
Comments (8)

rmorshea commented on June 8, 2024

Before going with the database-backed approach, I have one more idea. What if users configured a secret in their settings for Django IDOM that we used to symmetrically encrypt the pickled parameters before including them in the rendered templates. This both protects sensitive information and prevents injection attacks without requiring anything to be stored in the database.

from reactpy-django.

Archmonger commented on June 8, 2024

We should develop that as an optional feature in a follow-up PR. To do that properly would require additional dependencies.


rmorshea commented on June 8, 2024

My impression is that it might take more time to figure out how to properly expire these database entries vs adding a setting for a secret and using it to encrypt the parameters using the cryptography library.


Archmonger commented on June 8, 2024

There is added complexity to cryptography though, mostly related to key rotation (handling/upgrading old keys to new keys without breaking). Additionally, a common issue with Django DB encryption libraries is determining a way to do it without breaking AlterField migration operations.


rmorshea commented on June 8, 2024

It looks like there's an option for key rotation: https://cryptography.io/en/latest/fernet/#cryptography.fernet.MultiFernet

With that said, I'm realizing that implementing an encryption-based solution in a way that's convenient for the user will involve saving these keys in the database and providing utilities to rotate them. This would allow us to make proper key-management and generation our responsibility rather than the user's and doing that would require some care.

Given this, I'm open to going with whatever approach you think will be easiest to complete the fastest.

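The scheme sketched in the first comment (a secret configured in settings, pickled parameters encrypted before they are written into the rendered template) together with the MultiFernet rotation option linked just above, as an added example; this is not code from the thread or from reactpy-django. It assumes the `cryptography` package is installed; the secret, the timestamps, the parameter dict and the names `fernet_key_from_secret`, `ParamSealer`, `_rejects` and `demo` are this example's own. The security-relevant point it demonstrates is that Fernet authenticates the ciphertext, so a token that was altered in the page, or was minted under a key that has since been retired, is rejected before `pickle.loads` ever sees the bytes; the optional `ttl` also gives per-token expiry without any database row.

```python
import base64
import pickle
import time
from typing import Any, Dict, Optional, Sequence

from cryptography.fernet import Fernet, InvalidToken, MultiFernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF


def fernet_key_from_secret(secret: bytes, key_version: int) -> bytes:
    """Derive a Fernet key (32 bytes, url-safe base64) from one configured secret.

    HKDF with a per-version info string turns a single operator-supplied secret
    into distinct keys per version, which is the shape MultiFernet wants.
    Hypothetical helper; the info label is this example's own.
    """
    raw = HKDF(
        algorithm=hashes.SHA256(),
        length=32,
        salt=None,
        info=b"pickled-params-v%d" % key_version,
    ).derive(secret)
    return base64.urlsafe_b64encode(raw)


class ParamSealer:
    """Seal/unseal pickled component parameters with a rotating key ring.

    keys[0] is the current key and is used for every encryption; the remaining
    keys are accepted for decryption only. That is MultiFernet's rotation model.
    """

    def __init__(self, keys: Sequence[bytes]):
        self._ring = MultiFernet([Fernet(k) for k in keys])

    def seal(self, params: Dict[str, Any], now: Optional[int] = None) -> str:
        # Pickle first, then encrypt-and-MAC. The HMAC inside the Fernet token is
        # what lets the token travel through HTML and still be trusted on return.
        now = int(time.time()) if now is None else now
        return self._ring.encrypt_at_time(pickle.dumps(params), now).decode("ascii")

    def unseal(self, token: str, max_age: Optional[int] = None,
               now: Optional[int] = None) -> Dict[str, Any]:
        # Authenticate and decrypt BEFORE unpickling. InvalidToken covers a bad
        # MAC, an unknown/retired key, a malformed token and (with a ttl) expiry.
        raw = token.encode("ascii")
        try:
            if max_age is None:
                blob = self._ring.decrypt(raw)
            else:
                now = int(time.time()) if now is None else now
                blob = self._ring.decrypt_at_time(raw, max_age, now)
        except InvalidToken:
            raise ValueError("rejected parameter token") from None
        return pickle.loads(blob)

    def rotate(self, token: str) -> str:
        """Re-encrypt a token under the current key, keeping its original timestamp."""
        return self._ring.rotate(token.encode("ascii")).decode("ascii")


def _rejects(sealer: ParamSealer, token: str, **kwargs: Any) -> bool:
    """True if unseal() refuses the token (i.e. pickle.loads was never reached)."""
    try:
        sealer.unseal(token, **kwargs)
    except ValueError:
        return True
    return False


def demo() -> Dict[str, bool]:
    """Walk one key-rotation cycle and the rejection paths; returns which checks held."""
    secret = b"constructed-example-secret-from-settings"  # constructed, not a real secret
    key_v1 = fernet_key_from_secret(secret, 1)
    key_v2 = fernet_key_from_secret(secret, 2)
    params = {"user_id": 42, "filters": ["open", "mine"]}  # constructed component params
    t0 = 1_700_000_000  # constructed clock so the ttl checks are deterministic

    era1 = ParamSealer([key_v1])
    token_v1 = era1.seal(params, now=t0)

    # Rotation: new key first for writes, old key still accepted for reads.
    era2 = ParamSealer([key_v2, key_v1])
    token_v2 = era2.rotate(token_v1)

    # Retirement: only the new key remains, so v1 tokens must now fail.
    era3 = ParamSealer([key_v2])

    # Tamper with one ciphertext byte (past the 25-byte version/timestamp/IV header).
    raw = bytearray(base64.urlsafe_b64decode(token_v1))
    raw[30] ^= 0x01
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode("ascii")

    return {
        "v1_readable_after_rotation": era2.unseal(token_v1) == params,
        "v2_readable_after_retirement": era3.unseal(token_v2) == params,
        "v1_rejected_after_retirement": _rejects(era3, token_v1),
        "tampered_rejected": _rejects(era1, tampered),
        "fresh_accepted": era1.unseal(token_v1, max_age=300, now=t0 + 60) == params,
        "expired_rejected": _rejects(era1, token_v1, max_age=300, now=t0 + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind with this shape. Deriving every key version from one configured secret keeps the operator's configuration to a single value, but it means a leak of that secret exposes all versions at once; what rotates here is the ciphertext, not the underlying secret, so a compromise still requires changing the setting. And a token with no `ttl` stays valid for as long as its key is accepted, so if parameters are supposed to expire, the `max_age` has to be enforced on every decrypt rather than only at creation.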

Archmonger commented on June 8, 2024

There's a lot to discuss about approach/compatibility/algorithms/etc. And it will require a non-trivial amount of code to accomplish within Django.

IMO encryption support deserves its own issue/PR.


rmorshea commented on June 8, 2024

It seems like to complete this then, you'll go with approaches 1 & 3 for expiration?


Archmonger commented on June 8, 2024

Yeah. Although option 2 is technologically ideal, it does not seem convenient for end-users.

