pythononwheels / pow_devel

Development repo for the PythonOnWheels framework
www.pythononwheels.org
MIT License

Restful API Authentication #45

Closed jeffny2015 closed 4 years ago

jeffny2015 commented 4 years ago

Hi,

I want to know what the best option is to implement authentication in a pythononwheels RESTful API?

pythononwheels commented 4 years ago

Hi,

The standard approach would be to:

Generate a user model with the needed attributes like name, email, password, login_name etc.:

python generate_model.py -n user -t

Then generate a user RESThandler to manage users as an admin (create, update, delete...):

python generate_handler.py -name user -t --rest

Use generate_scaffold -n user to generate the according management views automatically.

To really authenticate users you have to make a login/register view. Add login and register methods with routes of your choice to the user handler.

python generate_view.py --name login

You can use AJAX in the login/register view and form to react to errors without leaving the site. E.g. show an error message etc. You can choose whichever library you prefer.

Sample login method in user handler:

    import json  # at the top of the handler module

    @route(r"/user/login", dispatch=["post"])
    def login(self):
        try:
            # the login form POSTs JSON; parse the request body
            data_json = json.loads(self.request.body)
            # ... look up the user, call check_password_hash(...), then set the pow_uid cookie (see below)
        except ValueError:
            self.send_error(400)  # malformed JSON in the request body

If login is OK (the user is known and the password check returns True, see below) you can add a secure cookie to identify whether a user is logged in or not. For example like this, storing the cookie name and the user ID:

    self.set_secure_cookie("pow_uid", str(user.id))  # cookie values must be str or bytes, not an int id

PoWhandler has a method get_current_user() which you can adapt to check for that cookie and return True (or already a user object from the DB) and False if that cookie is not found.

This is also the method called by the @tornado.web.authenticated decorator, which protects handler methods so that only logged-in users can call them. IMHO it makes sense to return the user object already from get_current_user so you can check in the method if the user has role == "admin" or implement some more in-depth checks easily.

Make sure you encrypt the passwords before storing them in your DB and use HTTPS. Every PythonOnWheels handler has the methods:

generate_password_hash("password_plain")

and

check_password_hash(encrypted_passwd_from_db, "plaintext_passwd")

which returns True or False.

These two methods are from the Werkzeug.security library: https://werkzeug.palletsprojects.com/en/1.0.x/utils/#module-werkzeug.security

So basically, to register and login (authenticate) users just use "normal" (AJAX) POST requests to a specific route (/user/login or /user/register).

You can use a full REST API to manage all users (through user models) but this should be restricted to ADMINs only, so not accessible for standard users.

In most cases it makes sense to also add a /user/settings route where users can manage their own settings (avatars, passwords, change email...). Just add one more @route to the users handler. Verify that the loggin
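The login flow described in this comment (hash the password before storing it, check it on POST, sign the user id into a cookie, resolve that cookie back to a user object in get_current_user so a role check is possible) assembled end to end as an added example; this is not code from the PythonOnWheels project or from the commenter. Werkzeug's generate_password_hash/check_password_hash and tornado's set_secure_cookie/get_secure_cookie are replaced by standard-library stand-ins of the same shape so it runs without either dependency; the User class, the USERS dict, the cookie secret and the "admin" role value are constructed for the example.

```python
import hashlib, hmac, json, secrets
from dataclasses import dataclass
COOKIE_SECRET = secrets.token_bytes(32)  # constructed; tornado takes this from settings["cookie_secret"]
USERS = {}  # constructed in-memory stand-in for the user model / DB table, keyed by login_name

@dataclass
class User:
    id: int
    login_name: str
    password_hash: str
    role: str = "user"

# Stand-in for werkzeug.security.generate_password_hash: salted PBKDF2, never the plaintext.
def generate_password_hash(plain: str) -> str:
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt.encode(), 260000).hex()
    return f"pbkdf2:sha256:260000${salt}${digest}"

# Stand-in for werkzeug.security.check_password_hash (constant-time digest comparison).
def check_password_hash(stored: str, plain: str) -> bool:
    method, salt, digest = stored.split("$")
    rounds = int(method.split(":")[2])
    candidate = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt.encode(), rounds).hex()
    return hmac.compare_digest(candidate, digest)

# Stand-in for tornado's set_secure_cookie/get_secure_cookie: "value|HMAC(value)".
def sign_cookie(value: str) -> str:
    return value + "|" + hmac.new(COOKIE_SECRET, value.encode(), "sha256").hexdigest()

def verify_cookie(cookie: str):
    value = cookie.rpartition("|")[0]
    ok = value and hmac.compare_digest(sign_cookie(value).encode(), cookie.encode())
    return value if ok else None

# Body of the /user/login handler: parse JSON, check the password, return the signed pow_uid cookie.
def login(request_body: bytes):
    try:
        data = json.loads(request_body)
        user = USERS.get(data["login_name"])
        password = str(data["password"])
    except (ValueError, KeyError, TypeError):
        return None  # malformed JSON or missing fields
    if user is None or not check_password_hash(user.password_hash, password):
        return None  # one answer for unknown user and wrong password
    return sign_cookie(str(user.id))

# get_current_user(): resolve the cookie to a User (or None) so handlers can check user.role.
def get_current_user(cookie):
    uid = verify_cookie(cookie) if cookie else None
    return next((u for u in USERS.values() if str(u.id) == uid), None)
```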

jeffny2015 commented 4 years ago

I think I'm still lost. What I want to implement is OAuth v2 in my RESTful API (this API just works by receiving requests and sending only JSON responses, "no GUI interface"). Any idea?

pythononwheels commented 4 years ago

OK, I see. Do you want to act as an OAuth v2 provider, or do you want to enable your app to use 3rd parties via OAuth v2 authentication, like logging in with Google or Twitter to your app?

jeffny2015 commented 4 years ago

Yes, if I can get both solutions.

pythononwheels commented 4 years ago

It should be relatively easy to integrate other OAuth2 providers like Google, Twitter, Facebook etc. Since PythonOnWheels is based on Tornado you can use this as a guideline:

oauth2 google sample