Comments (3)
django-sesame is primarily designed to provide secure authentication tokens using only state available in the database (vs. in the session).
If you're using sessions and you're storing them on the server, you don't need the cryptography provided by django-sesame. You can generate a random token with secrets.token_urlsafe, store that token and its expiry date in the session, then check that you're getting the same token before the expiry date from the verification link.
That doesn't work if you're storing sessions in cookies because they are signed but not encrypted, meaning that the user could decode the session and look up the token there, defeating the purpose. In that situation, you could create a random token and store it in the session, then use scoped tokens with scope=f"browser:{your_random_token}".
Can you share your solution? I'm curious to see what it looks like. Depending on how much code and complexity it adds to the library, I may consider it. Specifically, I want to check if you've done it in a way that doesn't cause token generation to know about sessions or cookies.
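The browser-binding described in the reply above (a random value kept in the session, and a token scoped to `browser:{that value}` so a leaked link is useless in any other browser), as an added example that is not code from django-sesame or from this thread. It uses a stand-in HMAC token instead of django-sesame's own token format so it runs without Django; the `scope` argument mirrors the `scope=` parameter the reply refers to, and a plain dict stands in for `request.session`.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment would derive this from settings.SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def make_token(user_id: int, scope: str, now: int) -> str:
    # Stand-in scoped token: "user_id:issued_at" MACed together with the scope string.
    payload = f"{user_id}:{now}".encode()
    sig = hmac.new(SECRET_KEY, payload + b"|" + scope.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"." + sig.encode()).decode()


def verify_token(token: str, scope: str, now: int, max_age: int):
    # Returns the user id only if the MAC matches *this* scope and the token is still fresh.
    try:
        payload, _, sig = base64.urlsafe_b64decode(token).partition(b".")
        user_id, issued = (int(part) for part in payload.decode().split(":"))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed or truncated token
    expected = hmac.new(SECRET_KEY, payload + b"|" + scope.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected.encode()):
        return None  # tampered payload, or a different browser nonce in the scope
    if now - issued > max_age:
        return None  # expired
    return user_id


def start_login(session: dict, user_id: int, now: int) -> str:
    # Generation side: bind a fresh random value to the requesting session,
    # then scope the token to that value.
    session["magic_link_nonce"] = secrets.token_urlsafe(32)
    return make_token(user_id, f"browser:{session['magic_link_nonce']}", now)


def finish_login(session: dict, token: str, now: int, max_age: int = 3600):
    # Verification side: only the session that requested the link holds the
    # nonce the token was scoped to, so a forwarded link fails elsewhere.
    nonce = session.get("magic_link_nonce")
    if nonce is None:
        return None
    user_id = verify_token(token, f"browser:{nonce}", now, max_age)
    if user_id is not None:
        del session["magic_link_nonce"]  # single use within the session
    return user_id
```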
My implementation was an afterthought. I had already created the whole magic link flow and realized that it would be far too easy to leak out the url to someone that likely should not have it (thinking insecure email transit, sharing links etc. - everything you have already mentioned).
So my implementation, rather than just using the session alone, inverted the process. It added the Primary Key of the login link to the session and compared at use time. I am thinking this could be really easy for this repo to implement as it could be put behind a setting on both the generation and the use.
The benefit to creating the code in the DB is purely for analytical purposes - who is completing the process and who is not. If you simply added the code to the session you would not have that data unless you stored it elsewhere.
The one line of code I think you could add (and the most salient from my code) is:
```python
request.session["login_code_pk"] = login_code.pk
```
Pretty dead simple on the generation side.
The more questionable (for ease of implementation) code for the validation side is something along the lines of:
```python
from datetime import timedelta

from django.utils.timezone import now
from ipware import get_client_ip  # django-ipware; returns (ip, is_routable)

from . import models  # the app's own LoginCode model (assumed location)


def get_user_from_login_code(request, code):
    # Wrapper name is illustrative. The link is only honoured in the browser
    # session that requested it: the LoginCode pk was stored in the session
    # at generation time, so a link leaked to another browser does not match.
    pk = request.session.get("login_code_pk")
    expiry = now() - timedelta(hours=1)
    try:
        login_code = models.LoginCode.objects.get(
            code__iexact=code, used=False, pk=pk, created__gt=expiry
        )
    except models.LoginCode.DoesNotExist:
        return None
    login_code.used = True
    login_code.used_ip, is_routable = get_client_ip(request)
    login_code.save()
    return login_code.user
```
Clear - thank you. I think there's a valid use case here.
This would require adding a new API or extending the current API because get_user takes a User in argument, not a Request.