[Repoze-dev] [issue155] Support encoding of cookies on repoze.who cookie plugin
New submission from Nuno Teixeira tei...@gmail.com: I think that encoding cookies data could be useful. My usecase is related with SQLAlchemy that avoid the use of non-unicode strings on queries. -- files: r9728.diff messages: 426 nosy: nteixeira priority: feature status: unread title: Support encoding of cookies on repoze.who cookie plugin topic: repoze.who __ Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue155 __Index: repoze/who/plugins/cookie.py === --- repoze/who/plugins/cookie.py (revision 9728) +++ repoze/who/plugins/cookie.py (working copy) @@ -10,9 +10,10 @@ implements(IIdentifier) -def __init__(self, cookie_name, cookie_path='/'): +def __init__(self, cookie_name, cookie_path='/', charset=None): self.cookie_name = cookie_name self.cookie_path = cookie_path +self.charset = charset # IIdentifier def identify(self, environ): @@ -29,7 +30,11 @@ try: login, password = auth.split(':', 1) -return {'login':login, 'password':password} +if self.charset is None: +return {'login':login, 'password':password} +else: +return {'login': login.decode(self.charset), +'password': password.decode(self.charset)} except ValueError: # not enough values to unpack return None @@ -44,6 +49,8 @@ def remember(self, environ, identity): cookie_value = '%(login)s:%(password)s' % identity cookie_value = cookie_value.encode('base64').rstrip() +if self.charset: +cookie_value = cookie_value.encode(self.charset) cookies = get_cookies(environ) existing = cookies.get(self.cookie_name) value = getattr(existing, 'value', None) 
@@ -57,7 +64,8 @@ return '%s %s' % (self.__class__.__name__, id(self)) #pragma NO COVERAGE -def make_plugin(cookie_name='repoze.who.plugins.cookie', cookie_path='/'): -plugin = InsecureCookiePlugin(cookie_name, cookie_path) +def make_plugin(cookie_name='repoze.who.plugins.cookie', cookie_path='/', +charset=None): +plugin = InsecureCookiePlugin(cookie_name, cookie_path, charset) return plugin ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
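Review bot: in the `remember` hunk the charset encode runs after `cookie_value.encode('base64')`, so the unicode-to-bytes step has already happened implicitly with the default codec before `self.charset` is consulted. A non-ASCII login or password would fail on the base64 line, and the added `.encode(self.charset)` only re-encodes base64 text. Suggest encoding the `'%(login)s:%(password)s' % identity` string with `self.charset` first and base64-encoding the resulting bytes.

Review bot: in the `identify` hunk, `login.decode(self.charset)` sits inside the existing `try` / `except ValueError`, whose comment still reads `# not enough values to unpack`. A decode failure on client-supplied cookie bytes is also a `ValueError` and will be swallowed there; returning `None` is a reasonable outcome, but the comment should say so and a test should cover it. This hunk also checks `self.charset is None` while `remember` checks `if self.charset:`, so an empty-string charset takes different branches in the two methods; use the same check in both.

Review bot: in the `make_plugin` hunk, `charset` is passed through unchecked, so a misspelt codec name only surfaces on the first request that carries the cookie. Consider calling `codecs.lookup(charset)` in `__init__` when a charset is given so a bad value fails at configuration time, and document the new argument.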
[Repoze-dev] [issue155] Support encoding of cookies on repoze.who cookie plugin
Nuno Teixeira tei...@gmail.com added the comment: Added tests for full coverage __ Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue155 __Index: repoze/who/plugins/cookie.py === --- repoze/who/plugins/cookie.py (revision 9728) +++ repoze/who/plugins/cookie.py (working copy) @@ -10,9 +10,10 @@ implements(IIdentifier) -def __init__(self, cookie_name, cookie_path='/'): +def __init__(self, cookie_name, cookie_path='/', charset=None): self.cookie_name = cookie_name self.cookie_path = cookie_path +self.charset = charset # IIdentifier def identify(self, environ): @@ -29,7 +30,11 @@ try: login, password = auth.split(':', 1) -return {'login':login, 'password':password} +if self.charset is None: +return {'login':login, 'password':password} +else: +return {'login': login.decode(self.charset), +'password': password.decode(self.charset)} except ValueError: # not enough values to unpack return None @@ -44,6 +49,8 @@ def remember(self, environ, identity): cookie_value = '%(login)s:%(password)s' % identity cookie_value = cookie_value.encode('base64').rstrip() +if self.charset: +cookie_value = cookie_value.encode(self.charset) cookies = get_cookies(environ) existing = cookies.get(self.cookie_name) value = getattr(existing, 'value', None) @@ -57,7 +64,8 @@ return '%s %s' % (self.__class__.__name__, id(self)) #pragma NO COVERAGE -def make_plugin(cookie_name='repoze.who.plugins.cookie', cookie_path='/'): -plugin = InsecureCookiePlugin(cookie_name, cookie_path) +def make_plugin(cookie_name='repoze.who.plugins.cookie', cookie_path='/', +charset=None): +plugin = InsecureCookiePlugin(cookie_name, cookie_path, charset) return plugin Index: repoze/who/plugins/tests/test_cookie.py === --- repoze/who/plugins/tests/test_cookie.py (revision 9728) +++ repoze/who/plugins/tests/test_cookie.py (working copy) 
@@ -49,6 +49,13 @@ result = plugin.identify(environ) self.assertEqual(result, {'login':'foo', 'password':'password'}) +def test_identify_encoded(self): +plugin = self._makeOne('oatmeal', charset='utf-8') +auth = 'foo:password'.encode('base64').rstrip() +environ = self._makeEnviron({'HTTP_COOKIE':'oatmeal=%s;' % auth}) +result = plugin.identify(environ) +self.assertEqual(result, {'login':u'foo', 'password':u'password'}) + def test_remember_creds_same(self): plugin = self._makeOne('oatmeal') creds = {'login':'foo', 'password':'password'} @@ -68,6 +75,15 @@ expected = 'oatmeal=%s; Path=/;' % creds_auth self.assertEqual(result, [('Set-Cookie', expected)]) +def test_remember_encoded(self): +plugin = self._makeOne('oatmeal', charset='utf-8') +creds = {'login':u'foo', 'password':u'password'} +auth = 'foo:password'.encode('base64').rstrip() +auth = 'oatmeal=%s;' % auth +environ = self._makeEnviron({'HTTP_COOKIE':auth}) +result = plugin.remember(environ, creds) +self.assertEqual(result, None) + def test_factory(self): from repoze.who.plugins.cookie import make_plugin plugin = make_plugin('foo') ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
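Review bot: both new tests (`test_identify_encoded`, `test_remember_encoded`) use only the ASCII values `foo` and `password`. Since `'foo' == u'foo'` in this Python version, the `assertEqual` in `test_identify_encoded` passes whether or not the charset decode is applied, and `test_remember_encoded` only exercises the unchanged-cookie path that returns `None`. Add a case with a non-ASCII login and password that asserts the `Set-Cookie` value produced by `remember` and feeds it back through `identify`, plus a cookie whose bytes are invalid for the configured charset.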
Re: [Repoze-dev] [issue149] Fix SAWarning messages when using repoze.who.plugins.sa plugins
Olá Gustavo,

Thanks for your fast reply and your suggestions! ;)

That occurs when using repoze.who.plugins.cookie.InsecureCookiePlugin as an identifier. As I can see cookies are stored as ASCII strings so cookie.value.decode('base64') (#1 @ line 25) returns an ASCII string which is passed to authenticator's authenticate module. That's why SA is complaining about getting an ASCII string as username.

Probably I'll override cookie identify method.

#1 - http://svn.repoze.org/repoze.who/trunk/repoze/who/plugins/cookie.py

Cheers,
Nuno

On 06/02/2010 02:56 PM, Gustavo Narea wrote:
> Gustavo Narea m...@gustavonarea.net added the comment:
>
> The SQLAlchemy plugin is not tied to ASCII or Unicode, and you can use it without getting any warning as long as you pass the username/password properly encoded.
>
> I cannot apply that patch because some people use ASCII, and also the right place to fix this is the repoze.who identifier plugin that you are using, which is not giving repoze.who the username/password properly.
>
> Are you using a built-in repoze.who identifier plugin? Or is it maintained by a 3rd party?
>
> If it's a homegrown identifier, you may want to have a look at the code for repoze.who-friendlyform which gives repoze.who the credentials with the right charset:
> http://svn.repoze.org/whoplugins/whofriendlyforms/trunk/repoze/who/plugins/friendlyform.py
>
> Please use the mailing list if you need help to fix the identifier:
> http://lists.repoze.org/listinfo/repoze-dev
>
> Cheers.
>
> --
> assignedto: -> Gustavo
> nosy: +Gustavo
> priority: bug -> wish
> status: unread -> resolved
> topic: +repoze.who
>
> Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue149
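The point of this exchange (the identifier should hand over credentials decoded with the right charset), as an added example that is not part of the thread or of repoze.who. It is written for Python 3, `encode_credentials` and `decode_credentials` are hypothetical names, and it generalises beyond utf-8 by decoding before splitting on `:`.

```python
import base64

# Added example (not repoze.who code). Function names are hypothetical.


def encode_credentials(login, password, charset="utf-8"):
    """Cookie value for login:password: charset-encode first, then base64."""
    if ":" in login:
        # The first ':' is the field separator, so a login containing one
        # would come back split in the wrong place.
        raise ValueError("login must not contain ':'")
    raw = ("%s:%s" % (login, password)).encode(charset)
    return base64.b64encode(raw).decode("ascii")


def decode_credentials(cookie_value, charset="utf-8"):
    """Return text credentials, or None if the cookie is malformed."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)
        # Decode before splitting: correct for any charset, not only those
        # where ':' is always the single byte 0x3A.
        login, password = raw.decode(charset).split(":", 1)
    except ValueError:
        # Covers bad base64 (binascii.Error), bytes invalid for the charset
        # (UnicodeDecodeError) and a missing ':' (unpacking error).
        return None
    return {"login": login, "password": password}


if __name__ == "__main__":
    # Constructed sample values.
    value = encode_credentials("jos\u00e9", "p\u00e4ss")
    print(value, decode_credentials(value))
    latin1 = encode_credentials("jos\u00e9", "p\u00e4ss", charset="latin-1")
    print(decode_credentials(latin1, charset="utf-8"))  # charset mismatch
    print(decode_credentials("%%%not-base64%%%"))
```

Base64 is only an encoding here, as the plugin's `InsecureCookiePlugin` name indicates: anyone who can read the cookie can read the password.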
[Repoze-dev] [issue144] Small typo on Unit and Integration Testing chapter
New submission from Nuno Teixeira tei...@gmail.com: Index: docs/narr/unittesting.rst === --- docs/narr/unittesting.rst (revision 9323) +++ docs/narr/unittesting.rst (working copy) @@ -115,7 +115,7 @@ of a :term:`Configurator`, including its ``begin`` and ``end`` methods. -If you also want to make :func:`repoze.bfg.get_current_registry` +If you also want to make :func:`repoze.bfg.get_current_request` return something other than ``None`` during the course of a single test, you can pass a :term:`request` object into the -- messages: 403 nosy: nteixeira priority: bug status: unread title: Small typo on Unit and Integration Testing chapter topic: bfg book __ Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue144 __ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
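Review bot: the replacement `:func:` line keeps the `repoze.bfg.` prefix of the line it replaces; check that `repoze.bfg.get_current_request` is the dotted path under which the function is documented, otherwise the corrected name will still render as a dead cross-reference.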
Re: [Repoze-dev] How to handle failed logins?
Hi Timmy!

Timmy Chan wrote:
> my current workflow for FriendlyFormPlugin is
>
> user goes to page, needs permission, gets 401
> repoze.who sends it to login_form_url
> user inputs data
> user gets sent to post_login_url, gets 401
> gets sent to login_form_url again
>
> is this a good method? can i pass along the username somewhere?

I think that post_login_url shouldn't return 401. This view should be public. There you could check existence of repoze.who.identity environ var and do some HTTP redirect (calling webob.exc.HTTPFound method) based on it: calling login_form (including username on the query string) in case of failure or redirect to another page on success.

Good luck!
Nuno

> On Sat, Apr 17, 2010 at 7:46 PM, Timmy Chan timmy.cha...@gmail.com wrote:
>> I'm using FriendlyFormPlugin, and i would like to retrieve the username that was input as part of the request.params, but it's no longer there as part of the post_login_url's controller's page. this way i can set the default for username on the signin if the password is incorrect.
>>
>> thanks