PYME.util.authenticate module

Authentication for PYME webapps.

This is a work in progress.

Our authentication scheme / security is based around 3 principles:

  1. prevent casual misuse (in general, the consequences of a hack are comparatively low)

  2. maintain good performance

  3. protect user credentials in the case of a breach (accepting that many users re-use passwords)

This has led to the following design choices:

  • use JWT tokens for authentication

  • store hashed passwords, rather than clear text

We have one remaining issue, namely that the majority of our connections are still http rather than https (for both convenience and, in the case of the cluster, performance). As a consequence our passwords travel in clear text on the network, and are vulnerable to a man-in-the-middle attack. With the current use cases (connections between nodes on the same switch, behind an institutional firewall) the risk is low, but it would still be strongly advisable to use a unique, “burner” password.

If we deploy more widely, we should look at using https for the UI bits and deploying tokens for the cluster in a secure manner (e.g. SSH).
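The two design choices above (salted password hashes at rest, short-lived signed tokens on the wire) can be shown end to end in a few dozen lines. The following is an added, self-contained illustration written for this page, not PYME's own implementation: it mirrors the function names listed below but uses an in-memory user store, a process-local HMAC secret, PBKDF2-SHA256 for password hashing and a hand-rolled HS256 JWT from the standard library, all of which are assumptions rather than PYME's actual storage format or signing scheme.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from datetime import timedelta

# Constructed for this example: an in-memory user table and a per-process
# signing secret. A real deployment persists the hashes and manages the key.
_USERS = {}
_SECRET = secrets.token_bytes(32)
_ITERATIONS = 200_000


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def get_salt() -> bytes:
    """Fresh random salt per user so equal passwords give different hashes."""
    return os.urandom(16)


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest'; never the clear text."""
    salt = salt or get_salt()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(_ITERATIONS),
                     _b64url_encode(salt), _b64url_encode(digest)])


def add_user(email: str, password: str) -> None:
    _USERS[email] = hash_password(password)


def authenticate(email: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    stored = _USERS.get(email)
    if stored is None:
        return False
    _, iterations, salt_b64, digest_b64 = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    _b64url_decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, _b64url_decode(digest_b64))


def get_token(email: str, password: str,
              lifetime: timedelta = timedelta(days=1), **claims) -> str:
    """Issue an HS256 JWT carrying the subject, issue time and expiry."""
    if not authenticate(email, password):
        raise PermissionError("bad credentials")
    now = int(time.time())
    payload = {"sub": email, "iat": now,
               "exp": now + int(lifetime.total_seconds()), **claims}
    header = {"alg": "HS256", "typ": "JWT"}
    to_sign = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
               + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(_SECRET, to_sign.encode(), "sha256").digest()
    return to_sign + "." + _b64url_encode(signature)


def validate_token(token: str):
    """Return the payload dict if the signature and expiry check out, else None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        # Pin the algorithm: a token claiming 'none' or another alg is rejected.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(_SECRET, f"{head_b64}.{body_b64}".encode(), "sha256").digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(body_b64))
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None
    if payload.get("exp", 0) <= time.time():
        return None
    return payload


if __name__ == "__main__":
    add_user("alice@example.org", "burner-pw-1")
    tok = get_token("alice@example.org", "burner-pw-1", lifetime=timedelta(hours=1))
    print(validate_token(tok)["sub"])
```

Note that `validate_token` never touches the password store: once a token is issued, later requests are checked with one HMAC rather than a 200,000-iteration PBKDF2, which is what keeps the scheme cheap (principle 2) while the stored hashes stay expensive to brute-force after a breach (principle 3). Pinning `alg` to HS256 and comparing signatures with `hmac.compare_digest` close the two classic JWT verification mistakes.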

PYME.util.authenticate.add_user(email, password)
PYME.util.authenticate.authenticate(email, password)
PYME.util.authenticate.authenticate_hash(email, password_hash)
PYME.util.authenticate.get_salt()
PYME.util.authenticate.get_token(email, password, lifetime=datetime.timedelta(days=1), **kwargs)
PYME.util.authenticate.hash_password(password)
PYME.util.authenticate.main()
PYME.util.authenticate.validate_token(token)