miguelgrinberg / flasky

Companion code to my O'Reilly book "Flask Web Development", second edition.
MIT License

TimedJSONWebSignatureSerializer deprecated #528

Closed dunkmann00 closed 2 years ago

dunkmann00 commented 2 years ago

I first just want to say thanks for providing such an awesome repo and book to learn how to design and build web apps in Flask. Super useful and easy to understand.

I was recently working on a project and realized that TimedJSONWebSignatureSerializer is now deprecated in itsdangerous. I was just wondering what you would suggest switching to in order to send signed timed tokens?

Thanks @miguelgrinberg!

miguelgrinberg commented 2 years ago

How about a JWT?

dunkmann00 commented 2 years ago

I was thinking of this, I just liked that itsdangerous seemed to be a very simple implementation. Some of the JWT libraries (like authlib) seem to be overkill for just signing the token and adding an expiration. Especially when it's a small project and I'm not worried about adhering to the JWT spec completely.

What are your thoughts on URLSafeTimedSerializer? It seems that would be similar, with one difference being instead of setting the expiration when encoding the token, it would be determined when decoding the token. But I think that would still work well if used in situations like you use it in Flasky.

miguelgrinberg commented 2 years ago

The pyjwt package is as simple as itsdangerous.

I would probably not implement the expiration myself, as that sets a bad example. Normally you'd want security features to be community reviewed. Telling people that they can implement security on their own is not a message I'd like to share, as that can be the source of bugs and possible exploits.

dunkmann00 commented 2 years ago

pyjwt does look just as simple, thanks for pointing me in that direction!

And I agree. I may have been misleading in what I wrote. In URLSafeTimedSerializer the loads function takes a max_age parameter that handles the expiration. I checked and this is the Serializer that Flask uses to sign the session cookie.

I think this gives me a better idea of how to proceed. Thanks for the help!
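Both replacements discussed in this thread side by side, as an added example that is not flasky's own code: pyjwt with the expiry carried in the token's `exp` claim (the route suggested above), and itsdangerous' `URLSafeTimedSerializer`, where the token carries only an issue timestamp and the verifier sets the allowed age through `max_age` at load time. It assumes `pip install pyjwt itsdangerous`; `SECRET_KEY`, the `email-confirm` salt, the user ids and the attacker-style inputs (an `alg=none` token and a token with a corrupted signature) are constructed for the demo.

```python
"""Added example (not flasky's code): issue and verify an expiring, signed
confirmation token now that itsdangerous has dropped
TimedJSONWebSignatureSerializer.  Assumes `pip install pyjwt itsdangerous`;
SECRET_KEY, the salt and the user ids are constructed placeholders."""
import base64
import json
import time

import jwt  # the pyjwt package
from itsdangerous import BadSignature, SignatureExpired, URLSafeTimedSerializer

# Placeholder for the demo only; a Flask app would read app.config["SECRET_KEY"].
SECRET_KEY = "constructed-example-secret-do-not-use-in-production"
ALLOWED_ALGORITHMS = ["HS256"]  # pinned by the verifier; the token never gets to choose


# Option 1: JWT.  The expiry travels inside the token as the `exp` claim, the
# same model TimedJSONWebSignatureSerializer used.
def generate_jwt_token(user_id, expiration=3600, now=None):
    """Sign {'confirm': user_id} with an expiry `expiration` seconds after `now`."""
    now = int(time.time()) if now is None else int(now)
    payload = {"confirm": user_id, "iat": now, "exp": now + expiration}
    token = jwt.encode(payload, SECRET_KEY, algorithm="HS256")
    return token.decode("utf-8") if isinstance(token, bytes) else token  # pyjwt 1.x returned bytes


def confirm_jwt_token(token, user_id, leeway=10):
    """True only for a well-formed, HS256-signed, unexpired token for this user."""
    try:
        data = jwt.decode(token, SECRET_KEY, algorithms=ALLOWED_ALGORITHMS, leeway=leeway)
    except jwt.ExpiredSignatureError:
        return False
    except jwt.InvalidTokenError:  # bad signature, disallowed alg, malformed token, ...
        return False
    return data.get("confirm") == user_id


# Option 2: itsdangerous URLSafeTimedSerializer, the serializer Flask signs the
# session cookie with.  The token carries only an issue timestamp; the verifier
# decides the allowed age through `max_age` when loading it.
_serializer = URLSafeTimedSerializer(SECRET_KEY, salt="email-confirm")  # salt isolates token purposes


def generate_timed_token(user_id):
    """Sign and timestamp {'confirm': user_id}; no expiry is stored in the token."""
    return _serializer.dumps({"confirm": user_id})


def confirm_timed_token(token, user_id, max_age=3600):
    """True only for a token signed with this key+salt, at most max_age seconds old, for this user."""
    try:
        data = _serializer.loads(token, max_age=max_age)
    except SignatureExpired:  # subclass of BadSignature, so it must be caught first
        return False
    except BadSignature:
        return False
    return data.get("confirm") == user_id


# Constructed attacker-style inputs, used to show what the verifiers reject.
def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unsigned_none_token(payload):
    """A hand-built JWT with alg=none and an empty signature segment."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."


def corrupt_signature(token):
    """Change the first character of the token's final (signature) segment."""
    head, sig = token.rsplit(".", 1)
    return f"{head}.{'B' if sig[0] != 'B' else 'C'}{sig[1:]}"


if __name__ == "__main__":
    uid = 7
    print("jwt valid:", confirm_jwt_token(generate_jwt_token(uid), uid))  # True
    print("jwt expired:", confirm_jwt_token(generate_jwt_token(uid, expiration=-7200), uid))  # False
    print("jwt alg=none:", confirm_jwt_token(unsigned_none_token({"confirm": uid}), uid))  # False
    print("itsdangerous valid:", confirm_timed_token(generate_timed_token(uid), uid))  # True
    print("itsdangerous tampered:", confirm_timed_token(corrupt_signature(generate_timed_token(uid)), uid))  # False
```

Two points worth keeping whichever option is used: always pass an explicit `algorithms=[...]` list to `jwt.decode`, so a token that names `none` or a different algorithm in its header is rejected before any claim is read; and give each token purpose its own salt (itsdangerous) or its own claim set (JWT) so a password-reset token cannot be replayed as an e-mail confirmation.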

realJustinLee commented 2 years ago

I've posted a question on Stack Overflow which might help: https://stackoverflow.com/questions/71292764/which-timed-jsonwebsignature-serializer-replacement-for-itsdangerous-is-better

Berthran commented 1 month ago

Thanks for the insights shared. It has helped me too.