[Catalog-sig] pythonpackages.com beta security

Richard Jones richard at python.org
Fri Jul 20 06:20:43 CEST 2012


We implemented OAuth for you and crate.io. Why did you give up?


    Richard

On 20 July 2012 12:39, Alex Clark <aclark at aclark.net> wrote:
> Hi,
>
>
> Earlier in the year I announced the pythonpackages.com alpha[1] and there
> was some helpful discussion in that thread about security. We are now in
> beta and since then, I've
>
> - totally abandoned the idea of using pypissh
> - investigated using PyPI oauth[3], but gave up
> - settled on saving users credentials in an encrypted session cookie[4]
>
> While not ideal, I'm fairly happy with the fact that it works and is "secure
> enough". However I'd very much appreciate some additional eyes on the
> implementation. The (very simple) pyramid code is:
>
>
>     if 'submit' in request.POST:
>         username = request.POST['username']
>         password = request.POST['password']
>         cookieval = {'username': username, 'password': password}
>         request.session[config.COOKIE_PYPI] = cookieval
>
>
> And the beta is available to anyone who signs up here:
> http://pythonpackages.com/signup, then signs in with their GitHub account.
> You can then go here:
>
> - https://pythonpackages.com/manage/account/pypi
>
> and fill in your PyPI credentials (or bogus credentials for testing) then
> verify you cannot easily extract the account info from the beaker.session.id
> cookie
>
>
> Thanks for any feedback,
>
>
> Alex
>
>
> [1] http://mail.python.org/pipermail/catalog-sig/2012-January/004152.html
>
> [2] http://pypi.python.org/pypi/pypissh/1.4
>
> [3] https://bitbucket.org/loewis/pypi/changeset/b034fda5bef9
>
> [4] http://beaker.readthedocs.org/en/latest/sessions.html#encryption
>
>
>
> --
> Alex Clark · http://pythonpackages.com/ONE_CLICK_RELEASE
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>
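The check Alex asks for above (sign in, store PyPI credentials, then see whether they can be pulled back out of the session cookie) is worth making concrete. The following is an added example and not code from the original post, from pythonpackages.com or from Beaker: it builds two cookie formats for the same {'username', 'password'} session, a signed-but-unencrypted one (HMAC over base64 JSON) and an encrypt-then-MAC one, and runs the cheap decodings an attacker tries first (URL-decode, base64, hex, per dot-separated field) against both. The stream cipher here is HMAC-SHA256 in counter mode, a standard-library stand-in for the AES mode Beaker's encrypted sessions use; SECRET_KEY and the sample session are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import os
import urllib.parse

# Constructed server-side secret; a real deployment reads it from config.
SECRET_KEY = b"constructed-example-secret-not-for-production"


def sign_only_cookie(session: dict, key: bytes) -> str:
    """Signed but unencrypted cookie: <hex HMAC>.<base64 JSON>.
    The MAC stops tampering; the payload is readable by anyone holding the cookie."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{sig}.{payload.decode()}"


def _derive_keys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the one configured secret.
    return (hashlib.sha256(key + b"|enc").digest(),
            hashlib.sha256(key + b"|mac").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib stand-in for
    # the AES mode Beaker uses, not Beaker's own construction.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_cookie(session: dict, key: bytes) -> str:
    """Encrypt-then-MAC cookie: base64(nonce || ciphertext || HMAC tag)."""
    enc_key, mac_key = _derive_keys(key)
    nonce = os.urandom(16)
    plaintext = json.dumps(session, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def decrypt_cookie(token: str, key: bytes) -> dict:
    """Verify the tag before touching the ciphertext; ValueError on any failure."""
    enc_key, mac_key = _derive_keys(key)
    blob = base64.urlsafe_b64decode(token)
    if len(blob) < 16 + 32:
        raise ValueError("cookie too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie tampered with or wrong key")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def is_valid_cookie(token: str, key: bytes) -> bool:
    try:
        decrypt_cookie(token, key)
        return True
    except ValueError:  # covers bad base64, short blob, bad tag and bad JSON
        return False


def tampered_copy(token: str) -> str:
    """Flip one ciphertext bit, as an attacker editing the cookie would."""
    blob = bytearray(base64.urlsafe_b64decode(token))
    blob[16] ^= 0x01  # first ciphertext byte, just past the 16-byte nonce
    return base64.urlsafe_b64encode(bytes(blob)).decode()


def _easy_decodings(cookie_value: str):
    """Cheap transformations an attacker tries first on an opaque cookie."""
    unquoted = urllib.parse.unquote(cookie_value)
    yield unquoted.encode()
    for part in unquoted.split("."):
        padded = part + "=" * (-len(part) % 4)
        for decoder in (base64.urlsafe_b64decode, base64.b64decode):
            try:
                yield decoder(padded)
            except ValueError:
                pass
        try:
            yield bytes.fromhex(part)
        except ValueError:
            pass


def leaked_secrets(cookie_value: str, secrets: list) -> set:
    """Return every secret recoverable from the cookie with the easy decodings."""
    found = set()
    for blob in _easy_decodings(cookie_value):
        found.update(s for s in secrets if s.encode() in blob)
    return found


if __name__ == "__main__":
    session = {"username": "alice", "password": "hunter2"}  # constructed sample
    print("signed only leaks:", leaked_secrets(sign_only_cookie(session, SECRET_KEY), ["hunter2"]))
    token = encrypt_cookie(session, SECRET_KEY)
    print("encrypted leaks:  ", leaked_secrets(token, ["hunter2"]))
    print("tampered accepted:", is_valid_cookie(tampered_copy(token), SECRET_KEY))
```

The leak check is deliberately shallow: passing it only shows the cookie is not readable without the key, which is the property Alex is asking readers to confirm. It says nothing about the key itself, so the remaining questions for a reviewer are where the server keeps its encrypt key and how the cookie is scoped (Secure and HttpOnly flags), since anyone who obtains both the cookie and the key holds the user's PyPI password rather than a revocable token.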

