I recently started writing an online password manager. The basic idea is that it would ask 3 questions from a bank of questions, and then prompt for a decryption password and the name of a service of which to get a password. The service would run over SSL, and the passwords would be exported from my laptop's KDE pwmanager in my server backup script.
That way I'd be able to get my unmemorable passwords from any internet-connected terminal, without fear of an eavesdropper or piece of malware getting all of my passwords, since the 3 questions would change, much like the digits asked for when using online banking.
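As an added illustration of the challenge step described above (this is not code from the original post or from the webpwman project), the Python below keeps only salted PBKDF2 hashes of the answers in a JSON-friendly bank, picks three questions unpredictably for each login, and compares answers in constant time. The question bank and answers are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; raise on real hardware


def normalise(answer: str) -> str:
    # Case- and whitespace-insensitive so "The Beatles " matches "the beatles"
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)


def build_bank(qa_pairs):
    """Return the question bank as plain dicts (json.dumps-able); answers are never stored."""
    bank = []
    for question, answer in qa_pairs:
        salt = secrets.token_bytes(16)  # per-answer salt defeats precomputed tables
        bank.append({"question": question, "salt": salt.hex(),
                     "hash": hash_answer(answer, salt).hex()})
    return bank


def pick_challenge(bank, n=3):
    # secrets.SystemRandom so the three questions chosen cannot be predicted
    return secrets.SystemRandom().sample(range(len(bank)), n)


def verify_challenge(bank, indices, answers) -> bool:
    if len(answers) != len(indices):
        return False
    ok = True
    for idx, answer in zip(indices, answers):
        rec = bank[idx]
        got = hash_answer(answer, bytes.fromhex(rec["salt"]))
        # Check every answer (no early exit) and compare in constant time
        ok &= hmac.compare_digest(bytes.fromhex(rec["hash"]), got)
    return ok


if __name__ == "__main__":
    # Constructed demo bank; in the real service this would be a JSON file on disk
    bank = build_bank([("First pet?", "Rex"), ("First school?", "Hilltop"),
                       ("Mother's maiden name?", "Smith"), ("Favourite band?", "The Beatles")])
    print(json.dumps(bank, indent=1)[:200], "...")
    asked = pick_challenge(bank)
    print("Questions:", [bank[i]["question"] for i in asked])
    print("Verified:", verify_challenge(bank, asked, ["rex", "hilltop", "smith", "the beatles"][:0] or
                                        [["rex", "hilltop", "smith", "the beatles"][i] for i in asked]))
```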
Django seemed a touch too heavy, and I was tempted to use PHP, but Andrew suggested I give web.py, the slim web framework behind reddit, a try.
web.py is indeed very slim, and I soon realised I'd have to find a different database ORM, as web.py's involved writing raw SQL as arguments, which I didn't really want to do. So I downloaded SQLObject.
Midway through the project I decided that I needed sessions, so I didn't have to authenticate on every page. The web.py sessions example code calls web.ctx.session, but that didn't seem to exist for me. The web.py cookbook's page on sessions calls a web.session.Session(..) but specifies that this is available on version 0.3 only, which is strange, since the Get It! link on the site goes to a file called web.py-0.23.tar.gz, which seems to imply a latest version of 0.23. Eventually, I tried to find this session code myself, but it didn't seem to exist.
martin@zapper:webpwman/web $ grep -R session *
martin@zapper:webpwman/web $
Anyway, back to SQLObject. I already had a postgresql database hanging around from when I was developing lejogger, so I thought I'd use that for developing webpwman (yes, I'm that lazy). The database is set up so that the user 'lejogger' can access it without any password (i.e. psql -Ulejogger lejogger works fine), so I defined its URI:
"postgres://lejogger@localhost/lejogger"
This only produced tracebacks complaining about the lack of a password, and eventually I realised it was probably trying to connect via TCP/IP rather than the socket file, so I changed the URI to:
"postgres://lejogger@/var/run/postgresql/lejogger"
But it seems the leading / on the socket's file path disappears (this happens no matter how many I insert into the URI). In fact, I can see no way to make SQLObject connect to a postgresql database file socket whilst overriding the default username of the UNIX user, and I don't really want to edit my database permissions.
After consideration, I have decided to rewrite the application using CherryPy (whose sessions code hopefully exists), and use a json file to store the data, since there won't be that much of it anyway and the passwords will be encrypted. This will also make it easier to import data, as the backup script can generate the json file and then rsync/scp it up to the server.
If I have missed something glaringly obvious, please contact me and I will update the post accordingly.