1. 23 Sep, 2020 1 commit
  2. 21 Sep, 2020 1 commit
  3. 17 Sep, 2020 1 commit
  4. 07 Aug, 2020 10 commits
  5. 15 Nov, 2019 1 commit
  6. 27 Sep, 2019 2 commits
  7. 25 Jun, 2019 1 commit
    • Support alternative to Date header · f90a9c36135c
      Laurent Wouters authored
      The current protocol for signed requests requires the use of the Date HTTP
      header. Although this works fine for clients that have full control over the
      HTTP headers they send, this is not working in the context of a web browser where
      the Date HTTP headers are forbidden to be programmatically set (and therefore
      used in any meaningful way).
      In general, this change enables the specification of a prioritized list of
      alternatives for headers. In particular for the Date header, this change
      specifies the list ['X-Cubicweb-Date', 'Date'] as an alternative to the Date
      header; meaning that when looking for the Date header, one should first look
      at the X-Cubicweb-Date header, and then if not present at the Date header. Doing
      so, it should be possible to emit signed requests from the context of a browser
      by specifying an X-Cubicweb-Date header, overriding the Date header that the
      browser may or may not set by itself.
  8. 06 Mar, 2019 1 commit
  9. 05 Mar, 2019 2 commits
  10. 21 Dec, 2018 2 commits
  11. 18 Dec, 2018 2 commits
  12. 14 Dec, 2018 2 commits
    • Allow requests in the past during 300 seconds · 45e266e4c652
      Philippe Pepiot authored
      We already allow requests in the future for 300 seconds, why not in the past too?
      This avoids an AuthenticationError() when the client lives in the past for a few seconds.
      Requests can now be replayed for 5 minutes in case of MITM but this is
      already the case when the client lives in the future or the server in the past.
      In this particular case I think it's ok to trade a bit of security against a
      lot of reliability.
    • Log authentication failures with logging.ERROR · 9d4d7b1beff0
      Philippe Pepiot authored
      Date issues can occur, we want to log them.
      We usually send logs >= ERROR to Sentry, so using logging.error() here allows
      sending such errors to Sentry.
  13. 11 Jun, 2018 2 commits
  14. 01 Jun, 2018 7 commits
  15. 31 May, 2018 2 commits
  16. 12 Feb, 2018 2 commits
  17. 02 Feb, 2018 1 commit