module documentation

Functions for creating and restoring url-safe signed JSON objects.

The format used looks like this:

>>> signing.dumps("hello")
'ImhlbGxvIg:1QaUZC:YIye-ze3TTx7gtSv422nZA4sgmk'

There are two components here, separated by a ':'. The first component is a URL-safe base64-encoded JSON serialization of the object passed to dumps(). The second component is a base64-encoded HMAC/SHA-1 hash of "$first_component:$secret".

signing.loads(s) checks the signature and returns the deserialized object. If the signature fails, a BadSignature exception is raised.

>>> signing.loads("ImhlbGxvIg:1QaUZC:YIye-ze3TTx7gtSv422nZA4sgmk")
'hello'
>>> signing.loads("ImhlbGxvIg:1QaUZC:YIye-ze3TTx7gtSv422nZA4sgmk-modified")
...
BadSignature: Signature failed: ImhlbGxvIg:1QaUZC:YIye-ze3TTx7gtSv422nZA4sgmk-modified

You can optionally compress the JSON prior to base64 encoding it to save space, using the compress=True argument. This checks if compression actually helps and only applies compression if the result is a shorter string:

>>> signing.dumps(list(range(1, 20)), compress=True)
'.eJwFwcERACAIwLCF-rCiILN47r-GyZVJsNgkxaFxoDgxcOHGxMKD_T7vhAml:1QaUaL:BA0thEZrp4FQVXIXuOvYJtLJSrQ'

The fact that the string is compressed is signalled by the prefixed '.' at the start of the base64 JSON.

There are 65 url-safe characters: the 64 used by url-safe base64 and the ':'. These functions make use of all of them.

Class Signer: No class docstring; 0/4 instance variable, 1/6 method documented
Class TimestampSigner: No class docstring; 1/3 method documented
Function dumps: Return URL-safe, hmac signed base64 compressed JSON string. If key is None, use settings.SECRET_KEY instead. The hmac algorithm is the default Signer algorithm.
Function loads: Reverse of dumps(), raise BadSignature if signature fails.
Constant BASE62_ALPHABET: Undocumented
Class BadSignature: Signature does not match.
Class JSONSerializer: Simple wrapper around json to be used in signing.dumps and signing.loads.
Class SignatureExpired: Signature timestamp is older than required max_age.
Function b62_decode: Undocumented
Function b62_encode: Undocumented
Function b64_decode: Undocumented
Function b64_encode: Undocumented
Function base64_hmac: Undocumented
Function get_cookie_signer: Undocumented
Constant _SEP_UNSAFE: Undocumented

def dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False):

Return URL-safe, hmac signed base64 compressed JSON string. If key is None, use settings.SECRET_KEY instead. The hmac algorithm is the default Signer algorithm.

If compress is True (not the default), check if compressing using zlib can save some space. Prepend a '.' to signify compression. This is included in the signature, to protect against zip bombs.

Salt can be used to namespace the hash, so that a signed string is only valid for a given namespace. Leaving this at the default value or re-using a salt value across different parts of your application without good cause is a security risk.

The serializer is expected to return a bytestring.

def loads(s, key=None, salt='django.core.signing', serializer=JSONSerializer, max_age=None):

Reverse of dumps(), raise BadSignature if signature fails.

The serializer is expected to accept a bytestring.
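
The token layout and the safeguards described for dumps() and loads() above (salt namespacing, the signed '.' compression marker, max_age), as an added standard-library sketch that is not Django's code. The names sketch_dumps, sketch_loads and sign, and the SHA-256 key derivation, are assumptions made for illustration, so its tokens are not interchangeable with Django's.

```python
# Added sketch: names and key derivation are assumptions, not Django's code.
import base64, hashlib, hmac, json, time, zlib

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
class BadSignature(Exception): pass
class SignatureExpired(BadSignature): pass

def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b62(n):
    out = ""
    while n:
        n, r = divmod(n, 62)
        out = ALPHABET[r] + out
    return out or "0"

def unb62(s):
    return sum(ALPHABET.index(c) * 62 ** i for i, c in enumerate(reversed(s)))

def sign(value, secret, salt):
    # The salt is mixed into the HMAC key, so each salt is its own namespace.
    key = hashlib.sha256(salt.encode() + secret).digest()
    return b64(hmac.new(key, value.encode(), hashlib.sha256).digest())

def sketch_dumps(obj, secret, salt, compress=False, now=None):
    data = json.dumps(obj, separators=(",", ":")).encode()
    payload = b64(data)
    if compress:
        packed = zlib.compress(data)
        if len(packed) < len(data) - 1:  # keep compression only if it helps
            payload = "." + b64(packed)
    value = payload + ":" + b62(int(time.time() if now is None else now))
    return value + ":" + sign(value, secret, salt)  # '.' marker is signed too

def sketch_loads(token, secret, salt, max_age=None, now=None):
    value, sep, sig = token.rpartition(":")
    # Verify first, in constant time; nothing is decoded or inflated before this.
    if not sep or not hmac.compare_digest(sig.encode(), sign(value, secret, salt).encode()):
        raise BadSignature("signature failed")
    payload, _, stamp = value.rpartition(":")
    age = (time.time() if now is None else now) - unb62(stamp)
    if max_age is not None and age > max_age:
        raise SignatureExpired("older than max_age")
    packed = payload.startswith(".")
    raw = unb64(payload[1:] if packed else payload)
    return json.loads(zlib.decompress(raw) if packed else raw)
```

Because the marker and timestamp sit inside the signed value, an unauthenticated token is rejected before zlib ever sees its payload, and a token minted under one salt fails verification under any other.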

BASE62_ALPHABET: str = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

Undocumented

def b62_decode(s):

Undocumented

def b62_encode(s):

Undocumented

def b64_decode(s):

Undocumented

def b64_encode(s):

Undocumented

def base64_hmac(salt, value, key, algorithm='sha1'):

Undocumented

def get_cookie_signer(salt='django.core.signing.get_cookie_signer'):

Undocumented

_SEP_UNSAFE = _lazy_re_compile('^[A-z0-9-_=]*$')

Undocumented