Auth, Sessions, Permissions

[jcrubino]

Any clear ideas on how this is best implemented with WebAlch?

[skariel]

let me tell you what is the current situation:

In chronological order-

• the browser receives an almost empty page from the server with instructions to connect to the websocket server.
• when the browser connects to the websocket server for the very first time, it receives a session id
• this session id is stored in a cookie for 3 days (no configuration for this yet)
• when the browser connect for a second time, it tells the webserver it's current session id
• each handler in the server gets a data-structure which belongs to the browser session id.
• these structures are persistent between re-connections of the browser
• in the default version (developers can redefine them) these data-structures are not persisted to disk
• the developer can persist them to disk or wire up mongo or redis, or whatever (I'm not sure how much work it would take)
• the data structures can hold user name, passwords, etc.
• In addition there's a "tab-session" for volatile data like what field is focused in the page.
• The above session is implemented by saving a tab-id into the window object

Other than that there is https, wss which are secure for password transfers,

I suggest to look at what flask did and learn from them...

[skariel]

Just noticed that Tornado already has some support for OAuth, and some default implementatiojns for Google and Facebook:

http://www.tornadoweb.org/en/branch2.0/auth.html

On the downside, it is not yet supported by Python3. So maybe the best steps are to help port it and then integrate into Weba.

[skariel]

Sorry, I was looking at an old version of Tornado (v2.0) in the latest version (v3.2) it does support Python3:

http://www.tornadoweb.org/en/stable/auth.html?highlight=auth#module-tornado.auth

now it also supports out of the box:

Twitter, Friendfeed, (in addition to Goodle and Facebook)

So I guess the best strategy would be to integrate this functionality into weba.

What additional functionality do you think is needed?

[jcrubino]

json webtokens https://github.com/GetBlimp/django-rest-framework-jwt

On Tue, Jan 28, 2014 at 2:15 AM, Ariel Keselman notifications@github.comwrote:

Sorry, I was looking at an old version of Tornado (v2.0) in the latest version (v3.2) it does support Python3:

http://www.tornadoweb.org/en/stable/auth.html?highlight=auth#module-tornado.auth

now it also supports out of the box:

Twitter, Friendfeed, (in addition to Goodle and Facebook)

So I guess the best strategy would be to integrate this functionality into weba.

What additional functionality do you think is needed?

Reply to this email directly or view it on GitHubhttps://github.com/skariel/webalchemy/issues/137#issuecomment-33458564 .