[Catalog-sig] pythonpackages.com beta security

Alex Clark aclark at aclark.net
Fri Jul 20 06:37:42 CEST 2012


On 7/20/12 12:20 AM, Richard Jones wrote:
> We implemented OAuth for you and crate.io. Why did you give up?


Perhaps "give up" is not the right description. I postponed until I can 
figure it out, and went with an encrypted session cookie in the 
meantime, hoping it would be safe enough and that users would go for it.


As for oauth, at least in my case, I'm looking for something that can be 
implemented very simply e.g.:


- http://developer.github.com/v3/oauth/


(my implementation is done totally with requests)


IIUC, there are no docs for the PyPI implementation of oauth and it's 
oauth1? (vs oauth2)? If it currently works similar to GitHub's 
implementation, then I should take another look. If it doesn't, then we 
should talk about the details.



Alex




>
>
>      Richard
>
> On 20 July 2012 12:39, Alex Clark <aclark at aclark.net> wrote:
>> Hi,
>>
>>
>> Earlier in the year I announced the pythonpackages.com alpha[1] and there
>> was some helpful discussion in that thread about security. We are now in
>> beta and since then, I've
>>
>> - totally abandoned the idea of using pypissh
>> - investigated using PyPI oauth[3], but gave up
>> - settled on saving users' credentials in an encrypted session cookie[4]
>>
>> While not ideal, I'm fairly happy with the fact that it works and is "secure
>> enough". However I'd very much appreciate some additional eyes on the
>> implementation. The (very simple) pyramid code is:
>>
>>
>>      if 'submit' in request.POST:
>>          username = request.POST['username']
>>          password = request.POST['password']
>>          cookieval = {'username': username, 'password': password}
>>          request.session[config.COOKIE_PYPI] = cookieval
>>
>>
>> And the beta is available to anyone who signs up here:
>> http://pythonpackages.com/signup, then signs in with their GitHub account.
>> You can then go here:
>>
>> - https://pythonpackages.com/manage/account/pypi
>>
>> and fill in your PyPI credentials (or bogus credentials for testing) then
>> verify you cannot easily extract the account info from the beaker.session.id
>> cookie.
>>
>>
>> Thanks for any feedback,
>>
>>
>> Alex
>>
>>
>> [1] http://mail.python.org/pipermail/catalog-sig/2012-January/004152.html
>>
>> [2] http://pypi.python.org/pypi/pypissh/1.4
>>
>> [3] https://bitbucket.org/loewis/pypi/changeset/b034fda5bef9
>>
>> [4] http://beaker.readthedocs.org/en/latest/sessions.html#encryption
>>
>>
>>
>> --
>> Alex Clark · http://pythonpackages.com/ONE_CLICK_RELEASE
>>
>> _______________________________________________
>> Catalog-SIG mailing list
>> Catalog-SIG at python.org
>> http://mail.python.org/mailman/listinfo/catalog-sig
>>


-- 
Alex Clark · http://pythonpackages.com/ONE_CLICK_RELEASE
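The check the original post asks reviewers to make, that the session cookie does not give up the stored account info, can be scripted. The following is an added example, not code from Alex's site or from Beaker: it peels the decoding layers a reviewer would try (leading hex HMAC-SHA1, base64, zlib) and reports under which path a known credential appears literally. The cookie layout is a constructed stand-in modelled on Beaker's signed cookie (hex HMAC followed by base64 of a pickled dict); OPAQUE stands in for the encrypted case, and every secret and credential value is constructed.

```python
import base64
import hashlib
import hmac
import pickle
import re
import zlib

# Beaker's SignedCookie prepends a hex HMAC-SHA1 (40 chars) to the value.
_HEX_SIG = re.compile(rb"^[0-9a-f]{40}(?=\S)")


def _strip_sig(data: bytes) -> bytes:
    if not _HEX_SIG.match(data):
        raise ValueError("no leading hex signature")
    return data[40:]


def _b64(data: bytes) -> bytes:
    return base64.b64decode(data + b"=" * (-len(data) % 4), validate=True)


# Layers a reviewer peels off an opaque-looking cookie; each raises if it does not apply.
DECODERS = {"strip_sig": _strip_sig, "base64": _b64, "zlib": zlib.decompress}


def find_credential_leaks(cookie: str, secrets, max_depth: int = 4):
    """Return decoding paths (e.g. 'plain/strip_sig/base64') under which a
    secret appears literally; an empty list means none was recoverable."""
    needles = [s.encode() for s in secrets]
    leaks, frontier = [], [("plain", cookie.encode())]
    for _ in range(max_depth + 1):
        nxt = []
        for path, data in frontier:
            if any(n in data for n in needles):
                leaks.append(path)
            for name, decode in DECODERS.items():
                try:
                    nxt.append((f"{path}/{name}", decode(data)))
                except (ValueError, zlib.error):
                    pass  # this layer does not apply to these bytes
        frontier = nxt
    return leaks


def signed_cookie(payload: bytes, secret: bytes) -> str:
    """Constructed stand-in for a signed, unencrypted cookie: hex HMAC + base64."""
    body = base64.b64encode(payload)
    return hmac.new(secret, body, hashlib.sha1).hexdigest() + body.decode()


CREDS = {"username": "alice", "password": "hunter2"}  # constructed test values
UNENCRYPTED = signed_cookie(pickle.dumps(CREDS), b"k")  # pickled dict sits behind base64
OPAQUE = signed_cookie(hashlib.sha256(b"constructed").digest() * 3, b"k")  # stands in for ciphertext
```

Passing this check only shows the cookie contents are not trivially decodable; whoever holds the cookie can still present it, and the server still recovers the plaintext password on each request, so the check is necessary rather than sufficient.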


