
Token authentication plug-ins
=============================

The "token" module contains two utilities:

 - a credentials extraction utility. This utility expects two request inputs
   called "login" and "token" and returns them in a dict.

 - an authentication utility, which uses these credentials to authenticate a principal
   against a classic InternalPrincipal.

These plug-ins were developed for a custom proprietary application
which needed to access protected content handled in a Zope3 database without being able
to use common HTTP-based authentication mechanisms.


URL token encoding
------------------

The expected URL parameters are:

 - a "login" parameter, containing a classic user login

 - a "token" parameter, containing an encoded token.

The token is a string formed by "user:password:date", where:

 - "user" is the user login

 - "password" is the user password

 - "date" is the current date, in "YYYYMMDD" format.

The whole string is encoded using HMAC with SHA-1 (HMAC-SHA1).

Using this simple protocol, the given token can only be used on a single day.
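
The token scheme described above, as an added example that is not the module's own code: it builds the "user:password:date" string, encodes it with HMAC-SHA1, and checks a received token against the stored plain text password. The HMAC key, the hex encoding of the digest and all function and variable names are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
from datetime import date

# Assumption: the page does not name the HMAC key; this constructed secret stands in.
SECRET_KEY = b"constructed-demo-key"


def extract_credentials(form):
    """Return {"login", "token"} from request inputs, or None if one is missing."""
    login, token = form.get("login"), form.get("token")
    if not login or not token:
        return None
    return {"login": login, "token": token}


def make_token(login, password, day):
    """Hex HMAC-SHA1 of "user:password:date", with the date as YYYYMMDD."""
    message = "{}:{}:{}".format(login, password, day.strftime("%Y%m%d"))
    return hmac.new(SECRET_KEY, message.encode("utf-8"), hashlib.sha1).hexdigest()


def authenticate(credentials, passwords, today):
    """Recompute today's token from the stored plain text password and compare."""
    if credentials is None:
        return False
    stored = passwords.get(credentials["login"])
    if stored is None:
        return False
    expected = make_token(credentials["login"], stored, today)
    # Constant-time comparison, so a mismatch position is not leaked by timing.
    return hmac.compare_digest(expected.encode("ascii"),
                               credentials["token"].encode("utf-8"))


# Constructed sample data: one principal and one request.
PASSWORDS = {"jdoe": "s3cret"}
DAY = date(2024, 1, 15)
REQUEST = {"login": "jdoe", "token": make_token("jdoe", "s3cret", DAY)}

if __name__ == "__main__":
    creds = extract_credentials(REQUEST)
    print(authenticate(creds, PASSWORDS, DAY))                # same day
    print(authenticate(creds, PASSWORDS, date(2024, 1, 16)))  # next day
```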


Prerequisites
-------------

This authentication utility can only be used against an internal principal using
the plain text password manager, because the utility needs the clear-text password
to recompute the expected token.
