Allow for token revocation with token-based authentication #73
Hello, you can actually set
Ok great thanks, I'll try this out and see how this works. So... shouldn't everyone be concerned about revoking/updating tokens? If you have a user log out or change passwords, you need to revoke the token. Also, if a token is somehow exposed, you need to have it revoked. I would say that any model that doesn't allow for this is quite insecure, wouldn't you agree?
As it is said in that thread there isn't really any relevant information being disclosed. Also ObjectIds are included with every GET response stream anyway, even if you're using a different unique identifier, so ID scanning to guess service success-rate, time-zone usage ranges etc. would still be possible.
I've come up with a possible solution. It is simple enough and puts more control in the hands of the API maintainer. It would break backward compatibility though (something I wouldn't worry much about since we're still in alpha):
This leaves the API maintainer with complete freedom on determining the userid value and, since it's being done at the auth level (where the user record is already being looked at), doesn't force multiple database lookups on the user records. In most implementations the By contrast the current implementation only stores Thoughts?
I think this is a great solution.
… the results of the refactoring performed in pyeve#73. Added new methods to `eve.io.mongo`: `_convert_query_objectids`, `combine_queries`, `get_value_from_query`, and `query_contains_field`.
Hi everyone.
On the account management page (http://python-eve.org/tutorials/account_management.html), under section 6 of "Accounts with Token Authentication", it says to enable user-restricted resource access as follows:
AUTH_USERNAME_FIELD: 'token'
However, this practice means that tokens can never be revoked, or else users will no longer be able to have access to documents associated with their old tokens.
When logging a user out, I'd like to be able to revoke a token and then generate a new token when they log in. I'd also like to update a token when the user changes his/her password.
How about enabling user-restricted resource access with the id field (an immutable field) and then having an incoming token map to a certain id.
AUTH_USERNAME_FIELD: '_id'
Please correct me if there is something I'm missing.
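The following is an added, stand-alone illustration of the approach proposed in this thread (key user-restricted access on the immutable `_id` and resolve the presented token to that id inside the auth layer, so that logout or a password change simply invalidates the token). It is not code from Eve or from anyone in this issue. Only the `check_auth(token, allowed_roles, resource, method)` shape follows Eve's `TokenAuth` hook; Eve's own hook would hand the resolved id to `set_request_auth_value()`, whereas here it is kept on the object so the example runs without Eve installed. The in-memory account store, the sample `_id`, and storing a SHA-256 digest of the token instead of the token itself are assumptions made for this example; the digest goes one step beyond the thread, so that a dump of the accounts collection cannot be replayed as bearer tokens.

```python
"""Revocable bearer tokens that resolve to an immutable account _id (example only)."""
import hashlib
import secrets
from typing import Dict, Optional


class AccountStore:
    """In-memory stand-in for an 'accounts' collection (constructed for this example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}      # _id -> account document
        self.by_token_hash: Dict[str, str] = {}  # sha256(token) -> _id, i.e. the index

    @staticmethod
    def _digest(token: str) -> str:
        # Only a digest is stored, so a leaked collection cannot be replayed as tokens.
        # A dict lookup on the digest is fine timing-wise: at worst it leaks digest
        # bytes, which do not help an attacker recover the token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str, username: str) -> None:
        self.accounts[user_id] = {"_id": user_id, "username": username, "token_hash": None}

    def issue_token(self, user_id: str) -> str:
        """Mint a new token at login or password change; any previous token is dead."""
        self.revoke_token(user_id)
        token = secrets.token_urlsafe(32)
        digest = self._digest(token)
        self.accounts[user_id]["token_hash"] = digest
        self.by_token_hash[digest] = user_id
        return token

    def revoke_token(self, user_id: str) -> None:
        """Logout: forget the digest, so the same token presented later is rejected."""
        old = self.accounts[user_id]["token_hash"]
        if old is not None:
            self.by_token_hash.pop(old, None)
            self.accounts[user_id]["token_hash"] = None

    def resolve_token(self, token: str) -> Optional[str]:
        """Return the _id owning a live token, or None for unknown or revoked tokens."""
        return self.by_token_hash.get(self._digest(token))


class RevocableTokenAuth:
    """Same call shape as Eve's TokenAuth.check_auth(token, allowed_roles, resource, method).
    Eve's hook would call self.set_request_auth_value(_id); here the resolved _id is kept
    in request_auth_value so the example runs without Eve."""

    def __init__(self, store: AccountStore) -> None:
        self.store = store
        self.request_auth_value: Optional[str] = None

    def check_auth(self, token: str, allowed_roles=None, resource=None, method=None) -> bool:
        user_id = self.store.resolve_token(token)
        # Always overwrite, so a revoked token cannot ride on a value left by an earlier request.
        self.request_auth_value = user_id
        if user_id is None:
            return False
        # With AUTH_USERNAME_FIELD = '_id', documents are owned by this value, which
        # survives token rotation; the token itself is never used as the owner key.
        return True


def demo() -> dict:
    """Walk through login, logout and re-login; return the auth decisions observed."""
    store = AccountStore()
    store.create("52d5e2a6f7", "alice")  # constructed sample _id
    auth = RevocableTokenAuth(store)

    first = store.issue_token("52d5e2a6f7")  # login
    result = {"login_ok": auth.check_auth(first), "login_owner": auth.request_auth_value}

    store.revoke_token("52d5e2a6f7")  # logout
    result["revoked_ok"] = auth.check_auth(first)
    result["revoked_owner"] = auth.request_auth_value

    second = store.issue_token("52d5e2a6f7")  # next login, or a password change
    result["old_after_rotate"] = auth.check_auth(first)
    result["new_ok"] = auth.check_auth(second)
    result["new_owner"] = auth.request_auth_value
    result["garbage_ok"] = auth.check_auth("not-a-token")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real Eve deployment the `by_token_hash` dict corresponds to an indexed `find_one({'token_hash': digest})` against the accounts collection, and the store keeps one live token per account; allowing several concurrent sessions would mean a list of digests per account with `revoke_token` removing one entry rather than clearing the field.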