Files @ f629e9a0c376
Branch filter:

Location: kallithea/docs/overview.rst

f629e9a0c376 6.2 KiB text/prs.fallenstein.rst Show Annotation Show as Raw Download as Raw
Andrew Shadura
auth: secure password reset implementation

This is a better implementation of password reset function, which
doesn't involve sending a new password to the user's email address
in clear text, and at the same time is stateless.

The old implementation generated a new password and sent it
in clear text to whatever email assigned to the user currently,
so that any user, possibly unauthenticated, could request a reset
for any username or email. Apart from potential insecurity, this
made it possible for anyone to disrupt users' workflow by repeatedly
resetting their passwords.

The idea behind this implementation is to generate
an authentication token which is dependent on the user state
at the time before the password change takes place, so the token
is one-time and can't be reused, and also to bind the token to
the browser session.

The token is calculated as SHA1 hash of the following:

* user's identifier (number, not a name)
* timestamp
* hashed user's password
* session identifier
* per-application secret

We use numeric user's identifier, as it's fixed and doesn't change,
so renaming users doesn't affect the mechanism. Timestamp is added
to make it possible to limit the token's validness (currently hard
coded to 24h), and we don't want users to be able to fake that field
easily. Hashed user's password is needed to prevent using the token
again once the password has been changed. Session identifier is
an additional security measure to ensure someone else stealing the
token can't use it. Finally, per-application secret is just another
way to make it harder for an attacker to guess all values in an
attempt to generate a valid token.

When the token is generated, an anonymous user is directed to a
confirmation page where the timestamp and the usernames are already
preloaded, so the user needs to specify the token. User can either
click the link in the email if it's really them reading it, or to type
the token manually.

Using the right token in the same session as it was requested directs
the user to a password change form, where the user is supposed to
specify a new password (twice, of course). Upon completing the form
(which is POSTed) the password change happens and a notification
mail is sent.

The test is updated to test the basic functionality with a bad and
a good token, but it doesn't (yet) cover all code paths.

The original work from Andrew has been thorougly reviewed and heavily
modified by Søren Løvborg.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
.. _overview:

=====================
Installation overview
=====================

Some overview and some details that can help understanding the options when
installing Kallithea.


Python environment
------------------

**Kallithea** is written entirely in Python_ and requires Python version
2.6 or higher. Python 3.x is currently not supported.

Given a Python installation, there are different ways of providing the
environment for running Python applications. Each of them pretty much
corresponds to a ``site-packages`` directory somewhere where packages can be
installed.

Kallithea itself can be run from source or be installed, but even when running
from source, there are some dependencies that must be installed in the Python
environment used for running Kallithea.

- Packages *could* be installed in Python's ``site-packages`` directory ... but
  that would require running pip_ as root and it would be hard to uninstall or
  upgrade and is probably not a good idea unless using a package manager.

- Packages could also be installed in ``~/.local`` ... but that is probably
  only a good idea if using a dedicated user per application or instance.

- Finally, it can be installed in a virtualenv_. That is a very lightweight
  "container" where each Kallithea instance can get its own dedicated and
  self-contained virtual environment.

We recommend using virtualenv for installing Kallithea.


Installation methods
--------------------

Kallithea must be installed on a server. Kallithea is installed in a Python
environment so it can use packages that are installed there and make itself
available for other packages.

Two different cases will pretty much cover the options for how it can be
installed.

- The Kallithea source repository can be cloned and used -- it is kept stable and
  can be used in production. The Kallithea maintainers use the development
  branch in production. The advantage of installation from source and regularly
  updating it is that you take advantage of the most recent improvements. Using
  it directly from a DVCS also means that it is easy to track local customizations.

  Running ``setup.py develop`` in the source will use pip to install the
  necessary dependencies in the Python environment and create a
  ``.../site-packages/Kallithea.egg-link`` file there that points at the Kallithea
  source.

- Kallithea can also be installed from ready-made packages using a package manager.
  The official released versions are available on PyPI_ and can be downloaded and
  installed with all dependencies using ``pip install kallithea``.

  With this method, Kallithea is installed in the Python environment as any
  other package, usually as a ``.../site-packages/Kallithea-X-py2.7.egg/``
  directory with Python files and everything else that is needed.

  (``pip install kallithea`` from a source tree will do pretty much the same
  but build the Kallithea package itself locally instead of downloading it.)


Web server
----------

Kallithea is (primarily) a WSGI_ application that must be run from a web
server that serves WSGI applications over HTTP.

Kallithea itself is not serving HTTP (or HTTPS); that is the web server's
responsibility. Kallithea does however need to know its own user facing URL
(protocol, address, port and path) for each HTTP request. Kallithea will
usually use its own HTML/cookie based authentication but can also be configured
to use web server authentication.

There are several web server options:

- Kallithea uses the Paste_ tool as command line interface. Paste provides
  ``paster serve`` as a convenient way to launch a Python WSGI / web server
  from the command line. That is perfect for development and evaluation.
  Actual use in production might have different requirements and need extra
  work to make it manageable as a scalable system service.

  Paste comes with its own built-in web server but Kallithea defaults to use
  Waitress_. Gunicorn_ is also an option. These web servers have different
  limited feature sets.

  The web server used by ``paster`` is configured in the ``.ini`` file passed
  to it. The entry point for the WSGI application is configured
  in ``setup.py`` as ``kallithea.config.middleware:make_app``.

- `Apache httpd`_ can serve WSGI applications directly using mod_wsgi_ and a
  simple Python file with the necessary configuration. This is a good option if
  Apache is an option.

- uWSGI_ is also a full web server with built-in WSGI module.

- IIS_ can also server WSGI applications directly using isapi-wsgi_.

- A `reverse HTTP proxy <https://en.wikipedia.org/wiki/Reverse_proxy>`_
  can be put in front of another web server which has WSGI support.
  Such a layered setup can be complex but might in some cases be the right
  option, for example to standardize on one internet-facing web server, to add
  encryption or special authentication or for other security reasons, to
  provide caching of static files, or to provide load balancing or fail-over.
  Nginx_, Varnish_ and HAProxy_ are often used for this purpose, often in front
  of a ``paster`` server that somehow is wrapped as a service.

The best option depends on what you are familiar with and the requirements for
performance and stability. Also, keep in mind that Kallithea mainly is serving
dynamically generated pages from a relatively slow Python process. Kallithea is
also often used inside organizations with a limited amount of users and thus no
continuous hammering from the internet.


.. _Python: http://www.python.org/
.. _Gunicorn: http://gunicorn.org/
.. _Waitress: http://waitress.readthedocs.org/en/latest/
.. _virtualenv: http://pypi.python.org/pypi/virtualenv
.. _Paste: http://pythonpaste.org/
.. _PyPI: https://pypi.python.org/pypi
.. _Apache httpd: http://httpd.apache.org/
.. _mod_wsgi: https://code.google.com/p/modwsgi/
.. _isapi-wsgi: https://github.com/hexdump42/isapi-wsgi
.. _uWSGI: https://uwsgi-docs.readthedocs.org/en/latest/
.. _nginx: http://nginx.org/en/
.. _iis: http://en.wikipedia.org/wiki/Internet_Information_Services
.. _pip: http://en.wikipedia.org/wiki/Pip_%28package_manager%29
.. _WSGI: http://en.wikipedia.org/wiki/Web_Server_Gateway_Interface
.. _pylons: http://www.pylonsproject.org/
.. _HAProxy: http://www.haproxy.org/
.. _Varnish: https://www.varnish-cache.org/
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.