[Cubicweb] Pyro and ZMQ deprecated?
mr.li.jinpeng at gmail.com
Wed Mar 12 22:31:44 CET 2014
On Thu, Mar 6, 2014 at 2:29 PM, Yann Cointepas <yann at cointepas.net> wrote:
> But, according to previous posts, I understood that
> signedrequest/rqlcontroller may evolve to become a replacement of Pyro/ZMQ.
> It means that it is necessary to find a way to make it usable for real
> users via an API like cubicweb.dbapi. Otherwise it would be the end of this
> I think it should not be too hard to generate a secret token from a
> password. For each CWUser, such a token could be kept updated with the
> password on the server via hooks. The dbapi could, given the password,
> generate the same secret token (the contrary must be very difficult and
> time consuming) to use for identification. All this system could be in a
> specific cube named cubicweb-enableconnectionviadbapiusinghttporhttps (some
> people may prefer a shorter name) that would depend on signedrequest and
I read examples from signedrequest/test/unittest_authenticate.py. I
understood very similarly to Dimitri.
If I understand correctly, signedrequest is used for the authentication of
different devices (or different client programs). For example, define
randomly one secret token for one device on the server side. Copy and save
this secret token to your client program. (no more password information
need to be saved in the memory in client program)
In other words, we can easily remove any device from server by removing a
specified token. In the client side, there is no more password but with an
"app token" for the authentication. When we remove "app token" on the
server, we don't need to remove password information on client side.
Based on this mechanism, it is not necessary to generate secret token from
password. This secret token can be considered as a second password only for
the machine, but not for human.
If it is wrong, please correct me.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Cubicweb