The blog post was excellent, it made many things clear to me. Thanks for sharing it :)
I just feel uncomfortable with generating a new token using a token. One of the main advantages of using tokens (instead of just authenticating using username/password) is security. A quote from the blog post:
Tokens are usually given out with an expiration time, after which they become invalid and a new token needs to be obtained. The potential damage that can be caused if a token is leaked is much smaller due to their short life span.
In the current implementation, if a token is leaked, the attacker can use it to generate a new token before the leaked token expires, then he/she can repeat the same procedure with the newly generated tokens. This renders a token as powerful as its corresponding username/password pair (except that it needs to be renewed before its expiration period, and I don't think that this would really stop a malicious attacker).
In this pull request, I have used two HTTPBasicAuth() objects, one that authenticates using a username/password pair, and one that authenticates using a token. This way, a view function can expect authentication using either one of the two mechanisms (but not both). So, get_token() only works with credentials, and get_resource() only works with tokens.
P.S. : This also makes the verify_password functions cleaner and more understandable.
Thanks for your time, if I am wrong with anything, feel free to correct me :)
The blog post was excellent, it made many things clear to me. Thanks for sharing it :)
I just feel uncomfortable with generating a new token using a token. One of the main advantages of using tokens (instead of just authenticating using username/password) is security. A quote from the blog post:
In the current implementation, if a token is leaked, the attacker can use it to generate a new token before the leaked token expires, then he/she can repeat the same procedure with the newly generated tokens. This renders a token as powerful as its corresponding username/password pair (except that it needs to be renewed before its expiration period, and I don't think that this would really stop a malicious attacker).
In this pull request, I have used two HTTPBasicAuth() objects, one that authenticates using a username/password pair, and one that authenticates using a token. This way, a view function can expect authentication using either one of the two mechanisms (but not both). So,
get_token()
only works with credentials, andget_resource()
only works with tokens.P.S. : This also makes the verify_password functions cleaner and more understandable.
Thanks for your time, if I am wrong with anything, feel free to correct me :)