Auth, Sessions, Permissions
Any clear ideas on how this is best implemented with WebAlch?
Let me tell you what the current situation is.
In chronological order:
- the browser receives an almost empty page from the server with instructions to connect to the websocket server.
- when the browser connects to the websocket server for the very first time, it receives a session id
- this session id is stored in a cookie for 3 days (no configuration for this yet)
- when the browser connects for a second time, it tells the webserver its current session id
- each handler in the server gets a data-structure which belongs to the browser session id.
- these structures are persistent between re-connections of the browser
- in the default version (developers can redefine them) these data-structures are not persisted to disk
- the developer can persist them to disk or wire up mongo or redis, or whatever (I'm not sure how much work it would take)
- the data structures can hold user name, passwords, etc.
- In addition there's a "tab-session" for volatile data like what field is focused in the page.
- The above session is implemented by saving a tab-id into the window object
Other than that, there are https and wss, which are secure for password transfers.
I suggest to look at what flask did and learn from them...
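The session flow listed in the comment above, sketched as an added example (not WebAlch's own code and not part of the original thread). The names `SessionStore`, `connect` and `rotate` are hypothetical; the 3-day lifetime is taken from the comment, and the store is in-memory only, like the default described there.

```python
import secrets
import time

SESSION_TTL = 3 * 24 * 60 * 60  # 3 days, the cookie lifetime mentioned above


class SessionStore:
    """Hypothetical in-memory map: session id -> per-browser data structure."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # sid -> (expires_at, data dict)

    def _issue(self, data):
        # The id is always generated server-side from a CSPRNG.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (self._clock() + self._ttl, data)
        return sid

    def connect(self, presented_sid=None):
        """Handle a websocket connect. Returns (sid, data, is_new).

        A presented id is honoured only if this server issued it and it has
        not expired. An unknown id is never adopted, so a client cannot pin
        a session to a value of its own choosing (session fixation).
        """
        entry = self._sessions.get(presented_sid) if presented_sid else None
        if entry is not None:
            expires_at, data = entry
            if self._clock() < expires_at:
                return presented_sid, data, False
            del self._sessions[presented_sid]  # expired: drop server state too
        data = {}
        return self._issue(data), data, True

    def rotate(self, sid):
        """Move the data to a fresh id, e.g. right after a successful login.

        The old id stops working immediately. Raises KeyError if sid is unknown.
        """
        _, data = self._sessions.pop(sid)
        return self._issue(data)
```

Expiry is enforced on the server as well as by the cookie lifetime, so a copied cookie value stops working after three days even if the browser never deletes it.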
Just noticed that Tornado already has some support for OAuth, and some default implementations for Google and Facebook:
http://www.tornadoweb.org/en/branch2.0/auth.html
On the downside, it is not yet supported by Python3. So maybe the best steps are to help port it and then integrate into Weba.
Sorry, I was looking at an old version of Tornado (v2.0); in the latest version (v3.2) it does support Python3:
http://www.tornadoweb.org/en/stable/auth.html?highlight=auth#module-tornado.auth
Now it also supports out of the box:
Twitter, Friendfeed (in addition to Google and Facebook)
So I guess the best strategy would be to integrate this functionality into weba.
What additional functionality do you think is needed?
json webtokens
https://github.com/GetBlimp/django-rest-framework-jwt
On Tue, Jan 28, 2014 at 2:15 AM, Ariel Keselman notifications@github.com wrote:
> Sorry, I was looking at an old version of Tornado (v2.0); in the latest version (v3.2) it does support Python3:
> http://www.tornadoweb.org/en/stable/auth.html?highlight=auth#module-tornado.auth
> Now it also supports out of the box:
> Twitter, Friendfeed (in addition to Google and Facebook)
> So I guess the best strategy would be to integrate this functionality into weba.
> What additional functionality do you think is needed?