Module signing

The format used looks like this:

>>> signing.dumps("hello")
'ImhlbGxvIg:1QaUZC:YIye-ze3TTx7gtSv422nZA4sgmk'

There are two components here, separated by a ':'. The first component is a
URLsafe base64 encoded JSON of the object passed to dumps(). The second
component is a base64 encoded hmac/SHA1 hash of "$first_component:$secret"

signing.loads(s) checks the signature and returns the deserialized object.
If the signature fails, a BadSignature exception is raised.

>>> signing.loads("ImhlbGxvIg:1QaUZC:YIye-ze3TTx7gtSv422nZA4sgmk")
'hello'
>>> signing.loads("ImhlbGxvIg:1QaUZC:YIye-ze3TTx7gtSv422nZA4sgmk-modified")
...
BadSignature: Signature failed: ImhlbGxvIg:1QaUZC:YIye-ze3TTx7gtSv422nZA4sgmk-modified

You can optionally compress the JSON prior to base64 encoding it to save
space, using the compress=True argument. This checks if compression actually
helps and only applies compression if the result is a shorter string:

>>> signing.dumps(list(range(1, 20)), compress=True)
'.eJwFwcERACAIwLCF-rCiILN47r-GyZVJsNgkxaFxoDgxcOHGxMKD_T7vhAml:1QaUaL:BA0thEZrp4FQVXIXuOvYJtLJSrQ'

The fact that the string is compressed is signalled by the prefixed '.' at the
start of the base64 JSON.

There are 65 url-safe characters: the 64 used by url-safe base64 and the ':'.
These functions make use of all of them.

Classes

• class BadSignature
  Signature does not match.
• class JSONSerializer
  Simple wrapper around json to be used in signing.dumps and signing.loads.
• class SignatureExpired
  Signature timestamp is older than required max_age.
• class Signer
• class TimestampSigner

Functions

• ▷ def b64_decode(s)

  source link
• ▷ def b64_encode(s)

  source link
• ▷ def base64_hmac(salt, value, key, algorithm='sha1')

  source link
• ▶ def dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, ...)

  Return URL-safe, hmac signed base64 compressed JSON string. If key is None, use settings.SECRET_KEY instead. The hmac algorithm is the default Signer algorithm.

  def dumps(

  obj,

  key=None,

  salt='django.core.signing',

  serializer=JSONSerializer,

  compress=False,

  )

  source link

  If compress is True (not the default), check if compressing using zlib can
  save some space. Prepend a '.' to signify compression. This is included
  in the signature, to protect against zip bombs.
  
  Salt can be used to namespace the hash, so that a signed string is
  only valid for a given namespace. Leaving this at the default
  value or re-using a salt value across different parts of your
  application without good cause is a security risk.
  
  The serializer is expected to return a bytestring.

• ▷ def get_cookie_signer(salt='django.core.signing.get_cookie_signer')

  source link
• ▶ def loads(s, key=None, salt='django.core.signing', serializer=JSONSerializer, max_age=None)

  Reverse of dumps(), raise BadSignature if signature fails.

  source link

  The serializer is expected to accept a bytestring.

Generated by nedoc v0.9 at 2020-12-29 14:04