howto: ajax call in FORM with signed URL


Mike Constabel

Mar 19, 2014, 8:59:38 AM
to web...@googlegroups.com
Hi,

in a form i have

TD(INPUT(_id='keyword', _name='keyword', _onkeyup="ajax(URL('callback', ['keyword', 'stype']), 'target');"), _name="search_type")))

If a text is entered, callback is called and some text is displayed in target. This works.

But now I want to sign the URL.

If I add @auth.requires_signature() to callback function, it no longer works. The ajax call must be signed.

@auth.requires_signature()
def callback():
    return P("foo")

But how can I add "user_signature=True" to the code above so that the ajax call will be signed?

Regards,
Mike

LightDot

Mar 19, 2014, 11:31:41 AM
to web...@googlegroups.com
Try:

TD(INPUT(_id='keyword', _name='keyword', _onkeyup="ajax(URL('callback', ['keyword', 'stype'], user_signature=True), 'target');"), _name="search_type")))

Regards

Mike Constabel

Mar 19, 2014, 5:18:38 PM
to web...@googlegroups.com
Doesn't work. The generated HTML code:

<input id="keyword" name="keyword" onkeyup="ajax(URL(&#x27;callback&#x27;, [&#x27;keyword&#x27;, &#x27;stype&#x27;], user_signature=True), &#x27;target&#x27;);" type="text" />

Niphlod

Mar 19, 2014, 5:37:33 PM
to web...@googlegroups.com
you're missing a point: separation of what is executed by python and what is executed by javascript.

user_signature takes into consideration a/c/f , args AND vars.

your URL link in the onkeyup attribute is generated by python, but then ajax() takes the values presented in the form (in your case, while the user is typing values) and posts those to the original URL (as vars).

python can't know in advance what values the user will type, and javascript (ajax()) can't sign the "resulting url" because of two things:
- it doesn't know what hmac_key to use ('cause only the server knows what it is, that's the whole point of user_signature)
- it doesn't know HOW to create the signature

If you need signed URLs, you need to verify the url without taking vars into consideration.
Please review the book about the signature process...
http://web2py.com/books/default/chapter/29/04/the-core?search=signed#Digitally-signed-urls

BTW: auth.requires_signature() takes hash_vars as a parameter too.

Mike Constabel

Mar 19, 2014, 6:14:59 PM
to web...@googlegroups.com
This is logical for me. Thank you for the explanation.

I read the book often, especially the ajax part. I found this sentence: "It is good practice to always digitally sign Ajax callbacks."

Now I ask myself:
Is it possible to sign the url and exclude keyword and stype? So that a user can't submit other vars?

In the book there is an example with LOAD, which I understand.

But for ajax in my case it seems now to be impossible to sign it. I have no idea.

I think I must treat the ajax callback as potentially insecure and handle it accordingly.

Niphlod

Mar 20, 2014, 4:15:58 PM
to
again missing a point.......
ajax callbacks **should** be signed simply because there's no way to sign urls in javascript - meaning...if you move the signing part to a piece of code that is executed on the client, you lose all the benefits of the signature itself, 'cause it can be forged.
That being said, if you sign the url without the vars, it's still a much more secure path than no signing at all or using a fixed hmac_key.
If you really read the book, then you'll know you can skip the vars when dealing with signatures (both with fixed hmac_keys and with user signatures.)
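The two points Niphlod makes above (the signature covers a/c/f, args and vars, so vars the browser adds later break it; and signing with the vars excluded still binds the action and args) can be shown in a few lines of plain Python. The block below is an added, self-contained model written for this page; it is not web2py's own code and does not reproduce web2py's exact canonical string, digest or per-session key handling. It only mirrors the behaviour the thread describes: the server signs with a key the browser never sees, `hash_vars` decides whether vars are covered, and `ajax()` is modelled as a client that can append the typed form values but cannot re-sign. The path `/callback/keyword/stype`, the key value and the helper names are constructed for the example. In web2py terms, the passing case corresponds to generating the link with `URL('callback', ['keyword', 'stype'], user_signature=True, hash_vars=False)` and decorating the action with `@auth.requires_signature(hash_vars=False)`, the `hash_vars` option Niphlod refers to.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed example, not web2py's implementation. The key lives only on the
# server side ("python"); the browser ("javascript") never learns it, which is
# why the client can append vars but cannot produce a valid signature.
SERVER_HMAC_KEY = b"server-side-secret-only-python-knows"  # assumption: stands in for the real per-session key


def _canonical(path, vars_, hash_vars):
    """String the signature covers: the path (a/c/f plus args, e.g.
    /callback/keyword/stype) and, only when hash_vars is True, the sorted vars."""
    canon = path
    if hash_vars:
        canon += "?" + urlencode(sorted(vars_.items()))
    return canon.encode()


def sign_url(path, vars_=None, hash_vars=True, key=SERVER_HMAC_KEY):
    """Server side: what URL(..., user_signature=True) does conceptually.
    Returns the URL with a _signature var appended."""
    vars_ = dict(vars_ or {})
    sig = hmac.new(key, _canonical(path, vars_, hash_vars), hashlib.sha256).hexdigest()
    return path + "?" + urlencode(sorted(list(vars_.items()) + [("_signature", sig)]))


def verify_url(url, hash_vars=True, key=SERVER_HMAC_KEY):
    """Server side: what @auth.requires_signature(hash_vars=...) does conceptually.
    Recomputes the signature from the incoming request and compares in constant time."""
    parts = urlsplit(url)
    vars_ = dict(parse_qsl(parts.query, keep_blank_values=True))
    sig = vars_.pop("_signature", None)
    if sig is None:
        return False
    expected = hmac.new(key, _canonical(parts.path, vars_, hash_vars), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def client_append_vars(url, **typed):
    """Browser side: ajax() sends the current form field values as vars to the
    URL python generated. Modelled here as query vars for simplicity; the point
    is that the client has no key and so cannot re-sign the resulting request."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + sorted(typed.items())
    return parts.path + "?" + urlencode(query)


def demo():
    """Runs the four cases from the thread and returns the verification results."""
    path = "/callback/keyword/stype"  # constructed: controller/function plus the two args
    results = {}

    # 1. hash_vars=True: the signature covers the (empty) vars python knew about,
    #    so the values the user types later invalidate it.
    full = sign_url(path, hash_vars=True)
    results["unmodified_full_ok"] = verify_url(full, hash_vars=True)
    typed = client_append_vars(full, keyword="foo", stype="all")
    results["typed_vars_break_full"] = verify_url(typed, hash_vars=True)

    # 2. hash_vars=False on both ends: typed vars are allowed to vary, but the
    #    action and args are still bound, so rewriting them fails verification.
    loose = sign_url(path, hash_vars=False)
    typed_loose = client_append_vars(loose, keyword="foo", stype="all")
    results["typed_vars_ok_loose"] = verify_url(typed_loose, hash_vars=False)
    tampered = typed_loose.replace("/stype?", "/other?")
    results["tampered_args_fail_loose"] = verify_url(tampered, hash_vars=False)

    # 3. A client trying to sign for itself has to guess the key and fails.
    forged = sign_url(path, hash_vars=False, key=b"attacker-guess")
    results["forged_fails"] = verify_url(forged, hash_vars=False)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The trade-off is the one Niphlod states: with `hash_vars=False` the callback can no longer trust the vars themselves (they must still be validated like any user input), but a request to a different action or with different args, or one carrying a signature made without the server's key, is rejected, which is strictly better than an unsigned callback.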