core.securitykey

This module provides one-time keys. Such a Securitykey can be used only once to authenticate an action such as editing an entry. Unless specified otherwise, keys are bound to a session. This prevents such actions from being executed without explicit user consent: an attacker can’t send specially crafted links (like /user/delete/xxx) to an authenticated user, because these links would lack a valid securityKey.

It’s also possible to store data along with a securityKey and to specify a lifetime.

Module Contents

Functions

create(duration: Union[None, int] = None, **kwargs)

Creates a new one-time Securitykey for the current session

validate(key: str, useSessionKey: bool) → Union[bool, db.Entity]

Validates a one-time securitykey

startClearSKeys()

Removes old (expired) skeys

doClearSKeys(timeStamp, cursor)

core.securitykey.securityKeyKindName = viur-securitykeys
core.securitykey.create(duration: Union[None, int] = None, **kwargs)

Creates a new one-time Securitykey for the current session. If duration is not set, this key is valid only for the current session. Otherwise, the key and its data are serialized and saved inside the datastore for up to duration seconds.

Parameters

duration (int or None) – Make this key valid for a fixed timeframe (and independent of the current session)

Returns

The new onetime key

core.securitykey.validate(key: str, useSessionKey: bool) → Union[bool, db.Entity]

Validates a one-time securitykey

Parameters
  • key (str) – The key to validate

  • useSessionKey (bool) – If True, we validate against the session’s skey, otherwise we’ll look up an unbound key

Returns

False if the key was not valid for whatever reason; otherwise the data (given during createSecurityKey) as a dictionary, or True if the dict is empty.
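The semantics described above (session-bound versus duration-bound keys, single use, and the False / True / data return convention), as an added self-contained model. This is not ViUR's implementation: the `session` and `datastore` dicts are assumed stand-ins for the real session and datastore, and key generation with `secrets` is an assumption.

```python
import hmac
import secrets
import time

# Assumed stand-ins (not ViUR objects): the current user's session and
# the datastore kind that holds unbound keys.
session = {}
datastore = {}


def create(duration=None, **kwargs):
    """Issue a one-time key; kwargs are the data stored along with it."""
    key = secrets.token_urlsafe(16)
    if duration is None:
        # Session-bound: redeemable only from the session that requested it.
        # Keeping kwargs here is a choice of this model.
        session["skey"] = {"key": key, "data": kwargs}
    else:
        # Unbound: kept server-side until now + duration seconds.
        datastore[key] = {"until": time.time() + duration, "data": kwargs}
    return key


def validate(key, useSessionKey):
    """Return False, True (no data stored) or the stored data dict."""
    if useSessionKey:
        entry = session.get("skey")
        # Constant-time comparison against the session's key.
        if entry is None or not hmac.compare_digest(
                entry["key"].encode(), key.encode()):
            return False
        del session["skey"]  # consumed: a replayed request fails
    else:
        entry = datastore.pop(key, None)  # consumed on first lookup
        if entry is None or entry["until"] < time.time():
            return False  # unknown, already used, or expired
    return entry["data"] or True


if __name__ == "__main__":
    skey = create()
    print(validate("forged", True))   # a crafted link carries no valid key
    print(validate(skey, True), validate(skey, True))  # first use, replay
    mail_key = create(duration=3600, action="delete", target="xxx")
    print(validate(mail_key, False))  # stored data comes back
```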

core.securitykey.startClearSKeys()

Removes old (expired) skeys

core.securitykey.doClearSKeys(timeStamp, cursor)