GithubHelp home page GithubHelp logo

beaker-session-jwt's Introduction

A new signed-cookie implementation for Beaker Sessions

Features

  • so much safer than default Pickle serialization
  • serialize with BSON and compress, so more datatypes supported than JSON (optional)
  • multiple keys, so you can rotate them
  • stronger hash algorithm (SHA256)
  • backwards compatible reads/writes with original pickle-based beaker session cookies
  • JWT for signing (although not much else of JWT is implemented)

Install

pip install 'beaker-session-jwt'

Usage

See beaker docs for general implementation. Specify using this class:

from beaker_session_jwt import JWTCookieSession

app = SessionMiddleware(app, config, session_class=JWTCookieSession)

Additional config options

See Beaker docs for main config options, many of which apply to this class too.

  • jwt_secret_keys required. One or more comma-separated keys
    • generate a key with python -c 'import secrets; print(secrets.token_hex());'
    • multiple signing keys are supported, so you can rotate them. The first one in the list will be used for writing, the rest will be permitted for verifying.
  • bson_compress_jwt_payload default True
    • serializing with BSON and compressing with zlib, to allow for types like datetime, bytes, etc to be stored which JSON cannot store. This is stored all in a single JWT field, so JWT is hardly being used, just for signatures really
  • read_original_format default False
    • set to true to read original beaker signed cookies. Allows for backward compatibility and transition periods
    • after a transition period, make sure to set this back to False
  • original_format_validate_key required if read_original_format
  • original_format_data_serializer
  • original_format_remove_keys optional comma-separated list
    • if your old sessions have values that pickle supported, but don't work any more, list the session keys here. They will be removed but the rest of the session will be preserved.
  • write_original_format default False
    • set to true if you have many servers/processes and need to roll this out gradually. Then later set to False when all processes are ready.

Non-Features

  • no encrypted cookies (could be possible with JWT though)
  • JWT payload/claim fields (iss, sub, exp, etc) are not used or verified. Instead, this uses the fields that a beaker CookieSession has, for maximum backwards compatibility and simplicity.
  • pymongo/bson is always required even with bson_compress_jwt_payload=False

License

Apache License

beaker-session-jwt's People

Contributors

brondsem avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.