Skip to content

stateless tokens#32

Merged
chriddyp merged 7 commits intomasterfrom
stateless
Mar 27, 2018
Merged

stateless tokens#32
chriddyp merged 7 commits intomasterfrom
stateless

Conversation

@chriddyp
Copy link
Copy Markdown
Member

@chriddyp chriddyp commented Mar 26, 2018

No description provided.

chriddyp added 5 commits March 26, 2018 17:54
@chriddyp
remove stateful access tokens
3938ac6 
dash that run on multiple workers need to be stateless
@chriddyp
set access tokens with time expiring signatures
366b309 
- secret key is by default the user’s API key. can be over-ridden by
setting `app.server.secret_key` (flask’s convention)
- an access cookie is created with a time-expiring signature. this is
hard to guess without the user’s secret key.
- if an invalid access cookie is provided or if the signature has
expired, we check if the user has access to the file with the plotly
api key and their oauth token (also stored as a cookie).
- if they are granted access, then a new time expiring signature is set
as a cookie
- if access wasn’t granted, the request returns with a 403
@chriddyp
add itsdangerous to required packages
3a28627 
i’m pretty sure that it’s part of flask’s required packages but putting
it in just to be safe
@chriddyp
add server = app.server so that we can test with gunicorn
b993abf 
`gunicorn` usage:
```
gunicorn usage_plotly_auth:server —workers 4
```
@chriddyp
pep 🎱
147e566
@chriddyp
Copy link
Copy Markdown
Member Author

chriddyp commented Mar 26, 2018
edited
Loading

@scjody - Could you review this one?

I reread the PlotlyAuth code today and noticed that the server was mutating access tokens in memory. This means that PlotlyAuth is unreliable in multi-process apps as one worker's access token is different from the next.

This PR simplifies things keeping the auth module immutable. See 366b309 for the new approach.

  • Tested locally with multiple workers
  • Tested on buildly

scjody
scjody requested changes Mar 27, 2018
View reviewed changes
Copy link
Copy Markdown

@scjody scjody left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall! (Nice commit history.)

I'd prefer not to use the user's API key in this way. As a general principle it's equivalent to a Plotly password so the less we use it the better.

In this specific case, the secret key will be the same for all of the apps owned by a given user, so that leads to the possibility of an attacker generating a token with one app (that they're allowed to access) and using it with another (that they aren't).

It looks like you could avoid that risk by adding the app name as a "salt": http://pythonhosted.org/itsdangerous/#the-salt

Suggested longer term alternatives:

  • For local testing, is it possible to read a hidden file from the app directory (and create it if it doesn't exist)? If this file lives in .gitignore the user won't be able to commit it by accident.
  • For On-Prem, we could add a random string in 2.4.0 and make it available via an environment variable.

At this point we're all busy so I'd go ahead with the salt-based approach and log an issue re: the improvements (or just add to the discussion in #10776).

@chriddyp
Copy link
Copy Markdown
Member Author

chriddyp commented Mar 27, 2018

In this specific case, the secret key will be the same for all of the apps owned by a given user, so that leads to the possibility of an attacker generating a token with one app (that they're allowed to access) and using it with another (that they aren't).

Good call 👍

For local testing, is it possible to read a hidden file from the app directory (and create it if it doesn't exist)? If this file lives in .gitignore the user won't be able to commit it by accident.

Yup, this works for most cases. Unfortunately heroku doesn't allow you to write to the filesystem, so it won't work for those users deploying to Heroku. However, they can just manually supply a secret_key using the steps I mentioned in one of the doc strings.

For On-Prem, we could add a random string in 2.4.0 and make it available via an environment variable.

Yeah, great idea. I'll log an issue.

@chriddyp
add salt to TimestampSigner
4578f1a 
this prevents malicious users from using an access token from one dash
app (that they have access to) to access another dash app (that they
shouldn’t have access to)
scjody
scjody approved these changes Mar 27, 2018
View reviewed changes
Copy link
Copy Markdown

@scjody scjody left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💃 after testing

@chriddyp chriddyp merged commit b4afdcc into master Mar 27, 2018
@chriddyp chriddyp deleted the stateless branch March 27, 2018 19:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@scjody scjody scjody approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chriddyp @scjody