pallets-eco / flask-jwt

JWT (JSON Web Tokens) for Flask applications
MIT License

JWT Improvements #51

Closed mattupstate closed 9 years ago

mattupstate commented 9 years ago

Please note that I've removed the notion of a user and went with the notion of identity because JWTs are not necessarily always for the common concept of a user, that being API interactions initiated by human interaction.

hairychris commented 9 years ago

PyJWT looks like a sensible choice, much more actively maintained and they responded to the choosing your own algorithm security issue quickly back in March. We just need to make sure to whitelist algorithms to avoid any issues.

Changing user to identity is a good change too, more flexible.

I'll be using this over the weekend so will add anything else as it comes up.
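The algorithm allow-listing mentioned in the comment above, as an added example that is not part of the thread and is not flask-jwt or PyJWT code: a standard-library HMAC verifier that checks the token's `alg` header against a server-side allow-list before any signature check. All function names are hypothetical, and the key and tokens are constructed sample values.

```python
import base64, hashlib, hmac, json

# Assumption: HMAC-only toy verifier; names are illustrative, not flask-jwt or PyJWT API.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
ALLOWED_ALGS = frozenset({"HS256"})  # assumption: the service only issues HS256 tokens

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: dict, payload: dict, key: bytes) -> str:
    """Build a constructed sample token; unknown algs (e.g. "none") get an empty signature."""
    signing_input = ".".join(b64url(json.dumps(part).encode()) for part in (header, payload))
    digest = HMAC_ALGS.get(header.get("alg"))
    sig = hmac.new(key, signing_input.encode(), digest).digest() if digest else b""
    return f"{signing_input}.{b64url(sig)}"

def verify(token: str, key: bytes, allowed=ALLOWED_ALGS) -> dict:
    """Return the payload of a valid token, or raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # The header comes from the token itself, so it may only select among
    # algorithms the server has already decided to accept.
    if not isinstance(alg, str) or alg not in allowed or alg not in HMAC_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))

def check(token: str, key: bytes, allowed=ALLOWED_ALGS) -> str:
    """Demonstration helper: report the outcome as a string."""
    try:
        verify(token, key, allowed)
        return "accepted"
    except ValueError as exc:
        return str(exc)
```

With PyJWT, the same restriction is expressed by passing an explicit list to the `algorithms` argument of `jwt.decode`.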

f0t0n commented 9 years ago

So since it's not just a matter of refactoring but also a security measure (PyJWT vs itsdangerous), could we speed up the new version release based on the current PR?

Xk0nSid commented 9 years ago

@mattupstate When is this update to be merged with master? I'm planning to use this in a project. Would prefer PyJWT version instead of itsdangerous version.

mattupstate commented 9 years ago

I'll do my best to address this, but I can't make a promise as to when because I'm getting married next week. So hopefully you can imagine how busy I've been recently.

Xk0nSid commented 9 years ago

@mattupstate First of all congratulations and no worries, I can still work with the itsdangerous version.