From 9b9e36a65fd1e77e8a4afa187f856946f88cc4a4 Mon Sep 17 00:00:00 2001 
From: belugame
Date: Thu, 21 Sep 2017 17:17:31 +0200
Subject: [PATCH] Replace OpenSSL with urandom (#71)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs (#61)
* Add missing closing brace in docs (#51)
* Minor release (#57)
* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs
* Fix SyntaxError in settings example in documentation (#65)
* Develop (#62)
* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs (#61)
* Add missing closing brace in docs (#51)
* Minor release (#57)
* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs
* Fix SyntaxError in settings example in documentation

There seems to be a small syntax error with the settings example where the documentation recommends assigning to a literal string. This commit just removes the quotes to make it a variable name.

* Remove reference re not using urandom from readme (#70)
* Develop (#62)
* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs (#61)
* Add missing closing brace in docs (#51)
* Minor release (#57)
* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs
* Develop (#66)
* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs (#61)
* Add missing closing brace in docs (#51)
* Minor release (#57)
* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs
* Fix SyntaxError in settings example in documentation (#65)
* Develop (#62)
* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs (#61)
* Add missing closing brace in docs (#51)
* Minor release (#57)
* Add missing steps of setup to docs (#48)
* add missing steps of setup to docs
* docs: fix broken numbered list and broken internal link
* Add missing closing brace in docs (#51) (#53)
* Add context to UserSerializer (#56)
* Add missing URL name in docs
* Fix SyntaxError in settings example in documentation

There seems to be a small syntax
error with the settings example where the documentation recommends assigning to a literal string. This commit just removes the quotes to make it a variable name. * Use os.urandom instead of OpenSSL.rand.bytes Follows suggestion in pyOpenSSL changelog https://github.com/pyca/pyopenssl/blob/1eac0e8f9b3829c5401151fabb3f78453ad772a4/CHANGELOG.rst#backward-incompatible-changes-1 * Remove reference re not using urandom we now do use urandom as pyOpenSSL itself, see https://pyopenssl.org/en/stable/changelog.html#id9 * Remove reference re not using urandom from docs * Remove openssl (#72) * remove all regarding dependancy on openssl * update changelogs and pypi version * actually still relying on the library elsewhere --- CHANGELOG.rst | 17 +++++++++++++++++ README.rst | 7 +------ docs/changes.md | 11 +++++++++++ docs/index.md | 5 ----- setup.py | 2 +- 5 files changed, 30 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 36836165..5be1fcb7 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,3 +1,20 @@ +###### +3.0.3 +###### +- drop using OpenSSL in favor of urandom + +###### +3.0.2 +###### +- Add context to UserSerializer +- improve docs + +###### +3.0.1 +###### +- improved docs and readme +- login response better supporting hyperlinked fields + ###### 3.0.0 ###### diff --git a/README.rst b/README.rst index c083a643..4ec83af3 100644 --- a/README.rst +++ b/README.rst 
@@ -14,12 +14,7 @@ extra effort; and to ensure that connections remain secure. Knox authentication is token based, similar to the ``TokenAuthentication`` built in to DRF. However, it overcomes some problems present in the default implementation: - -- DRF Tokens are generated with ``os.urandom``, which is not - cryptographically secure. - - Knox uses OpenSSL to provide tokens. - + - DRF tokens are limited to one per user. This does not facilitate securely signing in from multiple devices, as the token is shared. It also requires *all* devices to be logged out if a server-side logout diff --git a/docs/changes.md b/docs/changes.md index f9da74b0..cbcee3bf 100644 --- a/docs/changes.md +++ b/docs/changes.md @@ -1,5 +1,16 @@ #Changelog +## 3.0.3 +- drop using OpenSSL in favor of urandom + +## 3.0.2 +- Add context to UserSerializer +- improve docs + +## 3.0.1 +- improved docs and readme +- login response better supporting hyperlinked fields + ## 3.0.0 **Please be aware: updating to this version requires applying a database migration. All clients will need to reauthenticate.** diff --git a/docs/index.md b/docs/index.md index 7e4ee4f8..124d25bb 100644 --- a/docs/index.md +++ b/docs/index.md @@ -6,11 +6,6 @@ with little extra effort; and to ensure that connections remain secure. Knox authentication is token based, similar to the `TokenAuthentication` built in to DRF. However, it overcomes some problems present in the default implementation: -- DRF Tokens are generated with `os.urandom`, which is not cryptographically - secure. - - Knox uses OpenSSL to provide tokens. - - DRF tokens are limited to one per user. This does not facilitate securely signing in from multiple devices, as the token is shared. It also requires *all* devices to be logged out if a server-side logout is required (i.e. the diff --git a/setup.py b/setup.py index da678486..8795a62a 100644 --- a/setup.py +++ b/setup.py 
@@ -16,7 +16,7 @@ # Versions should comply with PEP440. For a discussion on single-sourcing # the version across setup.py and the project code, see # https://packaging.python.org/en/latest/single_source_version.html - version='3.0.0', + version='3.0.3', description='Authentication for django rest framework', long_description=long_description,
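Review bot: In the CHANGELOG.rst hunk, the 3.0.3 entry "drop using OpenSSL in favor of urandom" reads as if the pyOpenSSL dependency is gone, but the commit message ends with "actually still relying on the library elsewhere" and the setup.py hunk only bumps the version. Reword the entry to say what actually changed, along the lines of "- generate tokens with os.urandom instead of OpenSSL.rand.bytes (pyOpenSSL remains a dependency)", and state whether tokens issued by earlier versions stay valid. The 3.0.1 and 3.0.2 sections are backfilled in this same commit; make sure their contents match what was actually published under those version numbers.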
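Review bot: The README.rst hunk only deletes the bullet that called os.urandom "not cryptographically secure", so the README now says nothing about how Knox generates tokens, and "it overcomes some problems present in the default implementation:" leads straight into the one-token-per-user bullet. The deletion itself is correct: os.urandom reads from the operating system's CSPRNG, which is exactly why the pyOpenSSL changelog linked in the commit message points users to it. Consider replacing the removed text with one line stating that Knox draws its token bytes from os.urandom, so the comparison with DRF's built-in tokens keeps its point.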
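Review bot: The docs/changes.md hunk duplicates the CHANGELOG.rst entries by hand, so the same wording concern applies: "drop using OpenSSL in favor of urandom" overstates the change while the library is still required elsewhere. Since both files are edited in lockstep here, consider keeping one as the source and including it from the other, or at least carry the corrected 3.0.3 wording into both. The pre-existing context line "#Changelog" has no space after "#"; CommonMark renderers will not treat it as a heading (Python-Markdown is more lenient), so it is worth fixing while this file is being touched.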
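Review bot: The docs/index.md hunk is the same deletion as the README.rst one and leaves the same gap: the docs landing page now makes no statement about how tokens are generated. Apply whatever replacement line goes into README.rst here as well, so README.rst and docs/index.md do not drift apart.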
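Review bot: The setup.py hunk only changes version from '3.0.0' to '3.0.3'; install_requires is untouched, although the commit message lists "remove all regarding dependancy on openssl" followed by "actually still relying on the library elsewhere". Confirm that keeping the OpenSSL dependency is intentional and that every remaining use of it is covered by install_requires, and put that outcome in the changelog entry rather than "drop using OpenSSL". The version also jumps from 3.0.0 straight to 3.0.3 while 3.0.1 and 3.0.2 first appear in the changelog hunks of this same patch; check that those two versions were actually released with matching setup.py values, otherwise the changelog numbering is misleading.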