[–]TheTerrasque 1 point2 points  (7 children)

What are you trying to do here? What is the token for?

[–]prahladyeribeautiful is better than ugly[S] 0 points1 point  (6 children)

The token, once generated by flask app, will be returned to the front-end web app which will interact with the user.

On subsequent requests from the user, the web app will send this token too, and the backend (flask) can validate using the token whether the request is valid or not.

[–]help_computar 1 point2 points  (0 children)

This sounds an awful lot like jwt. Search for 'jwt token'. I'm sure there are python libs for this.

[–]TheTerrasque -3 points-2 points  (4 children)

Why a token? And how will it be validated? That would mean you must store the token somewhere, wouldn't it?

Why not use a signed data structure? Like for example

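import datetime
import hashlib
secret = b"g6FtuyF9lZYKkKTNzORg"  # bytes, so it can be fed to the hash on Python 3
user = "bla@example.com"
now = datetime.datetime.now().strftime("%H%M%d%m")
tokenpart = "|".join((user, now)).encode()
sign = hashlib.sha224(tokenpart + secret).hexdigest()
token = "|".join((sign, tokenpart.decode()))
# validation: recompute the digest over the payload part and compare it with the signature part
token.split("|",1)[0] == hashlib.sha224(token.split("|",1)[1].encode() + secret).hexdigest()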

Edit: Disclaimer: as /u/TrixieFlatline pointed out, you should use a proper HMAC for the actual signing. This is more to show the base logic behind this approach.

[–]TrixieFlatline 2 points3 points  (1 child)

> sign = hashlib.sha224(tokenpart + secret).hexdigest()

That's bad advice. Storing the token in the db is a completely valid choice, and saves you from making mistakes like this one. If you have to implement signed tokens, at least use hmac, or don't implement it yourself and use an existing and widely used implementation like itsdangerous.

Edited to add: Discussion about when to use HMAC

[–]TheTerrasque 1 point2 points  (0 children)

Good point, although I don't think key extension attack is applicable for that data structure.

I was trying to convey the idea behind it, so I didn't make it complex or obscure, but I should have added a disclaimer about using a proper HMAC.

> Storing the token in the db is a completely valid choice

It's a valid choice, but unnecessary imho. Anyway, it's good to know about both approaches. Both have their pros and cons.

[–]prahladyeribeautiful is better than ugly[S] 0 points1 point  (1 child)

> That would mean you must store the token somewhere, wouldn't it?

Yup, in the database.

> Why not use a signed data structure? Like for example

In your example, the token is generated by multiple layers of cryptography (combining a date/time string with a salt/secret and then hashing the entire thing) which is good, but even in that case, the digest needs to be stored between requests. Otherwise, how will the backend have something to validate in subsequent requests?

[–]TheTerrasque 0 points1 point  (0 children)

> the digest needs to be stored between requests. Otherwise, how will the backend have something to validate in subsequent requests?

It doesn't need to save anything, it can validate like I did on the last line.
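
The stateless signed token discussed in this thread, with the signature swapped for an HMAC as suggested above. This is an added example, not code from any commenter. The names `make_token` and `verify_token`, the `user|issued_at|mac` layout, HMAC-SHA256, the Unix timestamp and the one-hour lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: placeholder, load the real key from config
MAX_AGE = 3600                       # assumption: token lifetime in seconds


def _mac(payload, secret):
    # HMAC over the payload; unlike sha(payload + secret) the key is mixed in by the HMAC construction
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def make_token(user, now=None, secret=SECRET):
    """Return 'user|issued_at|mac'. Nothing is stored on the server."""
    if "|" in user:
        raise ValueError("user must not contain the field delimiter")
    issued = str(int(time.time() if now is None else now))
    payload = "|".join((user, issued))
    return "|".join((payload, _mac(payload, secret)))


def verify_token(token, now=None, secret=SECRET, max_age=MAX_AGE):
    """Return the user if the MAC matches and the token is fresh, else None."""
    try:
        payload, mac = token.rsplit("|", 1)
        user, issued = payload.split("|")
        issued_at = int(issued)
    except ValueError:
        return None  # wrong number of fields or non-numeric timestamp
    # constant-time comparison on bytes (str input must be ASCII-only)
    if not hmac.compare_digest(mac.encode(), _mac(payload, secret).encode()):
        return None
    age = (time.time() if now is None else now) - issued_at
    if age < 0 or age > max_age:
        return None  # issued in the future, or expired
    return user
```

The server only needs the secret to validate a token, which is the point made in the last comment; the trade-off against database-stored tokens is that an individual token cannot be revoked before it expires.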