do you know what a jwt token is instead of just blindly bashing a solution?
"this" adds a table potentially growing towards infinite (to maintain), two 
queries, creates the session, for each and every request: all of which is 
unnecessary. 
It's web2py-proprietary, needs to be managed within a grid (so within the 
app), it's user-managed, has no integration with ANY other language, isn't 
extendable, doesn't have a refresh API, etc.

With JWT there's a clean API for letting them expire, another for refreshing 
them, and one for storing an additional payload; it's extendable, has 
integration with multiple languages, and it's documented, tested, engineered 
and pushed by people far more experienced in auth APIs. Reinventing the wheel 
is cool, until it's not.
You send a request for a token with username and password, and you get a 
string back. Those are signed tokens, so unless you discover the secret, they 
are unusable. 
They're as secure as signed URLs.


On Thursday, July 9, 2015 at 12:25:54 AM UTC+2, Derek wrote:
>
> The only difference between this and jwt (saying jwt tokens is like saying 
> atm machine, it's redundant) is that jwt can be generated client side 
> (provided the client knows the secret) and thus would be less secure than 
> this.
>
>
> On Wednesday, July 8, 2015 at 1:16:31 PM UTC-7, Niphlod wrote:
>>
>> summarizing, IMHO web2py should probably implement JWT tokens 
>> <http://jwt.io/> instead of this custom one to have it called properly 
>> "API tokens"
>>
>
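The credential-for-token exchange, the expiry and refresh steps, and the "unusable unless you discover the secret" claim made above, as an added stand-alone example (not web2py code and not a library the thread mentions): a minimal HS256 JWT issuer and verifier using only the Python standard library. The secret, the user store and the salt scheme are constructed for the example. Two helpers at the end play the attacker: one rewrites claims while keeping the old signature, the other swaps the header to `alg: none`. Both are rejected because the verifier pins the algorithm server-side and checks the HMAC before trusting any claim, which is the check a practitioner must not leave out when adopting JWT.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical demo secret. A real service loads a long random secret from
# configuration; this value exists only so the example runs stand-alone.
SECRET = b"demo-secret-not-for-production"

# Constructed user store: username -> SHA-256 of "salt:" + password.
# Placeholder for the framework's own password hashing.
USERS = {"alice": hashlib.sha256(b"salt:correct horse").hexdigest()}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint(payload: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature for an HS256 token."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(payload)
    return signing_input + "." + b64url(sign(signing_input.encode(), secret))


def issue_token(username, password, secret=SECRET, ttl=3600, now=None):
    """The credential exchange: username/password in, signed token out (None on bad login)."""
    now = int(time.time()) if now is None else now
    stored = USERS.get(username)
    given = hashlib.sha256(b"salt:" + password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, given):
        return None
    return mint({"sub": username, "iat": now, "exp": now + ttl}, secret)


def verify_token(token, secret=SECRET, now=None):
    """Return the payload if the signature checks out and exp is in the future, else None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm on the server side. Letting the token's own header
    # choose it is how "alg":"none" and key-confusion attacks get in.
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, sign((h_b64 + "." + p_b64).encode(), secret)):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return payload


def refresh_token(token, secret=SECRET, ttl=3600, now=None):
    """Re-issue a still-valid token with a new exp, without asking for the password again."""
    now = int(time.time()) if now is None else now
    payload = verify_token(token, secret, now)
    if payload is None:
        return None
    return mint(dict(payload, iat=now, exp=now + ttl), secret)


def tamper_payload(token, **changes):
    """Attacker move: rewrite claims but keep the original signature (no secret needed)."""
    h_b64, p_b64, s_b64 = token.split(".")
    payload = json.loads(b64url_decode(p_b64))
    payload.update(changes)
    return h_b64 + "." + encode_part(payload) + "." + s_b64


def alg_none_variant(token):
    """Attacker move: swap the header to alg=none and drop the signature."""
    _, p_b64, _ = token.split(".")
    return encode_part({"alg": "none", "typ": "JWT"}) + "." + p_b64 + "."


if __name__ == "__main__":
    tok = issue_token("alice", "correct horse")
    print(tok)
    print(verify_token(tok))
    print(verify_token(tamper_payload(tok, sub="admin")))  # None: signature no longer matches
    print(verify_token(alg_none_variant(tok)))             # None: alg is pinned to HS256
```

Note that this is exactly the point where the two sides of the thread meet: the token is only as strong as the secret, so the secret stays on the server and the client never generates tokens. Per-request cost is one HMAC over the token, with no session table and no database lookup, which is the "two queries plus a growing table" overhead the post objects to.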

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.