Add a specific salt key for default_bucket ID generation #881
Comments
@Natim How many characters and base salt do you think should be used?

As much as the security people want to use. Right now they want to use this command to generate the salt:

@Natim how do we plan to take input for the salt (or the pattern) from the user?

The same way we do for the userHmacSecret I guess. Using the command

Related #691

@Natim So basically we need to make this change in the file https://github.com/Kinto/kinto/blob/master/kinto/plugins/default_bucket/__init__.py#L172

Yes, something like that, as well as adding some tests and updating the kinto command.
Hello there, I was looking at this issue and trying to fix it. I have a question related to testing the changes:

```python
def test_default_bucket_exists_and_has_user_id(self):
    # Fetch the default bucket as the authenticated test principal.
    bucket = self.app.get(self.bucket_url, headers=self.headers)
    result = bucket.json
    settings = self.app.app.registry.settings
    # Recompute the expected id from the BasicAuth HMAC secret and the principal.
    hmac_secret = settings['userid_hmac_secret']
    bucket_id = hmac_digest(hmac_secret, self.principal)[:32]
    self.assertEqual(result['data']['id'], str(UUID(bucket_id)))
    self.assertEqual(result['permissions']['write'], [self.principal])
```

but the method is not being invoked. I don't have too much experience in Python, so I don't know how to invoke the method that needs to be tested for the new behaviour implementation, or maybe I'm missing something. Kind regards
The existing function needs a It also occurs to me that this task might be obsoleted by #1736.

Is this still relevant? If yes, I'd like to try and pick it up.

Yes

@Natim, I would like to pick this up (if it's still available). Could you please explain what needs to be done here, and why?

@Natim is this still available?

Hey guys, I'm new to open source development and would like to contribute to this issue, if it's still open. Thanks.

Hello,

Here https://github.com/Kinto/kinto/blob/master/kinto/plugins/default_bucket/__init__.py#L172
We are using the same secret as the BasicAuth plugin.
We should fall back to the basic auth secret, but we should use another preferred key that doesn't contain secret but salt in its name.
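The derivation the thread describes, as an added example that is not Kinto's own code: a dedicated salt setting is preferred and the BasicAuth `userid_hmac_secret` is only a fallback, so existing deployments keep their bucket ids while new ones stop reusing the identity secret for an identifier. The setting name `default_bucket_hmac_salt`, the settings dicts and the principal are constructed assumptions; `hmac_digest` is modelled on the helper the test snippet above calls.

```python
import hashlib
import hmac
from uuid import UUID

# Constructed settings. 'userid_hmac_secret' is the BasicAuth key named in the
# thread; 'default_bucket_hmac_salt' is an assumed name for the new salt key.
SETTINGS_WITHOUT_SALT = {"userid_hmac_secret": "constructed-basicauth-secret"}
SETTINGS_WITH_SALT = {
    "userid_hmac_secret": "constructed-basicauth-secret",
    "default_bucket_hmac_salt": "constructed-default-bucket-salt",
}


def hmac_digest(secret, message, encoding="utf-8"):
    """HMAC-SHA256 hex digest of message under secret (modelled on kinto's helper)."""
    return hmac.new(secret.encode(encoding), message.encode(encoding),
                    hashlib.sha256).hexdigest()


def legacy_default_bucket_id(settings, principal):
    """Current behaviour: the id is keyed on the BasicAuth identity secret."""
    return str(UUID(hmac_digest(settings["userid_hmac_secret"], principal)[:32]))


def default_bucket_id(settings, principal):
    """Proposed behaviour: prefer a dedicated salt, fall back to the BasicAuth secret.

    The 32 leading hex characters (128 bits) of the digest form the UUID, so the
    id stays opaque but, with a separate salt, no longer depends on the secret
    that authenticates users.
    """
    salt = settings.get("default_bucket_hmac_salt") or settings["userid_hmac_secret"]
    return str(UUID(hmac_digest(salt, principal)[:32]))


def fallback_preserves_existing_ids(principal):
    """Without the new key, ids must match what deployments already have."""
    return (default_bucket_id(SETTINGS_WITHOUT_SALT, principal)
            == legacy_default_bucket_id(SETTINGS_WITHOUT_SALT, principal))


def salt_decouples_ids_from_secret(principal):
    """With a dedicated salt, the id no longer follows from the identity secret."""
    return (default_bucket_id(SETTINGS_WITH_SALT, principal)
            != legacy_default_bucket_id(SETTINGS_WITH_SALT, principal))
```

Running the two check functions against a constructed principal such as `"basicauth:alice"` shows both properties hold, which is what a test for the change in the thread would assert.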