[Repoze-dev] [issue155] Support encoding of cookies on repoze.who cookie plugin

2010-07-13 Thread Nuno Teixeira

New submission from Nuno Teixeira tei...@gmail.com:

I think that encoding cookie data could be useful. My use case is related to 
SQLAlchemy, which avoids the use of non-Unicode strings in queries.

--
files: r9728.diff
messages: 426
nosy: nteixeira
priority: feature
status: unread
title: Support encoding of cookies on repoze.who cookie plugin
topic: repoze.who

__
Repoze Bugs b...@bugs.repoze.org
http://bugs.repoze.org/issue155
__Index: repoze/who/plugins/cookie.py
===
--- repoze/who/plugins/cookie.py	(revision 9728)
+++ repoze/who/plugins/cookie.py	(working copy)
@@ -10,9 +10,10 @@
 
 implements(IIdentifier)
 
-def __init__(self, cookie_name, cookie_path='/'):
+def __init__(self, cookie_name, cookie_path='/', charset=None):
 self.cookie_name = cookie_name
 self.cookie_path = cookie_path
+self.charset = charset
 
 # IIdentifier
 def identify(self, environ):
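Review bot: `self.charset = charset` in `__init__` stores the codec name unchecked, so a misspelled value only surfaces as a `LookupError` when `identify` later calls `.decode(self.charset)` while handling a request. Resolve the name once at construction, for example with `codecs.lookup(charset)` when it is not `None`, and document the new argument.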
@@ -29,7 +30,11 @@
 
 try:
 login, password = auth.split(':', 1)
-return {'login':login, 'password':password}
+if self.charset is None:
+return {'login':login, 'password':password}
+else:
+return {'login': login.decode(self.charset),
+'password': password.decode(self.charset)}
 except ValueError: # not enough values to unpack
 return None
 
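Review bot: the two `.decode(self.charset)` calls in the `else` branch sit inside the `try` whose handler is commented `# not enough values to unpack`, and `UnicodeDecodeError` is a `ValueError` subclass, so a cookie whose bytes are invalid in the charset is turned into `None` by a handler documented for something else. Returning no identity for a malformed, client-supplied cookie is the right outcome, but make it explicit: extend the comment or catch `UnicodeDecodeError` by name, and add a test that feeds undecodable bytes.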
@@ -44,6 +49,8 @@
 def remember(self, environ, identity):
 cookie_value = '%(login)s:%(password)s' % identity
 cookie_value = cookie_value.encode('base64').rstrip()
+if self.charset:
+cookie_value = cookie_value.encode(self.charset)
 cookies = get_cookies(environ)
 existing = cookies.get(self.cookie_name)
 value = getattr(existing, 'value', None)
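Review bot: in `remember`, `cookie_value.encode(self.charset)` runs after `.encode('base64')`, which is the wrong order. When `identity` holds unicode values with non-ASCII characters, the `%` formatting yields a unicode string and the base64 step fails first, because Python 2 coerces it to ASCII; for ASCII input the added encode changes nothing. Encode the `login:password` string with the charset first and base64 the resulting bytes.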
@@ -57,7 +64,8 @@
 return '%s %s' % (self.__class__.__name__,
 id(self)) #pragma NO COVERAGE
 
-def make_plugin(cookie_name='repoze.who.plugins.cookie', cookie_path='/'):
-plugin = InsecureCookiePlugin(cookie_name, cookie_path)
+def make_plugin(cookie_name='repoze.who.plugins.cookie', cookie_path='/',
+charset=None):
+plugin = InsecureCookiePlugin(cookie_name, cookie_path, charset)
 return plugin
 
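Review bot: `make_plugin` passes `charset` straight through, and the two methods disagree on what an empty value means: `identify` tests `self.charset is None` while `remember` tests `if self.charset:`, so `charset=''` switches decoding on in one and encoding off in the other. Normalise an empty string to `None` here, use one test in both methods, and mention the new option wherever the factory's arguments are documented.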
___
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev


[Repoze-dev] [issue155] Support encoding of cookies on repoze.who cookie plugin

2010-07-13 Thread Nuno Teixeira

Nuno Teixeira tei...@gmail.com added the comment:

Added tests for full coverage

__
Repoze Bugs b...@bugs.repoze.org
http://bugs.repoze.org/issue155
__Index: repoze/who/plugins/cookie.py
===
--- repoze/who/plugins/cookie.py	(revision 9728)
+++ repoze/who/plugins/cookie.py	(working copy)
@@ -10,9 +10,10 @@
 
 implements(IIdentifier)
 
-def __init__(self, cookie_name, cookie_path='/'):
+def __init__(self, cookie_name, cookie_path='/', charset=None):
 self.cookie_name = cookie_name
 self.cookie_path = cookie_path
+self.charset = charset
 
 # IIdentifier
 def identify(self, environ):
@@ -29,7 +30,11 @@
 
 try:
 login, password = auth.split(':', 1)
-return {'login':login, 'password':password}
+if self.charset is None:
+return {'login':login, 'password':password}
+else:
+return {'login': login.decode(self.charset),
+'password': password.decode(self.charset)}
 except ValueError: # not enough values to unpack
 return None
 
@@ -44,6 +49,8 @@
 def remember(self, environ, identity):
 cookie_value = '%(login)s:%(password)s' % identity
 cookie_value = cookie_value.encode('base64').rstrip()
+if self.charset:
+cookie_value = cookie_value.encode(self.charset)
 cookies = get_cookies(environ)
 existing = cookies.get(self.cookie_name)
 value = getattr(existing, 'value', None)
@@ -57,7 +64,8 @@
 return '%s %s' % (self.__class__.__name__,
 id(self)) #pragma NO COVERAGE
 
-def make_plugin(cookie_name='repoze.who.plugins.cookie', cookie_path='/'):
-plugin = InsecureCookiePlugin(cookie_name, cookie_path)
+def make_plugin(cookie_name='repoze.who.plugins.cookie', cookie_path='/',
+charset=None):
+plugin = InsecureCookiePlugin(cookie_name, cookie_path, charset)
 return plugin
 
Index: repoze/who/plugins/tests/test_cookie.py
===
--- repoze/who/plugins/tests/test_cookie.py	(revision 9728)
+++ repoze/who/plugins/tests/test_cookie.py	(working copy)
@@ -49,6 +49,13 @@
 result = plugin.identify(environ)
 self.assertEqual(result, {'login':'foo', 'password':'password'})
 
+def test_identify_encoded(self):
+plugin = self._makeOne('oatmeal', charset='utf-8')
+auth = 'foo:password'.encode('base64').rstrip()
+environ = self._makeEnviron({'HTTP_COOKIE':'oatmeal=%s;' % auth})
+result = plugin.identify(environ)
+self.assertEqual(result, {'login':u'foo', 'password':u'password'})
+
 def test_remember_creds_same(self):
 plugin = self._makeOne('oatmeal')
 creds = {'login':'foo', 'password':'password'}
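Review bot: `test_identify_encoded` cannot fail when decoding is skipped, because in Python 2 `'foo' == u'foo'` and the `assertEqual` on the dict passes for byte strings as well. Assert the type too, for example `isinstance(result['login'], unicode)`, and use a non-ASCII login so that the charset actually matters.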
@@ -68,6 +75,15 @@
 expected = 'oatmeal=%s; Path=/;' % creds_auth
 self.assertEqual(result, [('Set-Cookie', expected)])
 
+def test_remember_encoded(self):
+plugin = self._makeOne('oatmeal', charset='utf-8')
+creds = {'login':u'foo', 'password':u'password'}
+auth = 'foo:password'.encode('base64').rstrip()
+auth = 'oatmeal=%s;' % auth
+environ = self._makeEnviron({'HTTP_COOKIE':auth})
+result = plugin.remember(environ, creds)
+self.assertEqual(result, None)
+
 def test_factory(self):
 from repoze.who.plugins.cookie import make_plugin
 plugin = make_plugin('foo')
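Review bot: `test_remember_encoded` uses ASCII-only credentials and only checks the `None` return of the unchanged-cookie path, so the new `cookie_value.encode(self.charset)` line is executed but its effect is never asserted. Add a case with a non-ASCII `login` and a different existing cookie, and assert on the `Set-Cookie` value that comes back.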


Re: [Repoze-dev] [issue149] Fix SAWarning messages when using repoze.who.plugins.sa plugins

2010-06-02 Thread Nuno Teixeira

Hello Gustavo,

Thanks for your fast reply and your suggestions! ;)

That occurs when using repoze.who.plugins.cookie.InsecureCookiePlugin as 
an identifier.

As I can see cookies are stored as ASCII strings so 
cookie.value.decode('base64') (#1 @ line 25) returns an ASCII string 
which is passed to authenticator's authenticate module.

That's why SA is complaining about getting an ASCII string as username. 
Probably I'll override cookie identify method.

#1 - http://svn.repoze.org/repoze.who/trunk/repoze/who/plugins/cookie.py

Cheers,
Nuno

On 06/02/2010 02:56 PM, Gustavo Narea wrote:

 Gustavo Narea m...@gustavonarea.net added the comment:

 The SQLAlchemy plugin is not tied to ASCII or Unicode, and you can use it without
 getting any warning as long as you pass the username/password properly encoded.

 I cannot apply that patch because some people use ASCII, and also the right place to
 fix this is the repoze.who identifier plugin that you are using, which is not giving
 repoze.who the username/password properly.

 Are you using a built-in repoze.who identifier plugin? Or is it maintained by a 3rd party?

 If it's a homegrown identifier, you may want to have a look at the code for
 repoze.who-friendlyform which gives repoze.who the credentials with the right charset:
 http://svn.repoze.org/whoplugins/whofriendlyforms/trunk/repoze/who/plugins/friendlyform.py

 Please use the mailing list if you need help to fix the identifier:
 http://lists.repoze.org/listinfo/repoze-dev

 Cheers.

 --
 assignedto:  -> Gustavo
 nosy: +Gustavo
 priority: bug -> wish
 status: unread -> resolved
 topic: +repoze.who

 __
 Repoze Bugs b...@bugs.repoze.org
 http://bugs.repoze.org/issue149
 __
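
The cookie handling discussed in this thread (base64 of `login:password`, combined with a charset), as an added Python 3 example that is not part of the original messages or of repoze.who. The function names and the sample credentials are assumptions made for illustration; the thread's own code is Python 2.

```python
import base64
import binascii


def encode_credentials(login, password, charset="utf-8"):
    """Text -> bytes in `charset` -> base64, returned as an ASCII str."""
    raw = ("%s:%s" % (login, password)).encode(charset)
    return base64.b64encode(raw).decode("ascii")


def decode_credentials(cookie_value, charset="utf-8"):
    """Return {'login': str, 'password': str}, or None for a malformed cookie.

    The cookie is client-controlled, so bad input yields "no identity"
    instead of an exception reaching the application. An unknown `charset`
    still raises LookupError, because that is a configuration error.
    """
    try:
        raw = base64.b64decode(cookie_value, validate=True)
        # Decode before splitting, so a ':' byte inside a multi-byte
        # sequence of the chosen charset is never taken as the separator.
        text = raw.decode(charset)
    except (binascii.Error, ValueError):
        # Bad base64, or bytes invalid in `charset`
        # (UnicodeDecodeError is a ValueError subclass).
        return None
    login, sep, password = text.partition(":")
    if not sep:
        return None  # no separator: not a login:password pair
    return {"login": login, "password": password}


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    cookie = encode_credentials("josé", "pässword")
    print(cookie, decode_credentials(cookie))
    # Base64 is an encoding, not protection: anyone holding the cookie
    # recovers the password, as the plugin's "Insecure" name indicates.
    print(decode_credentials("not base64 at all"))                # None
    print(decode_credentials(encode_credentials("josé", "x", "latin-1")))  # None
```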


[Repoze-dev] [issue144] Small typo on Unit and Integration Testing chapter

2010-05-03 Thread Nuno Teixeira

New submission from Nuno Teixeira tei...@gmail.com:

Index: docs/narr/unittesting.rst

===
--- docs/narr/unittesting.rst   (revision 9323)
+++ docs/narr/unittesting.rst   (working copy)
@@ -115,7 +115,7 @@
 of a :term:`Configurator`, including its ``begin`` and ``end``
 methods.
 
-If you also want to make :func:`repoze.bfg.get_current_registry`
+If you also want to make :func:`repoze.bfg.get_current_request`
 return something other than ``None`` during the course of a single
 test, you can pass a :term:`request` object into the

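Review bot: the replaced `:func:` line changes the cross-reference target from `get_current_registry` to `get_current_request`, which alters the meaning of the sentence rather than its spelling, so the submission should say so; the context that follows ("pass a :term:`request` object") supports the new name. Build the docs to confirm that the `repoze.bfg.get_current_request` target resolves.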
--
messages: 403
nosy: nteixeira
priority: bug
status: unread
title: Small typo on Unit and Integration Testing chapter
topic: bfg book

__
Repoze Bugs b...@bugs.repoze.org
http://bugs.repoze.org/issue144
__


Re: [Repoze-dev] How to handle failed logins?

2010-04-20 Thread Nuno Teixeira

Hi Timmy!

Timmy Chan wrote:
 my current workflow for FriendlyFormPlugin is
  
 user goes to page, needs permission, gets 401
 repoze.who sends it to login_form_url
 user inputs data
 user gets sent to post_login_url, gets 401
 gets sent to login_form_url again
  
  is this a good method?  can i pass along the username somewhere?

I think that post_login_url shouldn't return 401. This view should be 
public. There you could check existence of repoze.who.identity environ 
var and do some HTTP redirect (calling webob.exc.HTTPFound method) based 
on it: calling login_form (including username on the query string) in 
case of failure or redirect to another page on success.

Good luck!
Nuno

 
 On Sat, Apr 17, 2010 at 7:46 PM, Timmy Chan timmy.cha...@gmail.com wrote:
 
 im using FriendlyFormPlugin, and i would like to retrieve the
 username that was input as part of the request.params, but its no
 longer there as part of the post_login_url's controller's page. this
 way i can set the default for username  on the signin if the
 password is incorrect. thanks
 
 
