Comments (19)
It's technically possible to add this feature to the middleware.
I'm wondering if it needs to be configurable or if we should just make a choice here.
That choice is a tradeoff between page load time (an extra redirect) and URL cleanliness.
Currently django-sesame supports running without django.contrib.sessions (theoretically — I never tested it and I don't expect anyone to do that). We shouldn't redirect in that case.
I pushed version 1.4 to PyPI with this feature.
I can't imagine many scenarios where I'd want to keep the token in the URL.
I'm building an app (nothing sensitive and well within the security caveats) that will generate unique event URLs to be shared via text/chat/etc. and take advantage of the password-less login provided by this package. If the token remains in the URL, it increases the chances that someone will share a URL that inadvertently logs in as that user.
Agreed, that's why I'm thinking it could be the default behavior (with no option to change it).
That would require modifying this block (django-sesame/sesame/middleware.py, lines 32 to 35 in b546c02) to add something like:
# deconstruct URL
# remove url_auth_token parameter
# reconstruct URL
# redirect
👍 That flow is very similar to what I've implemented in another app to achieve this effect.
PR welcome :-)
NB - you'll need to tweak __call__ as well.
Should the token be removed from the URL if authentication fails?
Good question! Probably not?
I think I agree. The PR I submitted keeps the token on failed auth.
Unfortunately this is not working for Safari, as it is against setting cookies in 302 redirects.
When someone wraps the URL with the token (for example to make a bit.ly short URL, or an automated URL defense software) it fails in Safari (both iOS and desktop).
Is there any chance for you to make this optional?
This sounds like a side-effect of the over-zealous "Protection Against First Party Bounce Trackers" in ITP 2.0.
Do all redirects happen on the same domain? Or do you change first-party domain e.g. from https://example.com/ to https://www.example.com/?
The domain was different, which is probably the case when you do URL shortening; same goes for URL defenders.
Unfortunately this failed for us in the middle of a huge demo when the guys tried using it with their corporate email (which uses proofpoint.com).
To be honest I'd rather implement something that works well for most users rather than expect them to learn the intricacies of ITP and determine that they may need to tweak a setting.
Perhaps we could redirect only in circumstances that are deemed "ITP-safe", for example when there is no referrer from a different domain — there should be one from proofpoint.com in your example.
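A sketch of the redirect decision discussed in this thread (strip the token after a successful login, keep it on failed auth as in the PR above, and skip the redirect when a cross-site referrer such as a URL shortener or mail defense proxy is present); this is an added example, not django-sesame's own middleware code. It uses the standard library only: in a real middleware the inputs would come from request.get_full_path(), request.get_host() and request.META.get("HTTP_REFERER"), and a non-None result would be wrapped in HttpResponseRedirect; the parameter name and helper names are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed name of the query parameter carrying the token (as used in this thread).
TOKEN_PARAM = "url_auth_token"


def strip_token(full_path):
    """Return full_path with the token parameter removed and all other
    parameters kept in order; None when there is no token to strip
    (so the caller knows no redirect is needed)."""
    parts = urlsplit(full_path)
    query = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in query if k != TOKEN_PARAM]
    if len(kept) == len(query):
        return None
    # urlunsplit drops the "?" entirely when the remaining query is empty.
    return urlunsplit(parts._replace(query=urlencode(kept)))


def itp_safe(referer, host):
    """The 'ITP-safe' case from the thread: redirect only when there is no
    referrer, or the referrer is on the same host as this request."""
    if not referer:
        return True
    our_host = host.split(":")[0].lower()  # get_host() may include a port
    return urlsplit(referer).hostname == our_host


def redirect_target(full_path, host, referer, user_authenticated):
    """Decide what to do after token processing: return the cleaned URL to
    redirect to, or None to serve the page as requested."""
    if not user_authenticated:
        return None  # failed auth: leave the token in the URL (PR behaviour)
    if not itp_safe(referer, host):
        return None  # cross-site bounce: Safari ITP may drop the session cookie
    return strip_token(full_path)


if __name__ == "__main__":
    # Constructed sample request: token plus one unrelated parameter.
    print(redirect_target("/event/42/?url_auth_token=abc&tab=2",
                          "example.com", None, True))
```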
I think that's fair enough.
For the record, there've been several discussions of ITP on the django-developers mailing-list. Apparently there are many use cases where ITP is over-zealous and blocks perfectly legitimate behavior.
Probably we should just sniff the user agent and disable the redirection on Safari... It isn't critical to django-sesame's functionality.
That would have been a good plan if it had been possible to detect Safari reliably with its user agent...
Does #22 work for you? Don't forget to pip install ua-parser, else it won't do anything.
I didn't make ua-parser a mandatory dependency because I'm not comfortable adding 0.2-0.5s to the boot time of every app that uses django-sesame just because Safari is annoying.