Comments (9)
aaugustin
commented on July 29, 2024
This would require keeping a record of generated tokens on the server. However django-sesame is currently stateless. So it's a different design.
Your version will be simpler than django-sesame because you don't need any crypto, you just need to store (user_id, random_token) pairs and delete them when they're used.
django-sesame is just a few dozen lines of code on top of Django's utilities. There will be little overlap with a library implementing the behavior you're describing.
That's why I think it makes more sense to implement one-time tokens in a separate library.
from django-sesame.
mitchelljkotler
commented on July 29, 2024
Not sure if I should just start a new issue since it has been quite a while, but this is something I am interested in again. This blog post describes a way to achieve this:
https://simpleisbetterthancomplex.com/tutorial/2016/08/24/how-to-create-one-time-link.html
Basically, just add the user's last login to the hash, so that the hash becomes valid after they login again. This retains the simplicity of your design, with the option for one time use tokens. Would you be open something like this?
from django-sesame.
aaugustin
commented on July 29, 2024
I don't have a strong opinion. How would user opt-in to that behavior? With a setting? With a different API for generating tokens?
from django-sesame.
mitchelljkotler
commented on July 29, 2024
I was thinking a setting, although you could also have an option on get_parameters and get_query_string to override it.
from django-sesame.
mitchelljkotler
commented on July 29, 2024
Thinking about it more, mixing the two will complicate the decoding logic.... might be easiest for it to just be a setting so you always know whether to expect the login date to be there or not. If you would accept this, I would be willing to write a PR for it... however, I do need UUID primary keys for users, so would wait until that is merged in.
from django-sesame.
aaugustin
commented on July 29, 2024
I'm OK with a global setting to opt-in to single use tokens.
from django-sesame.
mitchelljkotler
commented on July 29, 2024
I have created a pull request for this - please review it and let me know if it needs any fixes to be merged in. Thanks!
from django-sesame.
aaugustin
commented on July 29, 2024
Yes I've had it on my radar this week. Very busy week, unfortunately.
from django-sesame.
mitchelljkotler
commented on July 29, 2024
Ok, no rush - just wanted to make sure you saw it. Thanks.
…On Fri, Apr 5, 2019, 5:20 PM Aymeric Augustin ***@***.***> wrote:
Yes I've had it on my radar this week. Very busy week, unfortunately.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#4 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAITotfkamFBrIYzHZvaWvbdWuYhwps9ks5vd74RgaJpZM4FzV2T>
.
from django-sesame.
Related Issues (20)
- struct.pack error creating token using custom User model with UUID as pk HOT 1
- Feature: Enforce same session link usage HOT 3
- Documentation: clarify dynamic max_age is ignored with SESAME_MAX_AGE = None (the default) HOT 2
- Discussion: what is the benefit of going through the authentication backend system? HOT 4
- Non existent user ID returned / Security concerns HOT 3
- Authenticate a view without user HOT 2
- Django admin does not log in after adding Middleware HOT 10
- Rename master branch to main HOT 1
- sesame tokens seem to be missing a bunch of entropy on my Django installation (first characters are all 'AAAAAA' HOT 3
- Login view request HOT 11
- Is ModelBackend actually needed? HOT 2
- Expired Token: enhance user journey HOT 2
- Support changing signature length HOT 1
- Add support for SECRET_KEY_FALLBACKS
- Typo in tutorial for Login by email
- Deprecated dependencies HOT 2
- minimum ua parser version HOT 2
- SESAME_PRIMARY_KEY_FIELD=uuid does not allow login HOT 2
- Add an option to invalidate magic links on email change HOT 4
- override_settings doesn't update sesame settings HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from django-sesame.