Tokens

Bengfort requested to merge tokens into master

The appointment feeds (!541 (merged) and !613 (merged)) do not require any form of authentication so far. This is because they are meant to be used via calendar clients, so the usual cookie-based authentication is not an option.

The approach here is to add a token as GET parameter. It is based on the work over at https://bitbucket-fusion.cbs.mpg.de/projects/APPS/repos/appointments/.

Possible next steps:

  • UI: At the moment, a single token will be generated for every user. This token is then used for all feeds of that user. Deleting a token is only possible via the admin interface. This approach does not allow fine grained access control. Still, it is already much better than no authentication at all.
  • Domains: With the current approach, a single valid token is sufficient to access all of a user's feeds. We could restrict the validity of the tokens to specific feeds.
  • Generic mixin: It would be nice have a reusable TokenMixin that could be combined with e.g. PermissionRequiredMixin. However, feeds are not based on generic views (see https://code.djangoproject.com/ticket/30993).
  • It is currently not obvious to users that the URL contains a secret token. They might share the full feed URL, including the token, with coworkers. Maybe we can find a way to make it obvious.
Edited by Bengfort

Merge request reports