
Clean up authentication system
Open, Normal, Public

Description

The current authentication system is a big pile of microwave spaghetti (not to be confused with delicious spaghetti) and should be cleaned up.

  • Stop calling authentication tokens 'id'. For example, currently session['user_id'] is an authentication token, not a user identifier.
  • Stop putting secret information in the session. The aforementioned session['user_id'] is sent as-is to the web browser. This is like sending a password back and forth all the time.
  • Have one module that handles authentication, and one place to store the authentication information once someone is logged in successfully.
  • Either accept an Authorization header or do a CSRF check, but don't do both.
  • Create one way to load the user from the database in the authentication system. Currently a UserClass instance can be created empty with only an authentication token, or filled with information from the database. It's unclear which one is used in which situation.
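The sketch below is an added illustration of the shape the task asks for; it is not code from this project. It assumes a Flask-style signed session cookie (the browser can read it but not forge it), a hypothetical `load_user()` as the single database loader, and tokens that are only ever stored server-side as hashes, so neither the session nor the server store ever carries the secret itself. A request carrying an `Authorization: Bearer` header is authenticated by the token alone; a request relying on the session cookie gets a CSRF check on state-changing methods, and never both.

```python
"""Single authentication module (added example; names and layout are assumptions)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    id: int
    email: str


# Constructed stand-in for the user table.
USERS: Dict[int, User] = {42: User(42, "alice@example.com")}

# Server-side token store: sha256(token) -> user id. The plaintext token is
# never persisted, so a leaked store or session cannot be replayed directly.
_token_hashes: Dict[str, int] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: int) -> str:
    """Mint a random bearer token for user_id and remember only its hash."""
    token = secrets.token_urlsafe(32)
    _token_hashes[_hash_token(token)] = user_id
    return token


def load_user(user_id: int) -> Optional[User]:
    """The one place that turns an id into a User (stands in for a DB query)."""
    return USERS.get(user_id)


@dataclass
class Request:
    """Minimal request stand-in: headers, signed session, form body, method."""
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, object] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def login(session: Dict[str, object], user_id: int) -> None:
    """Put only non-secret data in the session: the real user id and a CSRF nonce."""
    session["user_id"] = user_id
    session["csrf_token"] = secrets.token_urlsafe(16)


def current_user(req: Request) -> Optional[User]:
    """Resolve the caller to a User, or None if not authenticated."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        # Header-based auth: a cross-site form post cannot attach a custom
        # header, so the token alone is sufficient and no CSRF check is done.
        user_id = _token_hashes.get(_hash_token(auth[len("Bearer "):]))
        return load_user(user_id) if user_id is not None else None

    # Cookie-based auth: the session holds the user id (integrity-protected by
    # the cookie signature, but readable), so a CSRF check is required for
    # anything that changes state.
    user_id = req.session.get("user_id")
    if not isinstance(user_id, int):
        return None
    if req.method not in ("GET", "HEAD", "OPTIONS"):
        expected = str(req.session.get("csrf_token", ""))
        supplied = req.form.get("csrf_token", "")
        if not expected or not hmac.compare_digest(expected, supplied):
            return None
    return load_user(user_id)


if __name__ == "__main__":
    token = issue_token(42)
    print(current_user(Request(headers={"Authorization": "Bearer " + token})))
    sess: Dict[str, object] = {}
    login(sess, 42)
    print(current_user(Request(method="POST", session=sess, form={"csrf_token": str(sess["csrf_token"])})))
```

`hmac.compare_digest` keeps the CSRF comparison constant-time, and `load_user` being the only path from an id to a `User` is what makes the "empty UserClass with just a token" case go away: a token is resolved to an id first, and the id is then loaded exactly like a session-based login.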

Details

Type
To Do

Event Timeline

Sybren A. Stüvel (sybren) triaged this task as Normal priority.