Conversation
… add AES-GCM encryption for user emails.
…uce rate limiting.
Added section for syncing Lenny OPDS feed with Internet Archive's Bookserver app.
…rchiveLabs#154)
* refactor: Delegate catalog, publication, and empty feed generation to `LennyDataProvider` methods, removing local helper functions `_navigation` and `_build_empty_feed`.
* feat: Skip several dynamic authentication tests due to missing methods in `pyopds2_lenny`.
* fix: Update OAuth redirect URLs to use query parameters instead of fragments
… a `testing_access_key` to OTP issue and redeem requests.
…rvices, and API routes, alongside database configuration and timezone adjustments.
…ail encryption, and dedicated OAuth routes.
…with Lenny-specific acquisition links, including PKCE and direct authentication for borrowing.
… JWT (PKCE) support.
… add documentation for Lenny OAuth PKCE.
…thentication document test expectations.
… update related tests.
…Item.exists` `olid` type handling.
…2 acquisition and post-borrow links with OAuth PKCE authentication.
| else: | ||
| # Old format, just email (no IP verification possible) | ||
| return data | ||
| except BadSignature: |
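Review bot: the legacy `else:` branch returns `data` for any validly signed cookie that carries only an email, so a cookie in the old format silently skips the IP check the new format adds; at minimum log when that path is taken so the old format can be retired on a known schedule, and make sure the `except BadSignature:` handler rejects the cookie outright rather than falling back to another decoding path, since a signature failure means the cookie was not issued by this server.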
I'm curious what is happening here. Shouldn't we error out on bad signatures?
Two things are happening here:
- Old version of verifying the cookies if there is an IP address, which was optional to do the checks (for backward compatibility)
- Now if there are no such things we can move to the JWT to fetch the session and extract the required things
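The fail-closed handling the question above is getting at, as an added example that is not Lenny's code: a signed session cookie that may be in the legacy email-only format or the newer email-plus-IP format. It uses the standard library's `hmac` rather than a signing library, and the field layout, the `ip_verified` flag and the secret are assumptions for illustration.

```python
# Added example (not Lenny's code): verify a signed session cookie that is
# either legacy (email only) or new (email + client IP). A bad signature is
# rejected outright; a legacy cookie is accepted but flagged so callers can
# log it and plan the migration. Field names and the secret are assumptions.
import base64
import hashlib
import hmac
import json
from typing import Optional


class BadSignature(Exception):
    """Raised when the cookie's MAC does not match its payload."""


def _mac(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def sign_cookie(secret: bytes, email: str, ip: Optional[str] = None) -> str:
    """Produce "payload.signature". ip=None yields the legacy, unbound format."""
    data = {"email": email}
    if ip is not None:
        data["ip"] = ip
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode("utf-8")).decode("ascii")
    sig = base64.urlsafe_b64encode(_mac(secret, payload.encode("ascii"))).decode("ascii")
    return f"{payload}.{sig}"


def load_cookie(secret: bytes, cookie: str) -> dict:
    """Parse the cookie and check its MAC; raise BadSignature on any problem."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        expected = _mac(secret, payload.encode("ascii"))
        actual = base64.urlsafe_b64decode(sig)   # binascii.Error is a ValueError
    except (ValueError, TypeError) as exc:
        raise BadSignature("malformed cookie") from exc
    if not hmac.compare_digest(expected, actual):
        raise BadSignature("signature mismatch")
    # Only reached for a payload we signed ourselves, so it is safe to parse.
    return json.loads(base64.urlsafe_b64decode(payload))


def verify_session(secret: bytes, cookie: str, request_ip: str) -> Optional[dict]:
    """Return session data, or None when the cookie must be rejected.

    - bad signature: reject; never fall through to another parser
    - new format (has "ip"): must match the requesting address
    - legacy format (no "ip"): accepted, but ip_verified=False so the
      caller can log the occurrence and retire the format later
    """
    try:
        data = load_cookie(secret, cookie)
    except BadSignature:
        return None
    if "ip" in data:
        if data["ip"] != request_ip:
            return None
        data["ip_verified"] = True
        return data
    data["ip_verified"] = False   # legacy cookie: no IP check possible
    return data
```

`verify_session` returns `None` for the mismatch cases instead of raising so the caller has a single "no session" result to branch on; the legacy branch is deliberately distinguishable (`ip_verified` is `False`) rather than indistinguishable from a verified one.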
| return AES.new(key, AES.MODE_GCM, nonce=nonce) | ||
| return AES.new(key, AES.MODE_GCM) | ||
|
|
||
| def encrypt_email(email: str) -> str: |
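Review bot: `AES.new(key, AES.MODE_GCM)` without `nonce=` makes PyCryptodome generate a random 16-byte nonce, so the caller must read `cipher.nonce` and persist it next to the ciphertext and the authentication tag, and the `nonce=nonce` branch should only be reached from decryption; a nonce reused under the same key breaks both confidentiality and forgery resistance in GCM. Since `encrypt_email` returns `str`, spell out the on-disk encoding (for example base64 of nonce, tag and ciphertext behind the version prefix mentioned in the thread) so that `decrypt_email` can verify the tag before anything uses the result.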
What is the encrypt/decrypt email for?
The encrypt/decrypt functions are used to protect user email addresses at rest in the database. Emails are encrypted using AES-GCM before being stored, so that the raw email address is not stored in plaintext. This helps reduce exposure of sensitive user data in case of a database leak. When the application needs to use the email (for example token refresh or registration), it is decrypted using the same derived key. The hash_email function is separate and is used for deterministic lookups/indexing where we don’t need to recover the original email.
Right, and the key lives in memory during the lifetime of the server process? So if it restarts, the key becomes invalid?
That seems ok.
Yes, you are right. But we still make sure the stored data has a prefix to keep backward compatibility.
|
|
||
|
|
||
| @router.post("/token") | ||
| @limiter.limit("5/minute") |
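Review bot: `@limiter.limit("5/minute")` on `/token` only works if the handler takes a `request: Request` parameter, which slowapi needs to identify the client, and when the limiter is keyed on `get_remote_address` as in slowapi's documented setup it sees the direct peer address; with nginx proxying `/v1/oauth` to the API (see the PR description), every client then shares the proxy's address and the limit collapses into one bucket for everyone unless the key function uses the forwarded client address. The manual test should confirm that two different clients get independent budgets.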
Have you tested manually that the rate limiter works?
closes #159
This pull request introduces significant improvements to the OAuth PKCE authentication flow in Lenny, adds a client registration utility, and enhances environment configuration and rate limiting. The main changes enable easier OAuth client registration, improve security and token management, and update documentation and proxying for OAuth endpoints.
OAuth PKCE Flow Enhancements:
- `oauth-register` Makefile target and `docker/utils/register_client.sh` script for interactive OAuth client registration, allowing users to easily register clients and specify redirect URIs. [1] [2]
- `lenny/app.py` to periodically clean up expired auth codes and refresh tokens, improving token lifecycle management.

Documentation Improvements:
- `README.md` with a new section on OAuth client registration, including interactive and non-interactive instructions and PKCE flow testing steps. [1] [2]

Environment and Configuration Updates:
- `LENNY_EMAIL_ENCRYPTION_SALT` to environment configuration and propagated it through `docker/configure.sh` and `lenny/configs/__init__.py`. [1] [2] [3] [4]

Rate Limiting Integration:
- `slowapi` rate limiter in `lenny/app.py` and added a dedicated module for rate limiting. [1] [2]

Proxy and Routing Adjustments:
- `docker/nginx/conf.d/lenny.conf` to proxy `/v1/oauth` requests to the API, ensuring proper routing for OAuth endpoints.
- `lenny/app.py` and updated `LennyDataProvider` to include the OAuth URL. [1] [2]

These changes collectively make OAuth client registration and PKCE authentication easier, improve security and maintainability, and enhance documentation for developers.