Lightweight tools for signing and encrypting cookies, URLs and stuff. This package isn't really secure, but it is secure enough for most needs.

Project description

This package is insecure, but secure enough.

The idea for secure_enough is to allow for "autologin cookies" and "instant login" URLs for social web applications.

This package is similar to "ItsDangerous", which is now popular but was unknown when this package was first written.

Two important things to note:

  1. You should not use this module for financial transactions or sensitive info. That would be egregiously silly.
  2. If you log someone in with this, you should note the login as "insecure" and require them to provide a password to view sensitive data or perform any 'write' activity.

This package supports the following schemes for encrypting data:

  1. RSA encryption (really!)
  2. AES encryption

This package supports the following schemes for signing data:

  1. No signing (just serialize)
  2. HMAC SHA1 signing
  3. HMAC SHA256 signing
  4. Request signing, as compatible with Facebook's auth scheme.

The data transformation is as follows (steps 3 to 5 are optional):

  1. serialize (convert to JSON)
  2. base64 encode
  3. obfuscate (optional)
  4. encrypt (optional)
  5. sign (optional)

UNTESTED

  • You can create "configuration objects" that accept a timestamp and return an appropriate secret/encryption key
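
The pipeline above with steps 1, 2 and 5 (serialize, base64 encode, HMAC SHA256 sign), combined with a time-based secret provider like the configuration objects just described. This is an added example, not this package's code or API: `secret_for`, `encode`, `decode`, the `body.timestamp.signature` token layout and the secrets are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secrets, one per 30-day rotation period (not real keys).
ROTATION_SECONDS = 30 * 24 * 3600
SECRETS = {655: b"constructed-secret-A", 656: b"constructed-secret-B"}


def secret_for(timestamp):
    """Hypothetical time-based provider: map a timestamp to that period's secret."""
    return SECRETS[timestamp // ROTATION_SECONDS]


def _mac(message, timestamp):
    return hmac.new(secret_for(timestamp), message, hashlib.sha256).hexdigest()


def encode(data, now):
    # 1. serialize to JSON, 2. base64 encode, 5. sign (steps 3 and 4 are skipped).
    body = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    message = "%s.%d" % (body, now)
    return "%s.%s" % (message, _mac(message.encode(), now))


def decode(token, now, max_age):
    """Return the payload, or None if the token is malformed, forged or expired."""
    message, _, signature = token.rpartition(".")
    body, _, issued = message.rpartition(".")
    try:
        issued_at = int(issued)
        # The MAC covers the raw "body.timestamp" text, so the timestamp that
        # selects the secret cannot be altered without breaking the signature.
        expected = _mac(message.encode(), issued_at)
        # Constant-time comparison avoids leaking how many characters matched.
        valid = hmac.compare_digest(expected.encode(), signature.encode())
    except (ValueError, KeyError):
        return None  # bad timestamp, or no secret configured for that period
    if not valid or not 0 <= now - issued_at <= max_age:
        return None
    # The body is parsed only after the signature and age checks pass.
    return json.loads(base64.urlsafe_b64decode(body))
```

A payload accepted by `decode` is authenticated but not confidential, since the body is only base64 encoded; per note 2 above, a login based on it should still be recorded as "insecure".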

===================

There is a bit of documentation in: https://github.com/jvanasco/insecure_but_secure_enough/blob/main/insecure_but_secure_enough/__init__.py

The following files give an interactive demo:

https://github.com/jvanasco/insecure_but_secure_enough/blob/main/demo.py
https://github.com/jvanasco/insecure_but_secure_enough/blob/main/demo_performance.py

Also note that the github source distribution contains tests.

===================

ToDo:

The time-based providers are entirely untested.

  • build out the demo and the test suite to support it.

Files for insecure-but-secure-enough, version 0.1.4
insecure_but_secure_enough-0.1.4.tar.gz (13.6 kB), file type: Source, Python version: None