An identity policy for morepath using itsdangerous.

import morepath
from more.itsdangerous import IdentityPolicy

class App(morepath.App):
    pass

@App.identity_policy()
def get_identity_policy():
    return IdentityPolicy()

@App.verify_identity()
def verify_identity(identity):
    # trust the identity established by the identity policy (we could keep
    # checking if the user is really in the database here - or if it was
    # removed in the meantime)
    return True

See http://morepath.readthedocs.org/en/latest/security.html to learn more about Morepath's security model and and have a look at the commented source code:

https://github.com/morepath/more.itsdangerous/blob/master/more/itsdangerous/identity_policy.py

The IdentityPolicy class is meant to be extended because everyone has differing needs. It simply provides a way to store the identity as a signed cookie, using itsdangerous.

By default, the cookies created by more.itsdangerous are HttpOnly and Secure.

If you have differing needs or if you are running a development server you might have to change the identity policy's configuration:

@App.identity_policy()
def get_identity_policy():
    # make the cookies work under http, not just https
    return IdentityPolicy(secure=False)

Note that this should only be used in development. In this day and age you do not want to transmit cookies over http!

Install tox and run it:

pip install tox
tox

Limit the tests to a specific python version:

tox -e py27

More Itsdangerous follows PEP8 as close as possible. To test for it run:

tox -e pep8

More Itsdangerous uses Semantic Versioning

more.itsdangerous is released under the revised BSD license