I think we should support jwt. Niphlod. Can you provide an implementation? On Thursday, 9 July 2015 01:16:43 UTC-5, Niphlod wrote: > > do you know what a jwt token is instead of just blindly bashing a solution? > "this" adds a table potentially growing towards infinite (to maintain), > two queries, creates the session, for each and every request: all of which > is unnecessary. > It's web2py's proprietary, needs to be managed within a grid (so within > the app), it's user-managed, hasn't integration with ANY other language, > isn't extentable, doesn't have a refresh API, etc. > > with jwt there's a clean API on how to let them expire, another to refresh > them, how to store an additional payload, is extendable, has integration > with multiple languages, it's documented, tested, engineered and pushed by > people far more experienced in auth APIs. Reinventing the wheel is cool, > until it's not. > You send a request for a token with username and password, you get a > string back. Those are signed tokens, so unless you discover the secret, > are unusable. > They're as secure as signed urls. > > > On Thursday, July 9, 2015 at 12:25:54 AM UTC+2, Derek wrote: >> >> The only difference between this and jwt (saying jwt tokens is like >> saying atm machine, it's redundant) is that jwt can be generated client >> side (provided the client knows the secret) and thus would be less secure >> than this. >> >> >> On Wednesday, July 8, 2015 at 1:16:31 PM UTC-7, Niphlod wrote: >>> >>> summarizing, IMHO web2py should probably implement JWT tokens >>> <http://jwt.io/> instead of this custom one to have it called properly >>> "API tokens" >>> >>
-- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.