RESTful service with access control


Jim S

May 13, 2019, 12:28:11 PM
to web2py-users
Hi

I'm setting up a REST service that requires authentication.  I'm following the example here:


Here is the example with basic login:

auth.settings.allow_basic_login = True

@auth.requires_login()
@request.restful()
def api():
    def GET(s):
        return 'access granted, you said %s' % s
    return locals()

However, I'd like to use email authentication instead of basic_login.  

When I remove the first line, and pass proper email address and password, I get a 403 return code.

Anyone had success with a RESTful service using email authentication?

-Jim

Val K

May 13, 2019, 12:51:27 PM
to web2py-users
As far as I understand, basic means passing login and password in the headers and it doesn't matter if username or email is used as login, no?

Jim S

May 13, 2019, 1:39:27 PM
to web2py-users
Shoot, looks like my initial testing wasn't even working.  I was just checking the status code which was returning 200, but didn't realize it was redirecting me to the login page.  Any way I can stop that?

-Jim

Val K

May 13, 2019, 2:20:30 PM
to web2py-users
For services I use auth.login_bare(u,p) and handmade decorator based on auth.is_logged_in() - don't forget about parens!
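
Added example, not part of the original thread or of web2py itself: a sketch of the pattern described in the post above, a hand-made decorator that checks auth.is_logged_in() (with the parentheses), falls back to auth.login_bare() with credentials parsed from a Basic Authorization header, and fails with 401 instead of redirecting to the login page. ApiAuthError, StubAuth, basic_credentials, requires_api_login and get_header are hypothetical names; the assumption is that in a controller the real auth object replaces StubAuth, the header comes from request.env.http_authorization, and the failure is raised as web2py's HTTP(401).

```python
import base64
import functools


class ApiAuthError(Exception):
    """Stand-in for web2py's HTTP exception so the sketch runs outside web2py."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def basic_credentials(header):
    """Parse 'Basic base64(login:password)'; return (login, password) or None."""
    if not header or header[:6].lower() != 'basic ':
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode('utf-8')
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    login, sep, password = decoded.partition(':')
    return (login, password) if sep else None


def requires_api_login(auth, get_header):
    """Decorator: authenticate through auth.login_bare(); answer 401, never redirect."""
    def decorator(action):
        @functools.wraps(action)
        def wrapper(*args, **kwargs):
            if not auth.is_logged_in():  # call it: the bare method object is always truthy
                creds = basic_credentials(get_header())
                if creds is None or not auth.login_bare(*creds):
                    raise ApiAuthError(401)
            return action(*args, **kwargs)
        return wrapper
    return decorator


class StubAuth:
    """Constructed stand-in with the two Auth methods named in the post (plaintext check, stub only)."""
    def __init__(self, users):
        self.users, self.user = users, None

    def is_logged_in(self):
        return self.user is not None

    def login_bare(self, username, password):
        self.user = username if self.users.get(username) == password else None
        return self.user or False
```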

Val K

May 13, 2019, 2:34:41 PM
to web2py-users

Jim Steil

May 13, 2019, 9:38:51 PM
to web...@googlegroups.com
Val

Thanks so much for the references.  However, I'm really a bit lost.

Using login_bare()??  Where does that come into play?  And then a custom decorator?

Am I doing something wrong that is preventing the sample in the book from working?  Not sure why mine is just redirecting.

Any samples would really be appreciated.

-Jim


On Mon, May 13, 2019 at 1:34 PM Val K <valq...@gmail.com> wrote:
There is also https://github.com/web2py/web2py/blob/master/gluon/authapi.py

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to a topic in the Google Groups "web2py-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/web2py/7DfbZY6xRWU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to web2py+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/913ce0a6-a2fa-4529-b934-dc2e3de1d1c0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jim Steil

May 13, 2019, 10:17:38 PM
to web...@googlegroups.com
Val

I just created a test app based on the code in the book and all is working as it should.  Must be something else in my other app that is causing the trouble.

I'll check it out later.  Also looking into JWT...

Val K

May 14, 2019, 1:10:11 AM
to web2py-users
One more important point:
Do you set the view for your api?
I mean that the book example will not work without response.view='generic.json' if the request is not local.

Massimo Di Pierro

May 14, 2019, 2:51:24 AM
to web2py-users
You may want to see my other post about the new policy based DBAPI.

Jim Steil

May 14, 2019, 8:20:57 AM
to web...@googlegroups.com
Massimo - thanks for that info.  This won't help in my case as I'm using the RESTful API to get access to another of my server-side python packages.  But, I can see the power of the DBAPI.  I'm waiting for you to stabilize web3py before I jump in.  I'd love to get involved in more testing but I haven't been able to free up the time. 

My current python2 web2py app is too big for me to try to bring to web3py before the Python 2 drop dead date so I'm also working to test all of that under python 3. It's a busy (and exciting) year!

Thanks again for all you do!

-Jim


Jim S

May 14, 2019, 10:19:10 AM
to web2py-users
Yes, I have the view set.   

I have it working now if I use the password stored in my auth_user table.  But, I'd really prefer to have it go through all available authentication methods to authenticate a user.  We have some users that authenticate to our mail server and others that use the password in auth_user.  It's not a show-stopper, using the auth_user password will work for me.

Thanks for sticking with me on this one.

-Jim