peopledoc / django-ticketoffice Goto Github PK

One-shot authentication utilities for Django

License: Other

Python 96.44% Makefile 2.98% HTML 0.57%

django-ticketoffice's Introduction

django-ticketoffice

django-ticketoffice provides one-shot authentication (a.k.a. temporary credentials) utilities for Django. It lets you create and manage tickets that allow users to perform one action on the website. As an example, Django could use it for the "password reset" action, where users authenticate using a temporary token.

Example

Restrict some URL to guests with valid invitation tickets:

from django.conf.urls import patterns, url
from django_ticketoffice.decorators import invitation_required, stamp_invitation

@invitation_required(place='louvre', purpose='visit')
@stamp_invitation  # Mark invitation as used right **after** view execution.
def visit_louvre(request):
    ticket = request.cache['invitation']  # Set by `invitation_required`.
    return 'Welcome to the Louvre museum {guest}'.format(
        guest=ticket.data['first_name'])

urlpatterns = patterns('', url('^louvre$', visit_louvre, name='louvre'))

Create and deliver tickets for this resource:

from django.utils.timezone import now
from django_ticketoffice.models import Ticket

ticket = Ticket(place='louvre', purpose='visit')
ticket.set_password('I love Paris')  # Encrypted in database.
ticket.expiry_datetime = now() + timedelta(days=5)  # Optional.
ticket.data = {'first_name': 'Léonard'}  # Optional.
ticket.save()

credentials = {'uuid': ticket.uuid, 'password': 'I love Paris'}
visit_url = reverse('louvre') + '?' + urlencode(credentials)

django-ticketoffice focuses on authentication. It does not send invitation emails. You may check django-mail-factory about sending emails.

Project status

django-ticketoffice is, at the moment, a proof-of-concept: it delivers basic features in order to create tickets and to use them in views. It works (you can use it), but it may lack some features (ideas are welcome), and it may change (improve) quite a bit. That said, maintainers will take care of release notes and migrations.

See also vision, roadmap and alternatives to get a better overview of project status.

Resources

Documentation: https://django-ticketoffice.readthedocs.org
PyPI page: http://pypi.python.org/pypi/django-ticketoffice
Code repository: https://github.com/peopledoc/django-ticketoffice
Bugtracker: https://github.com/peopledoc/django-ticketoffice/issues
Continuous integration: https://travis-ci.org/peopledoc/django-ticketoffice
Roadmap: https://github.com/peopledoc/django-ticketoffice/issues/milestones

django-ticketoffice's People

Contributors

Stargazers

Watchers

django-ticketoffice's Issues

Documentation does not build on readthedocs.org

invitation_required decorator does not support UUID with dashes

Something like this should do the trick...

diff --git a/django_ticketoffice/decorators.py b/django_ticketoffice/decorators.py
index 225a1fb..50abfb0 100644
--- a/django_ticketoffice/decorators.py
+++ b/django_ticketoffice/decorators.py
@@ -68,7 +68,10 @@ def invitation_required(place=u'', purpose=u'',
                 invitation_uuid = request.session['invitation']
             except KeyError:  # No invitation in session, check credentials.
                 if request.GET:
-                    form = TicketAuthenticationForm(data=request.GET,
+                    data = request.GET.dict()
+                    if '-' in data['uuid']:
+                        data['uuid'] = data['uuid'].replace('-', '')
+                    form = TicketAuthenticationForm(data=data,
                                                     place=place,
                                                     purpose=purpose)
                     if form.is_valid():

class-based invitation_required decorator is easy to override

Currently, invitation_required decorator accepts some views as arguments: forbidden, unauthorized and login.

Should be:

invitation_required is a class-based decorator (see http://tech.novapost.fr/python-class-based-decorators-en.html as an example)
invitation_required accepts only two arguments: place and purpose
actions to perform when forbidden, unauthorized or login are methods of invitation_required class => they are easy to override them; they have access to decorator's internal context (such as invitation ticket instance).

Add django 1.10 support

Add django 1.9 support

Document similarities/differences with S/Key

https://en.wikipedia.org/wiki/S/Key

Fix TypeError - String Indices Must Be Integers During guest_login()

Tickets have a "max_usage" counter, or "unlimited_usage" boolean

Primary use case is to provide unlimited usage.
Could be implemented with a simple boolean ("unlimited_usage" or something like that).
Could also be implemented with a counter which is decremented each time the ticket is used. A "-1" value would mean "unlimited_usage".

Remove support of django < 1.8

Add django 1.8 support

Use JWT to sign url credentials.

visit_url = reverse('louvre') + '?' + urlencode(credentials)

Default templates do not use floppyforms

Provide a clean but simple default, and let the developer choose its preferred way to render forms. Removes the dependency to floppyforms.

Tox runs tests, Travis runs Tox

Remove buildout configuration.

Add wheels support

http://pythonwheels.com/

Use Kerberos as backend/storage

Use S/Key

TicketAuthenticationForm validates "uuid" field is a valid UUID

django-ticketoffice provides web API to manage ticket

See docs/about/vision.
As software built on top of Django, it should not be over-complicated for django-ticketoffice to provide a web API to manage tickets and authenticate.
Of course, such a feature must be configurable (at least, developers must be able to enable/disable it). Maybe a set of generic views.

If the implementation requires too much dependencies (restframework or things like that), wonder about packaging this feature as a standalone project: when developers just want the "client" features of django-ticketoffice, do they want to download a bunch of server-related dependencies?