Lightweight tools for signing and encrypting cookies, urls and stuff. This package isn't really secure, but it is secure enough for most needs.
This package is insecure, but secure enough.
The idea is for secure_enough to allow for "autologin cookies" and "instant login" URLs for social web applications.
This package is similar to "ItsDangerous", which is now popular but was unknown when this package was first written.
Two important things to note:
- You should not use this module for financial transactions or sensitive info. That would be egregiously silly.
- If you log someone in with this, you should note the login as "insecure" and require them to provide a password to view sensitive data or perform any 'write' activity.
This package supports the following schemes for encrypting data:
- RSA encryption (really!)
- AES encryption
This package supports the following schemes for signing data:
- No signing ( just serialize )
- HMAC SHA1 signing
- HMAC SHA256 signing
- Request signing, as compatible with Facebook's auth scheme.
The data transformation is as follows :
- serialize ( convert to JSON )
- base64 encode
- ? obfuscate
- ? encrypt
- ? sign
- You can create "configuration objects" that accept a timestamp and return an appropriate secret/encryption key
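The serialize, base64 and HMAC SHA256 signing steps, together with a timestamp-to-secret lookup, as an added standard-library sketch; it is not this package's code or API. The token layout, the function names and the secrets are assumptions made for illustration, and the optional obfuscate and encrypt steps are left out.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secrets, keyed by the epoch second from which each applies.
SECRETS = {0: b"demo-secret-2023", 1_700_000_000: b"demo-secret-2024"}


def secret_for(timestamp):
    """Hypothetical time-based provider: the secret in effect at `timestamp`."""
    start = max(s for s in SECRETS if s <= timestamp)
    return SECRETS[start]


def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mac(payload, issued):
    # The timestamp is covered by the MAC, so it cannot be changed to dodge expiry.
    msg = f"{payload}.{issued}".encode("ascii")
    return b64(hmac.new(secret_for(issued), msg, hashlib.sha256).digest())


def encode(data, now=None):
    """serialize -> base64 -> sign; returns 'payload.issued.signature'."""
    issued = int(time.time() if now is None else now)
    payload = b64(json.dumps(data, sort_keys=True).encode("utf-8"))
    return f"{payload}.{issued}.{mac(payload, issued)}"


def decode(token, max_age, now=None):
    """Return the data, or None if the token is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload, issued_s, sig = token.split(".")
        issued = int(issued_s)
        # Constant-time comparison, done before the payload is parsed at all.
        if issued < 0 or not hmac.compare_digest(sig, mac(payload, issued)):
            return None
        if not 0 <= now - issued <= max_age:
            return None
        padded = payload + "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, TypeError):
        return None
```

A token signed this way is readable by anyone who holds it; only the encrypt step hides the contents.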
There is a bit of documentation in: https://github.com/jvanasco/insecure_but_secure_enough/blob/main/insecure_but_secure_enough/__init__.py
The following files give an interactive demo:
Also note that the github source distribution contains tests.
The time-based providers are entirely untested.
- build out the demo and the test suite to support it.