archive/pillar
0
0
Fork 0
Code Issues 42 Pull Requests Projects Releases Wiki Activity

Clean up authentication system #56629

New Issue
Open
opened 2018-08-31 14:52:25 +02:00 by Sybren A. Stüvel · 1 comment
Sybren A. Stüvel commented 2018-08-31 14:52:25 +02:00
Copy Link

The current authentication system is a big pile of microwave spaghetti (not to be confused with delicious spaghetti) and should be cleaned up.

  • Stop calling authentication tokens 'id'. For example, currently session['user_id'] is an authentication token.
  • Stop putting secret information in the session. The aforementioned session['user_id'] is sent as-is to the web browser. This is like sending a password back and forth all the time.
  • Have one module that handles authentication, and one place to store the authentication information once someone is logged in succesfully.
  • Either accept a Authorization header or do a CSRF check, but don't do both.
  • Create one way to load the user from the database in the authentication system. Currently a UserClass instance can be created empty with only an authentication token, or filled with information from the database. It's unclear which one is used in which situation.
The current authentication system is a big pile of microwave spaghetti (not to be confused with delicious spaghetti) and should be cleaned up. - Stop calling authentication tokens 'id'. For example, currently `session['user_id']` is an authentication token. - Stop putting secret information in the session. The aforementioned `session['user_id']` is sent as-is to the web browser. This is like sending a password back and forth all the time. - Have one module that handles authentication, and one place to store the authentication information once someone is logged in succesfully. - Either accept a `Authorization` header or do a CSRF check, but don't do both. - Create one way to load the user from the database in the authentication system. Currently a `UserClass` instance can be created empty with only an authentication token, or filled with information from the database. It's unclear which one is used in which situation.
Sybren A. Stüvel commented 2018-08-31 14:52:25 +02:00
Author
Copy Link

Added subscribers: @dr.sybren, @fsiddi

Added subscribers: @dr.sybren, @fsiddi
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Priority::High
Priority::Low
Priority::Normal
Status::Archived
Status::Confirmed
Status::Resolved
Type::Bug
Type::Design
Type::Patch
Type::Report
Type::To Do
legacy project
Infrastructure: Websites
legacy project
Pillar
legacy project
Pillar Framework
legacy project
Pillar Website
No Label
Priority::Normal
Status::Confirmed
Type::To Do
legacy project
Pillar
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
blender-admin
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: archive/pillar#56629
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?