Auth, Sessions, Permissions #137

Open
jcrubino opened this issue Jan 27, 2014 · 4 comments
@jcrubino

Any clear ideas on how this is best implemented with WebAlch?

@skariel
Owner

skariel commented Jan 27, 2014

Let me tell you what the current situation is:

In chronological order:

  • the browser receives an almost empty page from the server with instructions to connect to the websocket server.
  • when the browser connects to the websocket server for the very first time, it receives a session id
  • this session id is stored in a cookie for 3 days (no configuration for this yet)
  • when the browser connects for a second time, it tells the webserver its current session id
  • each handler in the server gets a data-structure which belongs to the browser session id.
  • these structures are persistent between re-connections of the browser
  • in the default version (developers can redefine them) these data-structures are not persisted to disk
  • the developer can persist them to disk or wire up mongo or redis, or whatever (I'm not sure how much work it would take)
  • the data structures can hold user name, passwords, etc.
  • In addition there's a "tab-session" for volatile data like what field is focused in the page.
  • The above session is implemented by saving a tab-id into the window object

Other than that, there are https and wss, which are secure for password transfers.

I suggest looking at what Flask did and learning from them...
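
The session flow described in the comment above, as an added example that is not WebAlch code: the class and method names are hypothetical, and refusing unknown ids and rotating the id after login are assumptions about how such a flow is usually hardened, not behaviour the thread confirms.

```python
import secrets
import time

SESSION_TTL = 3 * 24 * 3600  # the 3-day cookie lifetime mentioned in the comment


class SessionStore:
    """Hypothetical in-memory store: session id -> (expiry, data dict)."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised in tests
        self._sessions = {}

    def _new(self, data):
        # 256 bits from the OS CSPRNG: the id is the only credential the
        # browser presents on reconnect, so it must be unguessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (self._clock() + self._ttl, data)
        return sid

    def connect(self, presented_sid=None):
        """Called when a websocket opens. Returns (session_id, data, resumed)."""
        entry = self._sessions.get(presented_sid) if presented_sid else None
        if entry is not None:
            expiry, data = entry
            if self._clock() < expiry:
                return presented_sid, data, True  # reconnect: same structure
            del self._sessions[presented_sid]  # enforce expiry server-side too
        # First visit, unknown id or expired id: never adopt the value the
        # client sent; always mint a fresh one (guards against fixation).
        data = {}
        return self._new(data), data, False

    def rotate(self, old_sid):
        """Move the data to a new id, e.g. right after a successful login."""
        _, data = self._sessions.pop(old_sid)
        return self._new(data)
```

The id returned by `connect` is what would go into the cookie; over https/wss that cookie should also be set with the `Secure` attribute so it is never sent in clear text.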

@ghost ghost assigned skariel Jan 27, 2014
@skariel
Owner

skariel commented Jan 28, 2014

Just noticed that Tornado already has some support for OAuth, and some default implementations for Google and Facebook:

http://www.tornadoweb.org/en/branch2.0/auth.html

On the downside, it is not yet supported by Python3. So maybe the best steps are to help port it and then integrate into Weba.

@skariel
Owner

skariel commented Jan 28, 2014

Sorry, I was looking at an old version of Tornado (v2.0); in the latest version (v3.2) it does support Python3:

http://www.tornadoweb.org/en/stable/auth.html?highlight=auth#module-tornado.auth

Now it also supports out of the box:

Twitter, Friendfeed (in addition to Google and Facebook)

So I guess the best strategy would be to integrate this functionality into weba.

What additional functionality do you think is needed?

@jcrubino
Author

json webtokens
https://github.com/GetBlimp/django-rest-framework-jwt
