
Clean up authentication system
Open, Normal, Public


The current authentication system is a big pile of microwave spaghetti (not to be confused with delicious spaghetti) and should be cleaned up.

  • Stop calling authentication tokens 'id'. For example, currently session['user_id'] is an authentication token.
  • Stop putting secret information in the session. The aforementioned session['user_id'] is sent as-is to the web browser. This is like sending a password back and forth all the time.
  • Have one module that handles authentication, and one place to store the authentication information once someone is logged in successfully.
  • Either accept an Authorization header or do a CSRF check, but don't do both.
  • Create one way to load the user from the database in the authentication system. Currently a UserClass instance can be created empty with only an authentication token, or filled with information from the database. It's unclear which one is used in which situation.
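
The shape of module the list above asks for, as an added example (not code from this project): one place that records a login, one function that loads a user from the database, and one entry point that authenticates a request either by Authorization header or by session plus CSRF check, never both. All names (`User`, `USERS`, `API_TOKENS`, `login`, `load_user`, `authenticate`) are hypothetical and the user table and tokens are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: str
    name: str

# Constructed stand-ins for the user table and for API tokens issued to users.
USERS = {"u42": User("u42", "alice")}
API_TOKENS = {"tok-alice-secret": "u42"}

# Server-side session store: opaque random session id -> (user_id, csrf_token).
# The browser only ever holds the session id, never the user id or any token,
# so nothing secret travels back and forth in the cookie.
_SESSIONS: dict = {}

def login(user_id: str) -> dict:
    """Record a successful login; return the only data the client may hold."""
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    _SESSIONS[sid] = (user_id, csrf)
    return {"session_id": sid, "csrf_token": csrf}

def load_user(user_id: str) -> Optional[User]:
    """The one way to turn a user id into a User loaded from the (stand-in) database."""
    return USERS.get(user_id)

def authenticate(headers: dict, session: dict, method: str = "GET",
                 csrf_from_form: Optional[str] = None) -> Optional[User]:
    """Authorization header XOR session+CSRF: a request gets exactly one check."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        # A browser cannot be tricked into attaching this header cross-site,
        # so token callers skip the CSRF check; a bad token is rejected outright.
        user_id = API_TOKENS.get(auth[len("Bearer "):])
        return load_user(user_id) if user_id else None
    entry = _SESSIONS.get(session.get("session_id", ""))
    if entry is None:
        return None
    user_id, csrf = entry
    if method not in ("GET", "HEAD", "OPTIONS"):
        # Cookie-authenticated state change: require the per-session CSRF token.
        if csrf_from_form is None or not hmac.compare_digest(csrf, csrf_from_form):
            return None
    return load_user(user_id)
```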


To Do

Event Timeline

Sybren A. Stüvel (sybren) lowered the priority of this task from Needs Triage by Developer to Normal. Aug 31 2018, 2:52 PM
Sybren A. Stüvel (sybren) created this task.