This replaces generate_csrf_code and generate_code with just 1 flexible function. And of course the same for verify_csrf_code and verify_code.
Use HMAC, which is what you want to verify integrity and authentication of a code.
No more “valid for between x and y minutes”, exact time-to-live values are baked into the code.
Can include additional data that has to be included in the code and can’t be part of the message. In our case, scope has to be included because the stateless selfauth can’t verify it otherwise.
Please review before merging so we are sure nothing blows up. I have been able to correctly authenticate to Telegraph with this.
This replaces
generate_csrf_codeandgenerate_codewith just 1 flexible function. And of course the same forverify_csrf_codeandverify_code.xandyminutes”, exact time-to-live values are baked into the code.scopehas to be included because the stateless selfauth can’t verify it otherwise.Please review before merging so we are sure nothing blows up. I have been able to correctly authenticate to Telegraph with this.