An identity policy for morepath using itsdangerous.
import morepath
from more.itsdangerous import IdentityPolicy
class App(morepath.App):
pass
@App.identity_policy()
def get_identity_policy():
return IdentityPolicy()
@App.verify_identity()
def verify_identity(identity):
# trust the identity established by the identity policy (we could keep
# checking if the user is really in the database here - or if it was
# removed in the meantime)
return True
See http://morepath.readthedocs.org/en/latest/security.html to learn more about Morepath's security model and and have a look at the commented source code:
https://github.com/morepath/more.itsdangerous/blob/master/more/itsdangerous/identity_policy.py
The IdentityPolicy class is meant to be extended because everyone has differing needs. It simply provides a way to store the identity as a signed cookie, using itsdangerous.
By default, the cookies created by more.itsdangerous are HttpOnly and Secure.
If you have differing needs or if you are running a development server you might have to change the identity policy's configuration:
@App.identity_policy()
def get_identity_policy():
# make the cookies work under http, not just https
return IdentityPolicy(secure=False)
Note that this should only be used in development. In this day and age you do not want to transmit cookies over http!
Install tox and run it:
pip install tox tox
Limit the tests to a specific python version:
tox -e py39
More Itsdangerous follows PEP8 as close as possible. To test for it run:
tox -e pep8
More Itsdangerous uses Semantic Versioning
more.itsdangerous is released under the revised BSD license