If you are wondering where the data of this site comes from, please visit https://api.github.com/users/johnraz/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.

James1345/django-rest-knox 648

Authentication Module for django rest auth

incuna/django-wkhtmltopdf 273

Django Wrapper to the PDF Renderer: wkhtmltopdf

johnraz/decimal2time 1

Convert decimal number to time format

johnraz/django-filer 1

File and Image Management Application for django. NOTICE: update to django-filer 0.8.5 for easy-thumbnails >= 1.0-alpha-17 support.

johnraz/django-tastypie-swagger 1

An adapter to use swagger-ui with django-tastypie

johnraz/bakerydemo 0

Next generation Wagtail demo, born in Reykjavik

johnraz/books 0

Our list of recommended books compiled from show notes, members, and fans of the show!

johnraz/chokidar-socket-emitter 0

a simple chokidar watcher which emits events to all connected socket.io clients

johnraz/cmsplugin-contact 0

Extendable contact plugin for django-cms with spam protection and i18n

johnraz/cmsplugin-footnote 0

A simple plugin allowing to add footnotes in django CMS.

push event plumvillage/plumvillage

Maarten Hunink

commit sha 434661aaf6bebf3dd45fac5e015cfa451ff54928

add registration open label


push time in 3 hours

pull request comment James1345/django-rest-knox

Use six directly in order to work with django 3.x

Are there any updates on this issue?

scarabeusiv

comment created time in 10 hours

fork paulirish/pledgejs

pledge.js shows how much you have been contributing to shared documents

https://pledgejs.appspot.com

fork in 13 hours

started eait-itig/flow-collector

started time in a day

started jart/cosmopolitan

started time in a day

push event plumvillage/plumvillage

Maarten Hunink

commit sha 46e3c219dac83d00e7f75fec8a135f92d0fb55c9

make library video items more beautiful


push time in 2 days

push event plumvillage/plumvillage

Maarten Hunink

commit sha 1fb679545ff67a37fee04894978c6accf218e2fd

hide side menu if only one item


push time in 2 days

push event plumvillage/plumvillage

Maarten Hunink

commit sha 75bcd526e20056324216fc6621e8a99bd4cebe3d

show video on library detail view


push time in 2 days

started Ivan-Feofanov/ws-audio-api

started time in 7 days

started joeyespo/grip

started time in 8 days

started rameshvarun/netplayjs

started time in 8 days

started mafintosh/noise-secret-stream

started time in 8 days

started QVDev/distributed-talker

started time in 9 days

started mganeko/browser_mcu_core

started time in 10 days

started jojobyte/gunsight

started time in 10 days

issue comment James1345/django-rest-knox

token_key isn't needed if salt is gone and hashing function is secure

The digest is the primary key, so it should be indexed in virtually every DB, usually with a clustered index.

jonathan-golorry

comment created time in 11 days

issue comment James1345/django-rest-knox

token_key isn't needed if salt is gone and hashing function is secure

shouldn't matter for denial of service attacks because a DB call is being made either way.

The token is used as database index. If there is no equivalent replacement for the index, your change will cause performance problems.

jonathan-golorry

comment created time in 11 days

push event plumvillage/plumvillage

Maarten Hunink

commit sha 9cccf17cabb7b5eebd51aa60d5f4163bf2b8c901

optional subtitle


push time in 12 days

started QXIP/terraform-homer

started time in 12 days

created repository ojii/aiohttp-session-httpfound-issue

created time in 12 days

PR opened James1345/django-rest-knox

removed token_key from AuthToken

See issue #245

+38 -46

0 comment

5 changed files

pr created time in 15 days

issue comment James1345/django-rest-knox

How to get the auth token?

Is there a way to get this token from the model object

No. Only a prefix and hash (and previously salt) are stored in the db. The whole point is that an attacker will be unable to calculate the token even if they get a copy of the DB.

so that I can use a non-expiring token for my client facing API keys?

You can configure knox for non-expiring tokens.

REST_KNOX = {
    "TOKEN_TTL": None,
}

steverecio

comment created time in 15 days

issue comment James1345/django-rest-knox

Migrating from rest_framework.TokenAuthentication without logging users out

Something like this would work:

from django.db import migrations
from knox import crypto
from knox.settings import CONSTANTS


def convert_tokens(apps, schema_editor):
    Token = apps.get_model("authtoken", "token")
    AuthToken = apps.get_model("knox", "authtoken")
    db_alias = schema_editor.connection.alias

    for token in Token.objects.using(db_alias).all():
        digest = crypto.hash_token(token.key)
        # bypass custom manager
        AuthToken.objects.using(db_alias).bulk_create(
            [
                AuthToken(
                    digest=digest,
                    token_key=token.key[: CONSTANTS.TOKEN_KEY_LENGTH],
                    user_id=token.user_id,
                    expiry=None,  # or whatever logic you want
                )
            ]
        )
        # bypass auto_now_add restriction
        AuthToken.objects.using(db_alias).filter(digest=digest).update(
            created=token.created
        )

    Token.objects.using(db_alias).all().delete()


class Migration(migrations.Migration):

    dependencies = [
        ("knox", "0008_remove_authtoken_salt"),
    ]

    operations = [migrations.RunPython(convert_tokens)]

(keep in mind this is for the latest unreleased version of knox where the salt has been removed from AuthToken)

Remove "rest_framework.authentication.TokenAuthentication" from your views and default authentication, but keep both "rest_framework.authtoken" and "knox" in INSTALLED_APPS until the migration has run everywhere.

oaosman84

comment created time in 15 days

issue opened James1345/django-rest-knox

token_key isn't needed if salt is gone and hashing function is secure

We could remove token_key and directly filter the DB by digest during authentication.

With the salt gone, I think there are only 2 reasons to search the DB by token_key before matching digests.

  1. If there isn't a matching token_key, the webserver avoids calculating the digest.
  2. hmac.compare_digest prevents timing attacks being used to calculate the digest. Timing attacks can calculate the token_key, but not the digest.

1 shouldn't matter for denial of service attacks because a DB call is being made either way. Webservers can scale until the hash is no longer the limiting factor. Or an attacker could find a token_key that exists in the db and start forcing a hash (or potentially multiple, with the current implementation) for each request.

2 shouldn't matter because it would require a near-fully-reversed hashing function just to calculate the tokens needed to continue the timing attack. To calculate the 20th character of the hash, they'd need to calculate 16 different tokens with the same 19-character start to the hash. And once they finally calculated the token's hash, they'd need to reverse that to get a token that could actually be used for authentication.

created time in 15 days
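The two lookup strategies argued over in this issue (filter by the stored token_key prefix and then compare digests in constant time, versus hashing first and looking the digest up directly as the primary key), together with the non-expiring-token configuration from the "How to get the auth token?" comment above, are easier to see side by side in code. The block below is an added, self-contained illustration written for this page; it is not django-rest-knox's own code. It assumes an unsalted SHA-512 from hashlib as a stand-in for knox's configured hash, an 8-character token_key prefix and a 64-hex-character token (knox's defaults at the time of the discussion), and an in-memory dict in place of the database table; names such as TokenStore and authenticate_by_prefix are invented for the example.

```python
"""Added example (not django-rest-knox's own code): an in-memory model of
knox-style token storage.  It shows that only a prefix and a digest are
persisted (so the plaintext cannot be recovered from a DB copy), contrasts
the prefix-filter-then-compare_digest lookup with a direct lookup by digest,
and treats expiry=None as a non-expiring token (REST_KNOX TOKEN_TTL = None).

Assumptions: hashlib.sha512 stands in for knox's configured hash,
TOKEN_KEY_LENGTH = 8 and a 64-hex-char token match knox's defaults.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

TOKEN_KEY_LENGTH = 8               # assumed: knox's default prefix length
AUTH_TOKEN_CHARACTER_LENGTH = 64   # assumed: knox's default token length (hex chars)


def hash_token(token: str) -> str:
    """Unsalted digest of the plaintext token (stand-in for knox.crypto.hash_token)."""
    return hashlib.sha512(token.encode()).hexdigest()


@dataclass
class AuthToken:
    digest: str                  # primary key in the real model
    token_key: str               # first TOKEN_KEY_LENGTH chars of the plaintext
    user_id: int
    expiry: Optional[datetime]   # None => never expires


def _not_expired(rec: AuthToken) -> bool:
    return rec.expiry is None or rec.expiry > datetime.now(timezone.utc)


class TokenStore:
    """Invented stand-in for the AuthToken table, keyed by digest."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, AuthToken] = {}

    def create(self, user_id: int, ttl: Optional[timedelta]) -> str:
        """Return the plaintext exactly once; only prefix and digest are kept."""
        token = secrets.token_hex(AUTH_TOKEN_CHARACTER_LENGTH // 2)
        expiry = None if ttl is None else datetime.now(timezone.utc) + ttl
        digest = hash_token(token)
        self._by_digest[digest] = AuthToken(
            digest=digest, token_key=token[:TOKEN_KEY_LENGTH],
            user_id=user_id, expiry=expiry)
        return token

    def records(self) -> List[AuthToken]:
        return list(self._by_digest.values())

    def authenticate_by_prefix(self, token: str) -> Optional[AuthToken]:
        """Current knox approach: narrow by token_key, then hash and compare
        in constant time.  No digest is computed for an unknown prefix."""
        candidates = [r for r in self._by_digest.values()
                      if r.token_key == token[:TOKEN_KEY_LENGTH]]
        if not candidates:
            return None
        digest = hash_token(token)
        for rec in candidates:
            if hmac.compare_digest(rec.digest, digest) and _not_expired(rec):
                return rec
        return None

    def authenticate_by_digest(self, token: str) -> Optional[AuthToken]:
        """Approach proposed in the issue: always hash, then look the digest
        up as the primary key (one indexed lookup, no token_key column)."""
        rec = self._by_digest.get(hash_token(token))
        return rec if rec is not None and _not_expired(rec) else None


def demo() -> dict:
    """Exercise both lookups on a constructed store and report the outcomes."""
    store = TokenStore()
    permanent = store.create(user_id=1, ttl=None)                 # TOKEN_TTL = None
    expired = store.create(user_id=2, ttl=timedelta(seconds=-1))  # already past expiry
    # same prefix as the real token, last character changed: must fail both ways
    tampered = permanent[:-1] + ("0" if permanent[-1] != "0" else "1")
    return {
        "plaintext_in_store": any(permanent in (r.digest, r.token_key)
                                  for r in store.records()),
        "prefix_user": store.authenticate_by_prefix(permanent).user_id,
        "digest_user": store.authenticate_by_digest(permanent).user_id,
        "tampered_prefix": store.authenticate_by_prefix(tampered) is None,
        "tampered_digest": store.authenticate_by_digest(tampered) is None,
        "expired_rejected": store.authenticate_by_prefix(expired) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The prefix path does the extra `token_key` filter only to avoid hashing for requests whose prefix is not in the table; once the prefix matches it still has to hash and run `hmac.compare_digest` over every candidate. The digest path hashes unconditionally but then needs a single primary-key lookup, which is the trade-off the issue text is weighing.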

started hypercore-protocol/hyperspace-client

started time in 15 days

started fsteff/hyperpubsub

started time in 15 days

started socketio/socket.io-adapter

started time in 15 days

started Log1x/acf-composer

started time in 18 days