Replace OpenSSL with urandom (#71)
* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs (#61)

* Add missing closing brace in docs (#51)

* Minor release (#57)

* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs

* Fix SyntaxError in settings example in documentation (#65)

* Develop (#62)

* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs (#61)

* Add missing closing brace in docs (#51)

* Minor release (#57)

* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs

* Fix SyntaxError in settings example in documentation

There seems to be a small syntax error with the settings example where the documentation recommends assigning to a literal string. This commit just removes the quotes to make it a variable name.

* Remove reference re not using urandom from readme (#70)

* Develop (#62)

* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs (#61)

* Add missing closing brace in docs (#51)

* Minor release (#57)

* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs

* Develop (#66)

* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs (#61)

* Add missing closing brace in docs (#51)

* Minor release (#57)

* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs

* Fix SyntaxError in settings example in documentation (#65)

* Develop (#62)

* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs (#61)

* Add missing closing brace in docs (#51)

* Minor release (#57)

* Add missing steps of setup to docs (#48)

* add missing steps of setup to docs

* docs: fix broken numbered list and broken internal link

* Add missing closing brace in docs (#51) (#53)

* Add context to UserSerializer (#56)

* Add missing URL name in docs

* Fix SyntaxError in settings example in documentation

There seems to be a small syntax error with the settings example where the documentation recommends assigning to a literal string. This commit just removes the quotes to make it a variable name.

* Use os.urandom instead of OpenSSL.rand.bytes

Follows suggestion in pyOpenSSL changelog https://github.com/pyca/pyopenssl/blob/1eac0e8f9b3829c5401151fabb3f78453ad772a4/CHANGELOG.rst#backward-incompatible-changes-1

* Remove reference re not using urandom

we now do use urandom as pyOpenSSL itself, see https://pyopenssl.org/en/stable/changelog.html#id9

* Remove reference re not using urandom from docs

* Remove openssl (#72)

* remove all regarding dependency on openssl

* update changelogs and pypi version

* actually still relying on the library elsewhere
belugame authored Sep 21, 2017
1 parent 7d90c8c commit 9b9e36a
Showing 5 changed files with 30 additions and 12 deletions.
17 changes: 17 additions & 0 deletions CHANGELOG.rst
@@ -1,3 +1,20 @@
######
3.0.3
######
- drop using OpenSSL in favor of urandom

######
3.0.2
######
- Add context to UserSerializer
- improve docs

######
3.0.1
######
- improved docs and readme
- login response better supporting hyperlinked fields

######
3.0.0
######
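Review bot: the new 3.0.3 entry "drop using OpenSSL in favor of urandom" overstates the change: the commit message ends with "actually still relying on the library elsewhere", so pyOpenSSL remains a dependency and only token generation moved from OpenSSL.rand.bytes to os.urandom. Narrow the wording so users do not uninstall pyOpenSSL on reading it, e.g. "- generate tokens with os.urandom instead of OpenSSL.rand.bytes (pyOpenSSL is still required)".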
7 changes: 1 addition & 6 deletions README.rst
@@ -14,12 +14,7 @@ extra effort; and to ensure that connections remain secure.
Knox authentication is token based, similar to the
``TokenAuthentication`` built in to DRF. However, it overcomes some
problems present in the default implementation:

- DRF Tokens are generated with ``os.urandom``, which is not
cryptographically secure.

Knox uses OpenSSL to provide tokens.


- DRF tokens are limited to one per user. This does not facilitate
securely signing in from multiple devices, as the token is shared. It
also requires *all* devices to be logged out if a server-side logout
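Review bot: the deleted bullet claimed os.urandom "is not cryptographically secure"; that claim was wrong (os.urandom reads from the operating system's CSPRNG, and the commit message notes pyOpenSSL itself now recommends it), so removing it is correct, but the README now says nothing about how Knox tokens are produced. Replace the deleted line "Knox uses OpenSSL to provide tokens." with a one-liner stating that tokens are generated with ``os.urandom``, and check that only a single blank line is left between the intro sentence and the "- DRF tokens are limited to one per user" bullet.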
11 changes: 11 additions & 0 deletions docs/changes.md
@@ -1,5 +1,16 @@
#Changelog

## 3.0.3
- drop using OpenSSL in favor of urandom

## 3.0.2
- Add context to UserSerializer
- improve docs

## 3.0.1
- improved docs and readme
- login response better supporting hyperlinked fields

## 3.0.0
**Please be aware: updating to this version requires applying a database migration. All clients will need to reauthenticate.**
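Review bot: the context line `#Changelog` has no space after `#`, which CommonMark renderers treat as plain text rather than a heading; while touching this file, change it to `# Changelog`. The 3.0.3 entry should also use the same narrowed wording as CHANGELOG.rst, since the commit message says the project is "still relying on the library elsewhere" and only token generation switched to os.urandom.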

5 changes: 0 additions & 5 deletions docs/index.md
@@ -6,11 +6,6 @@ with little extra effort; and to ensure that connections remain secure.
Knox authentication is token based, similar to the `TokenAuthentication` built
in to DRF. However, it overcomes some problems present in the default implementation:

- DRF Tokens are generated with `os.urandom`, which is not cryptographically
secure.

Knox uses OpenSSL to provide tokens.

- DRF tokens are limited to one per user. This does not facilitate securely
signing in from multiple devices, as the token is shared. It also requires
*all* devices to be logged out if a server-side logout is required (i.e. the
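Review bot: docs/index.md drops the os.urandom bullet and the line "Knox uses OpenSSL to provide tokens." without any replacement, so the docs no longer say what Knox's token source is. Add a sentence after the intro stating that tokens are generated with `os.urandom` (the behaviour this commit introduces) so the comparison with DRF's `TokenAuthentication` remains informative, and keep the wording identical to README.rst so the two files do not drift apart again.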
2 changes: 1 addition & 1 deletion setup.py
@@ -16,7 +16,7 @@
# Versions should comply with PEP440. For a discussion on single-sourcing
# the version across setup.py and the project code, see
# https://packaging.python.org/en/latest/single_source_version.html
version='3.0.0',
version='3.0.3',

description='Authentication for django rest framework',
long_description=long_description,
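Review bot: the version jumps straight from 3.0.0 to 3.0.3 although both changelogs in this commit list 3.0.1 and 3.0.2 releases, so setup.py was not bumped for those; confirm the 3.0.1 and 3.0.2 uploads carried the intended version and consider single-sourcing it as the comment above the line suggests. Since the commit message says the code is "actually still relying on the library elsewhere", also verify that install_requires (not shown in this hunk) still declares pyOpenSSL.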