From d7df42ae13a2a9bfb73a76ed96997dad88a794a9 Mon Sep 17 00:00:00 2001
From: David Tulloh <git-david@tulloh.id.au>
Date: Tue, 31 May 2016 18:24:05 +0200
Subject: [PATCH] Document the new digest_algo parameter

---
 docs/configuration.rst                   |    3 ++-
 docs/plugins.rst                         |   10 +++++++++-
 docs/examples/standalone_login.py        |    1 +
 docs/examples/standalone_login_no_who.py |    3 ++-
 docs/examples/hybrid/example.py          |    2 +-
 5 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/docs/configuration.rst b/docs/configuration.rst
index 9400191..68cd9f9 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -103,7 +103,7 @@
         return password == hashed
     htpasswd = HTPasswdPlugin(io, cleartext_check)
     basicauth = BasicAuthPlugin('repoze.who')
-    auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
+    auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt', digest_algo="sha512")
     redirector = RedirectorPlugin('/login.html')
     redirector.classifications = {IChallenger:['browser'],} # only for browser
     identifiers = [('auth_tkt', auth_tkt),
@@ -220,6 +220,7 @@
     cookie_name = oatmeal
     secure = False
     include_ip = False
+    digest_algo = sha512
 
     [plugin:basicauth]
     # identification and challenge
diff --git a/docs/examples/hybrid/example.py b/docs/examples/hybrid/example.py
index 720a8ff..4ce4fcf 100644
--- a/docs/examples/hybrid/example.py
+++ b/docs/examples/hybrid/example.py
@@ -183,7 +183,7 @@
 
     ## other plugins
     basicauth = BasicAuthPlugin('repoze.who')
-    auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
+    auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt', digest_algo="sha512")
     redirector = RedirectorPlugin(login_url='/login.html')
     redirector.classifications = {IChallenger:['browser'] } # only for browser
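Review bot: The rewritten `auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt', digest_algo="sha512")` line still carries the literal `'secret'` as the ticket key, and since this line is now the one readers copy when they learn about `digest_algo`, it should say that the digest choice does not compensate for a weak key. A comment such as `# 'secret' is a placeholder: use a long random value (e.g. os.urandom(32)) and keep digest_algo identical on every host that issues or validates these cookies` would cover both points. If this plugin mirrors paste.auth.auth_tkt, the digest is a plain hash over the secret concatenated with the ticket fields rather than an HMAC, so the secret's entropy remains the only thing standing between an attacker and a forged ticket; that part is inferred from the protocol named in the docs, not from these lines.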
 
diff --git a/docs/examples/standalone_login.py b/docs/examples/standalone_login.py
index 37283ff..bfb07fd 100644
--- a/docs/examples/standalone_login.py
+++ b/docs/examples/standalone_login.py
@@ -44,6 +44,7 @@
 cookie_name = auth_cookie
 secure = True
 include_ip = True
+digest_algo = sha512
 
 [general]
 request_classifier = repoze.who.classifiers:default_request_classifier
diff --git a/docs/examples/standalone_login_no_who.py b/docs/examples/standalone_login_no_who.py
index 7d750e9..48defd4 100644
--- a/docs/examples/standalone_login_no_who.py
+++ b/docs/examples/standalone_login_no_who.py
@@ -75,7 +75,8 @@
         if _validate(login_name, password):
             headers = [('Location', came_from)]
             ticket = auth_tkt.AuthTicket(SECRET, login_name, remote_addr,
-                                         cookie_name=COOKIE_NAME, secure=True)
+                                         cookie_name=COOKIE_NAME, secure=True,
+                                         digest_algo="sha512")
             headers = _get_cookies(environ, ticket.cookie_value())
             headers.append(('Location', came_from))
             start_response('302 Found', headers)
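Review bot: The ticket is now issued with `digest_algo="sha512"`, but nothing in this hunk shows the validating side being given the same algorithm; if the parse/verify call elsewhere in this file (the enclosing function starts and ends outside the hunk) still uses the md5 default, every cookie will fail to validate and the user is bounced straight back to the login form. A comment on the new argument, `# must match the digest_algo passed when the ticket is parsed/validated`, would make the coupling visible, and a module-level constant such as `DIGEST_ALGO = "sha512"` used in both places would make it hard to get wrong. Also worth noting here that the algorithm change does not relax the requirements on `SECRET`: it still needs to be long and random regardless of the hash chosen.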
diff --git a/docs/plugins.rst b/docs/plugins.rst
index 21c0b33..2eb7996 100644
--- a/docs/plugins.rst
+++ b/docs/plugins.rst
@@ -69,7 +69,8 @@
 
   An :class:`AuthTktCookiePlugin` is an ``IIdentifier`` and ``IAuthenticator``
   plugin which remembers its identity state in a client-side cookie.
-  This plugin uses the ``paste.auth.auth_tkt``"auth ticket" protocol.
+  This plugin uses the ``paste.auth.auth_tkt``"auth ticket" protocol and
+  is compatible with Apache's mod_auth_tkt.
   It should be instantiated passing a *secret*, which is used to encrypt the
   cookie on the client side and decrypt the cookie on the server side.
   The cookie name used to store the cookie value can be specified
@@ -96,6 +97,13 @@
    ``urllib.urlencode`` function (``urllib.urlparse.urlencode`` in python 3).
    Saving keys/values with unicode characters is supported only under python 3.
 
+.. note::
+   Plugin supports multiple digest algorithms. It defaults to md5 to match
+   the default for mod_auth_tkt and paste.auth.auth_tkt. However md5 is not
+   recommended as there are viable attacks against the hash. Any algorithm
+   from the hashlib library can be specified, currently only sha256 and sha512
+   are supported by mod_auth_tkt.
+
 .. module:: repoze.who.plugins.basicauth
 
 .. class:: BasicAuthPlugin(realm)

--
Gitblit v1.9.3