This module provides one-time keys. Such a security key can only be used once to authenticate an action such as editing an entry. Unless specified otherwise, keys are bound to a session. This prevents such actions from being executed without explicit user consent: an attacker can’t send specially crafted links (like /user/delete/xxx) to an authenticated user, because these links would lack a valid securityKey.

It’s also possible to store data along with a securityKey and specify a lifeTime.

Module Contents


create(duration: Union[(None, int)] = None, **kwargs)

Creates a new onetime Securitykey for the current session

validate(key: str, useSessionKey: bool) → Union[(bool, db.Entity)]

Validates a onetime securitykey


Removes old (expired) skeys

doClearSKeys(timeStamp, cursor)

core.securitykey.securityKeyKindName = viur-securitykeys
core.securitykey.create(duration: Union[None, int] = None, **kwargs)

Creates a new one-time security key for the current session. If duration is not set, this key is valid only for the current session. Otherwise, the key and its data are serialized and saved inside the datastore for up to duration seconds.


duration (int or None) – Make this key valid for a fixed timeframe (and independent of the current session)


The new onetime key

core.securitykey.validate(key: str, useSessionKey: bool) → Union[bool, db.Entity]

Validates a onetime securitykey

  • key (str) – The key to validate

  • useSessionKey (bool) – If True, we validate against the session’s skey; otherwise we’ll look up an unbound key


False if the key was not valid for whatever reason; otherwise the data (given during createSecurityKey) as a dictionary, or True if the dict is empty.


Removes old (expired) skeys

core.securitykey.doClearSKeys(timeStamp, cursor)
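
The create/validate contract documented above, modeled as a self-contained in-memory sketch. This is an added example, not ViUR's code: the class SKeyStore, its clock parameter and clear_expired are hypothetical names, dicts stand in for the session and the datastore, and keeping data for session-bound keys is this sketch's own choice.

```python
import hmac
import secrets
import time


class SKeyStore:
    """Toy model (assumption, not ViUR's implementation) of one-time keys."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.session = {}  # stands in for the current user's session
        self.unbound = {}  # stands in for the datastore: key -> (expires, data)

    def create(self, duration=None, **kwargs):
        key = secrets.token_urlsafe(16)
        if duration is None:
            # Session-bound: only the session that requested it can redeem it.
            self.session["skey"] = (key, kwargs)
        else:
            # Unbound: stored with its data and an absolute expiry time.
            self.unbound[key] = (self.clock() + duration, kwargs)
        return key

    def validate(self, key, useSessionKey):
        if useSessionKey:
            stored = self.session.get("skey")
            # Constant-time comparison; bytes so non-ASCII input cannot raise.
            if stored is None or not hmac.compare_digest(
                    stored[0].encode(), key.encode()):
                return False
            del self.session["skey"]  # a redeemed key cannot be replayed
            data = stored[1]
        else:
            entry = self.unbound.pop(key, None)  # pop makes the key single-use
            if entry is None or entry[0] < self.clock():
                return False
            data = entry[1]
        return data or True  # empty dict -> True, matching the return contract

    def clear_expired(self):
        """Drop unbound keys past their expiry; returns how many were removed."""
        now = self.clock()
        stale = [k for k, (exp, _) in self.unbound.items() if exp < now]
        for k in stale:
            del self.unbound[k]
        return len(stale)
```

A forged link such as /user/delete/xxx carries no key the victim's session issued, so validation returns False and the action is refused.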