[Catalog-sig] Mandatory Reset of PyPI Passwords

Giovanni Bajo rasky at develer.com
Fri Feb 15 13:14:34 CET 2013


On 15 Feb 2013, at 13:07, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:

> Richard Jones <richard <at> python.org> writes:
> 
>> Please change your passwords 
> 
> I've done this and it seems to have taken, but I noticed something odd. If I
> click on the "Clear Basic Auth" link, then if I type the new password into the
> login box which pops up, it never accepts the password. However, if I dismiss
> that login box, go back to the PyPI home page and click on the "Login" link, the
> login box *does* accept my new password. Could there be different code paths? I
> tried it a couple of times - yesterday, and again today. It could be me being a
> butterfingers, but I was trying to be careful when typing the password.


I think it's a regression of my patch. The workflow is a bit convoluted because logout() now serves the HTTP 401, but the problem is that you're on /logout anyway, so even if you authorize it, it always logs out and enters the loop.

Not sure how to fix it either. Any reason why we can't axe it all and put a standard login form (leaving basic-auth just for non-browser clients)? We already have cookie-based authentication anyway, so it's a matter of just adding the login form. I can contribute it. 
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
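
Added example, not part of the original message and not PyPI's code: a minimal Python model of the loop described above, where a logout URL that always answers HTTP 401 can never accept the credentials typed into the resulting login box, while a separate login URL can. The paths, the `USERS` table, and the function names are assumptions made for illustration.

```python
# Constructed model of the flow described in the message; not PyPI's code.
import base64

USERS = {"alice": "new-password"}  # constructed sample account


def check_basic(headers):
    """Return the user name if the Authorization header holds valid Basic credentials."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return user if USERS.get(user) == password else None


def handle(path, headers):
    """Return (status, response_headers) for one request."""
    challenge = {"WWW-Authenticate": 'Basic realm="example"'}
    if path == "/logout":
        # Logout is implemented by answering 401 so the browser drops its
        # cached credentials. The handler never inspects what was sent,
        # so a correct password typed into the prompt is rejected too.
        return 401, challenge
    if path == "/login":
        return (200, {}) if check_basic(headers) else (401, challenge)
    return 404, {}


def browser_prompt(path, user, password, max_prompts=3):
    """Model a browser: on 401, show the login box and retry the same URL.

    Returns (final_status, number_of_prompts_shown).
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {}
    for prompts in range(max_prompts + 1):
        status, _ = handle(path, headers)
        if status != 401:
            return status, prompts
        headers = {"Authorization": f"Basic {token}"}
    return 401, max_prompts


if __name__ == "__main__":
    print(browser_prompt("/logout", "alice", "new-password"))  # prompt repeats
    print(browser_prompt("/login", "alice", "new-password"))   # accepted
```
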




