archive/pillar
0
0
Fork 0
Code Issues 42 Pull Requests Projects Releases Wiki Activity

Clean up authentication system #56629

New Issue
Open
opened 2018-08-31 14:52:25 +02:00 by Sybren A. Stüvel · 1 comment
Sybren A. Stüvel commented 2018-08-31 14:52:25 +02:00
Copy Link

The current authentication system is a big pile of microwave spaghetti (not to be confused with delicious spaghetti) and should be cleaned up.

  • Stop calling authentication tokens 'id'. For example, currently session['user_id'] is an authentication token.
  • Stop putting secret information in the session. The aforementioned session['user_id'] is sent as-is to the web browser. This is like sending a password back and forth all the time.
  • Have one module that handles authentication, and one place to store the authentication information once someone is logged in succesfully.
  • Either accept a Authorization header or do a CSRF check, but don't do both.
  • Create one way to load the user from the database in the authentication system. Currently a UserClass instance can be created empty with only an authentication token, or filled with information from the database. It's unclear which one is used in which situation.
The current authentication system is a big pile of microwave spaghetti (not to be confused with delicious spaghetti) and should be cleaned up. - Stop calling authentication tokens 'id'. For example, currently `session['user_id']` is an authentication token. - Stop putting secret information in the session. The aforementioned `session['user_id']` is sent as-is to the web browser. This is like sending a password back and forth all the time. - Have one module that handles authentication, and one place to store the authentication information once someone is logged in succesfully. - Either accept a `Authorization` header or do a CSRF check, but don't do both. - Create one way to load the user from the database in the authentication system. Currently a `UserClass` instance can be created empty with only an authentication token, or filled with information from the database. It's unclear which one is used in which situation.
Sybren A. Stüvel commented 2018-08-31 14:52:25 +02:00
Author
Copy Link

Added subscribers: @dr.sybren, @fsiddi

Added subscribers: @dr.sybren, @fsiddi
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
legacy project
Infrastructure: Websites

  
legacy project
Pillar

  
legacy project
Pillar Framework

  
legacy project
Pillar Website

  
Priority::High

   
Priority::Low

   
Priority::Normal

   
Status::Archived

   
Status::Confirmed

   
Status::Resolved

   
Type::Bug

   
Type::Design

   
Type::Patch

   
Type::Report

   
Type::To Do
No Label
legacy project
Infrastructure: Websites
legacy project
Pillar
legacy project
Pillar Framework
legacy project
Pillar Website
Priority::High
Priority::Low
Priority::Normal
Status::Archived
Status::Confirmed
Status::Resolved
Type::Bug
Type::Design
Type::Patch
Type::Report
Type::To Do
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: archive/pillar#56629
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?