Unify handling of the current user of a request #4803
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ThiefMaster
force-pushed
the
session-user
branch
5 times, most recently
from
8f1da08 to
ed3da3f
Compare
- database: prevent rollbacks - test client: run each request in a separate app context - add `make_test_client` fixture to create new clients
In that case the original exception is likely more relevant so we avoid re-raising the authentication error but rather silently discard the user that failed to authenticate.
ThiefMaster
force-pushed
the
session-user
branch
from
ed3da3f to
3d8d787
Compare
We keep accepting the old links for the dashboard ical feed but no longer generate such URLs.
We do not need to encode the data in the token, a simple signature is actually enough since the user id is prepended to the signature part of the token Also use sha256 instead of sha1 for the HMAC signature. While SHA1 is still fine for HMAC purposes, using a stronger algorithm doesn't have any disadvantages and the tokens are still reasonably short.
Happened if someone had no title
To be removed when cc2cab2 gets reverted (or earlier if we can ditch tokens-in-querystring before the implicit flow itself)
The CSRF checks no longer need to be disabled manually because any oauth-authenticated request is no longer subject to CSRF checks.
We always put a user id in that url, and accessing it without one actually failed with a KeyError
Looks like we don't need it in the end...
The oauth RFCs actually specify statuscodes, so replacing everything with 400 is ugly
ThiefMaster
force-pushed
the
session-user
branch
from
11fd0dc to
bb9eba3
Compare
plourenco
approved these changes
Mar 4, 2021
There was a problem hiding this comment.
Nice, I like the way this is heading 👍
For future reference, we talked about the possibility of keeping the simple assignment session.user = instead of the setter, but that behaviour is only meant to be restored later when session.user is replaced and setting and reading to the exact same thing.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
My approach is to first use the slightly ugly solution where
session.userreturns the current user, and then later (in a separate PR) replacesession.userwith something else.