Comments (8)
Your approach looks very smart for your use case.
Re. the v1 => v2 upgrade: do a replace-all of url_auth_token by sesame across your project — assuming you don't have anything called url_auth_token that isn't related to django-sesame. That should do it :-)
from django-sesame.
It's unfortunate that django-sesame relies so heavily on global settings, however:
- there aren't many other ways to configure a middleware (which was the only thing django-sesame supported at first);
- this problem is quite prevalent in the Django ecosystem, so no big surprise there :-/
If you try to implement what you're proposing you'll discover that it triggers large code changes, because the timestamp checking code runs before attempting to load the User instance.
I have two ideas that may do the job more easily:
- writing a custom middleware or auth backend that extends django-sesame's functionality by adding this check
- overriding the SESAME_MAX_AGE setting. Sure, this is inelegant, but perhaps it does the job. If you're stuck with v1 tokens — these days v2 are the default — don't forget this: https://github.com/aaugustin/django-sesame/blob/56a7b534b60a3860b766c2d224bc836c79853486/src/sesame/backends.py
You didn't say how you are using django-sesame exactly. If you have a basic setup with the middleware, try option 1. If you're handling tokens in your own code, try option 2.
Hey, thanks for the timely answer.
My 5 dimes:
> If you try to implement what you're proposing you'll discover that it triggers large code changes, because the timestamp checking code runs before attempting to load the User instance.
My initial intention actually didn't need the user; basing it on the URL path alone would have been sufficient... so a simple request object with a callback logic would have been sufficient.
Re your ideas:
- True, true, but generally when I have a lib in place I try to avoid somehow "hijacking" its logic so the code stays simple and easy to read for other devs. But yes, it might be an option. Actually I am using the default middleware and subclassed your backend...
- I really love simplicity, so making a setting flip back and forth isn't what I would do...
> If you're stuck with v1 tokens — these days v2 are the default
Right, but I haven't upgraded yet. When the new version came out my tests started failing and I quickly pinned back to the old version; I haven't had time yet to investigate why. Will do later this year. I quickly checked the README and yes, a general 2.0 release note is there, but a handy step-by-step, no-need-for-thinking upgrade/migration guide would have been fantastic.
As I wasn't patient enough to wait for an answer (you never know in open source when you get one), I stumbled upon a short note by yourself regarding the Slack-like magic link approach. I just fell in love with it and implemented a reasonable max age value (24h) and a quick automatism: upon an access failure where the token/user otherwise validate, the app sends out a fresh email with a magic link pointing to the same URL path and informs the user to check his inbox. It's already live and I'm seeing people using it without any flaw.
From my perspective this a) uses sesame as is, b) keeps the code simple, c) works well for the users' convenience and d) still provides some reasonable data protection for the users' personal data.
From my side we can close this ticket here, if you agree...
Btw, if you happen to be around Dresden, Germany, you must ping me for a coffee!
Hey, coming back here... looks like your magic links are really loved by my app's users.
They now asked me to have those URLs printed on thousands of papers as QR codes. So now I really have to have different expiration times for those URLs. I assume putting the time/date into the encrypted string is a stupid idea (to prevent some kind of local storage), isn't it?
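To make the design question in the QR-code comment concrete, here is an added, stand-alone example. It is not django-sesame's code or token format and not the thread author's implementation: a signed magic-link token that carries its own absolute expiry and URL path, so an e-mailed link (24h) and a printed QR code (months) can have different lifetimes without the server storing per-link state. The token layout, the constructed SECRET, the 16-byte truncated HMAC tag and the helper names are all assumptions made for this illustration; only the `sesame` query-parameter name comes from the thread. The `handle_request` function also sketches the "expired but authentic, so send a fresh link to the same path" flow described earlier in the thread.

```python
"""Magic-link tokens that carry their own expiry and URL path.

Added illustration, NOT django-sesame's token format: the absolute expiry
travels inside the token and the HMAC tag covers it, so a link printed as a
QR code can live for months while an e-mailed link lives for a day, and the
server stores nothing per link.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed key for this example only; a real app would derive it from
# settings.SECRET_KEY or load it from a secrets store.
SECRET = b"example-only-key-do-not-use"
SIG_LEN = 16          # truncated HMAC-SHA256 tag (128 bits)
HEADER = ">QQH"       # user id, absolute expiry (unix seconds), path length
HEADER_LEN = struct.calcsize(HEADER)


def _sign(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()[:SIG_LEN]


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(token):
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def make_token(user_id, path, max_age, now=None, key=SECRET):
    """Issue a token for `user_id`, bound to `path`, valid for `max_age` seconds."""
    now = int(time.time()) if now is None else now
    path_bytes = path.encode()
    payload = struct.pack(HEADER, user_id, now + max_age, len(path_bytes)) + path_bytes
    return _b64encode(payload + _sign(payload, key))


def verify_token(token, path, now=None, key=SECRET):
    """Return (status, user_id) with status 'ok', 'expired' or 'invalid'.

    'expired' is reported only after the tag and the path have checked out;
    that is the one case the resend flow below may act on. Everything else is
    'invalid' and must be treated as unauthenticated.
    """
    now = int(time.time()) if now is None else now
    try:
        raw = _b64decode(token)
    except ValueError:
        return ("invalid", None)
    if len(raw) < HEADER_LEN + SIG_LEN:
        return ("invalid", None)
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(payload, key)):   # constant-time compare
        return ("invalid", None)
    user_id, expires, plen = struct.unpack(HEADER, payload[:HEADER_LEN])
    token_path = payload[HEADER_LEN:]
    if len(token_path) != plen or token_path != path.encode():
        return ("invalid", None)        # link presented on a different URL path
    if now > expires:
        return ("expired", user_id)
    return ("ok", user_id)


def handle_request(token, path, now=None, key=SECRET):
    """Slack-style flow: log in, or on an authentic-but-stale link mint a fresh
    24h token for the same path. The caller e-mails it to the address on file;
    it is never shown to whoever presented the stale link."""
    status, user_id = verify_token(token, path, now, key)
    if status == "ok":
        return ("login", user_id, None)
    if status == "expired":
        return ("resend", user_id, make_token(user_id, path, 24 * 3600, now, key))
    return ("deny", None, None)


def forge_longer_expiry(token, extra_seconds):
    """What a token holder might try: push the embedded expiry out without the
    key. verify_token rejects the result because the tag covers the expiry."""
    raw = _b64decode(token)
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    user_id, expires, plen = struct.unpack(HEADER, payload[:HEADER_LEN])
    forged = struct.pack(HEADER, user_id, expires + extra_seconds, plen) + payload[HEADER_LEN:]
    return _b64encode(forged + sig)


if __name__ == "__main__":
    t0 = 1_700_000_000
    mail_link = make_token(42, "events/123", 24 * 3600, now=t0)          # e-mailed link, 1 day
    qr_link = make_token(7, "menu/table-12", 90 * 24 * 3600, now=t0)     # printed QR code, 90 days
    print("/events/123?sesame=" + mail_link)
    print(verify_token(mail_link, "events/123", now=t0 + 2 * 24 * 3600))    # ('expired', 42)
    print(verify_token(qr_link, "menu/table-12", now=t0 + 60 * 24 * 3600))  # ('ok', 7)
    print(verify_token(forge_longer_expiry(mail_link, 10**6), "events/123", now=t0))  # ('invalid', None)
```

Putting the expiry inside the token is not a bad idea as long as the tag covers it; the trade-off is revocation. With nothing stored per link, an individual link can only be killed early by rotating the key, or by mixing something user-specific (such as a password hash) into the signed payload, which this example omits. The resend branch trusts `user_id` only because the tag already verified; an `invalid` token must never trigger a mail, or the endpoint becomes a way to spam arbitrary users.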
I filed #67 because I think this use case should have built-in support.
(The only reason why I rejected this issue earlier is because it required a bit of effort to implement, not because it's a bad idea.)
Wow, that would be fantastic. Let me be your early alpha tester :)