[Catalog-sig] pythonpackages.com beta security

Alex Clark aclark at aclark.net
Fri Jul 20 04:39:28 CEST 2012


Hi,


Earlier in the year I announced the pythonpackages.com alpha[1] and 
there was some helpful discussion in that thread about security. We are 
now in beta and since then, I've

- totally abandoned the idea of using pypissh[2]
- investigated using PyPI oauth[3], but gave up
- settled on saving users' credentials in an encrypted session cookie[4]

While not ideal, I'm fairly happy with the fact that it works and is 
"secure enough". However I'd very much appreciate some additional eyes 
on the implementation. The (very simple) pyramid code is:


     # Store the submitted PyPI credentials in the Beaker session, which is
     # serialised into the encrypted beaker.session.id cookie.
     if 'submit' in request.POST:
         username = request.POST['username']
         password = request.POST['password']
         cookieval = {'username': username, 'password': password}
         request.session[config.COOKIE_PYPI] = cookieval


And the beta is available to anyone who signs up here: 
http://pythonpackages.com/signup, then signs in with their GitHub 
account. You can then go here:

- https://pythonpackages.com/manage/account/pypi

and fill in your PyPI credentials (or bogus credentials for testing) 
then verify you cannot easily extract the account info from the 
beaker.session.id cookie
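A check of the kind asked for above, added here as an example and not part of the original message or of pythonpackages.com's code: it feeds a cookie value through the decodings an auditor would try first (URL decoding, stripping a leading hex signature, base64, zlib) and reports whether the credentials that were entered come back in clear. The signed and "encrypted" sample cookies are constructed stand-ins, not Beaker's actual cookie layout.

```python
import base64
import hashlib
import hmac
import pickle
import re
import zlib
from urllib.parse import unquote_to_bytes

HEX_SIG = re.compile(rb"^[0-9a-fA-F]{40}")  # leading HMAC-SHA1 hexdigest, as signed cookies often carry


def _one_step(data):
    """Every plausible single decoding of `data` (unchanged or empty results dropped)."""
    out = [unquote_to_bytes(data)]
    if HEX_SIG.match(data):
        out.append(data[40:])
    padded = data + b"=" * (-len(data) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            out.append(decoder(padded))
        except ValueError:  # binascii.Error is a ValueError
            pass
    try:
        out.append(zlib.decompress(data))
    except zlib.error:
        pass
    return [d for d in out if d and d != data]

def decode_layers(cookie_value, depth=3):
    """All byte strings reachable from `cookie_value` by up to `depth` decodings."""
    seen, frontier = {cookie_value}, {cookie_value}
    for _ in range(depth):
        frontier = {v for d in frontier for v in _one_step(d)} - seen
        seen |= frontier
    return seen

def credentials_recoverable(cookie_value, username, password):
    """True if both credentials appear in clear in some decoding of the cookie. False only
    says they are not trivially recoverable; confidentiality still rests on encrypt_key."""
    needles = (username.encode(), password.encode())
    return any(all(n in layer for n in needles)
               for layer in decode_layers(cookie_value.encode()))

# Constructed samples (not real pythonpackages.com cookies).
_payload = base64.b64encode(pickle.dumps({"username": "alice", "password": "hunter2"}, 2))
# Signed but NOT encrypted: the HMAC protects integrity, the payload stays readable.
SIGNED_ONLY = (hmac.new(b"validate-key", _payload, hashlib.sha1).hexdigest().encode() + _payload).decode()
# Stand-in for an encrypted payload: key-derived pseudo-random bytes, base64-encoded.
ENCRYPTED = base64.b64encode(hashlib.sha256(b"constructed ciphertext").digest() * 2).decode()
```

Run it against the real beaker.session.id value with the credentials you entered; a True result means the cookie is only signed, not encrypted.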


Thanks for any feedback,


Alex


[1] http://mail.python.org/pipermail/catalog-sig/2012-January/004152.html

[2] http://pypi.python.org/pypi/pypissh/1.4

[3] https://bitbucket.org/loewis/pypi/changeset/b034fda5bef9

[4] http://beaker.readthedocs.org/en/latest/sessions.html#encryption



-- 
Alex Clark · http://pythonpackages.com/ONE_CLICK_RELEASE
