Only the LP Appserver can issue time limited tokens for the librarian
Bug #697485 reported by
Max Kanat-Alexander
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Triaged
|
Low
|
Unassigned | ||
Bug Description
For loggerhead security with an upcoming codebrowse update, I will need the ability to issue and verify time-limited tokens. (In particular, I need to be able to safely serve raw content from a private branch on a separate domain without that domain receiving any cookies.)
| Changed in launchpad: | |
| status: | New → Triaged |
| importance: | Undecided → Low |
| tags: | added: codebrowse |
Revision history for this message
| Robert Collins (lifeless) wrote | #1 |
| Changed in launchpad: | |
| importance: | Low → High |
Revision history for this message
| Robert Collins (lifeless) wrote | #2 |
| summary: |
- Need to be able to issue and verify time-limited tokens via the API + Only the LP Appserver can issue time limited tokens for th elibrarian |
| summary: |
- Only the LP Appserver can issue time limited tokens for th elibrarian + Only the LP Appserver can issue time limited tokens for the librarian |
| Changed in launchpad: | |
| importance: | High → Low |
To post a comment you must log in.
So what this needs is:
- a control group of users that are allowed to work with tokens
- an api to issue / verify tokens which rejects use by users not in the control group; we could use a feature flag to define that group to reduce the amount of code to write.
This is probably a couple hours work for someone familiar with the api stuff; or a day-or-two for a newcomer.