* Users are only authenticated against their password on login,
and to retrieve a token
* Passwords are wiped from the GUI frontend and cookies
after login and token retrieval
* Tokens are revoked at the end of the session/logout
* If the user chooses the "remember me" option,
the token is stored in the cookie
* Tokens correctly delete themselves on logout
* Tokens can expire at user-specified date
* Tokens have their last usage time
* Tokens can have user defined descriptions
* Users can manage login tokens in their account settings
- Changed password setup to use libsodium and argon2id (regular SHA256
hashing for passwords is inadequate as modern GPU's can hash generate
billions of hashes per second).
- Added code to auto migrate old passwords to the new password_hash if
the existing password_hash matches either of the legacy password
generation schemes (SHA1 or SHA256).
- Added migration to support new password_hash format length
- Added column password_revision. This field will default to 0, which
all passwords will have till they're updated. After that each password
hash method has a revision.
- Added type hinting (for now, 3.5-compatible)
- Split `db` namespace into `db` module and `model` namespace
- Changed elastic search to be created lazily for each operation
- Changed to class based approach in entity serialization to allow
stronger typing
- Removed `required` argument from `context.get_*` family of functions;
now it's implied if `default` argument is omitted
- Changed `unalias_dict` implementation to use less magic inputs
Ignored only the rules about continuing / hanging indentation.
Also, added __init__.py to tests so that pylint discovers them. (I don't
buy pytest's BS about installing your package.)
Anonymous is self explanatory.
Nobody is used solely to mark certain operation as unavailable even to
administrators (<- nobody is higher than administrator).
Shyam Sunder