com/ONE_CLICK_RELEASE
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
