Questions regarding AuthenticationPolicy, Permissions and Cookies


Matheo

Jul 2, 2015, 9:49:30 AM
to pylons-...@googlegroups.com
Hello,

I don't understand very well how authentication/authorization works with Pyramid. I mean, how does the server remember whether the user can access a classic route like this one, for instance:

from pyramid.view import view_config

@view_config(
    route_name='core/currentUser',
    renderer='json'
)
def current_user(request):
    # illustrative view body; the original message showed only the decorator
    return {'user_id': request.authenticated_userid}

# default permission already set to 'read' (config is the Configurator):
config.set_default_permission('read')


And after the user has already passed the login check function:

import transaction
from pyramid.httpexceptions import HTTPUnauthorized
from pyramid.security import NO_PERMISSION_REQUIRED, remember
from pyramid.view import view_config

# DBSession, User and route_prefix come from the application's own modules
# (the import path below is assumed)
from .models import DBSession, User

@view_config(
    route_name=route_prefix + 'login',
    permission=NO_PERMISSION_REQUIRED,
    request_method='POST')
def login(request):
    user_id = request.POST.get('user_id', '')
    pwd = request.POST.get('password', '')
    # .first() returns None when no row matches; .one() would raise NoResultFound
    user = DBSession.query(User).filter(User.id == user_id).first()
    if user is not None and user.check_password(pwd):
        headers = remember(request, user_id)  # the authentication policy issues the cookie
        response = request.response
        response.headerlist.extend(headers)
        transaction.commit()
        return response
    else:
        transaction.commit()
        return HTTPUnauthorized()


Actually I want to override the authentication system in order to use a JSON Web Token cookie.
This post presents what I want to do: https://github.com/ajkavanagh/pyramid_jwtauth/issues/9 (mine)
Among other things, I started to write a JWTAuthTktCookieHelper class in order to keep more or less the AuthTktAuthenticationPolicy behaviors (remember function) but with a JWT cookie and through the JWTAuthenticationPolicy (optional, I can extend AuthTktAuthenticationPolicy). I'm not sure it's enough; I don't see how the permissions are kept server side, is it via a session?

Hoping to be clear.
Thank you!

(I'll be back on Saturday)

Paul Everitt

Jul 2, 2015, 10:32:35 AM
to pylons-...@googlegroups.com

Is your JWTAuthTktCookieHelper successful in setting request.authenticated_userid?

Pyramid keeps a pretty nice separation between authentication, permissions, and ACLs. I suggest you use this to your advantage. First, make sure that your authentication works and ignore authorization. Here's the step in the Pyramid quick tutorial that does authentication without worrying about authorization (or databases):

  http://docs.pylonsproject.org/projects/pyramid//en/latest/quick_tutorial/authentication.html

If you can get that tutorial step working with your JWT-in-cookies (meaning, after login, you can print request.authenticated_userid), *then* worry about authorization and databases.

—Paul


Matheo

Jul 4, 2015, 10:03:10 AM
to pylons-...@googlegroups.com
I actually only check the signature of the named JWT cookie and, if I can decode it, allow the user to continue or not.

But I'm not sure it's a good behavior; there isn't actually any match-test with the server. Shouldn't the userid be stored somewhere on the server side in order to make a match? If yes, where should I store it? I really can't find it by reading Pyramid's code. (and I'm new to security)

Thank you!

I will certainly paste the code once cleaned.

Paul Everitt

Jul 4, 2015, 10:13:09 AM
to pylons-...@googlegroups.com

In Pyramid authentication, once you assign the cookie, subsequent requests have the following work to do:

- Read the cookie, decode it, and extract the user id

- The groupfinder callback then looks up in a database or something to get the principals associated with that user id

You can fake the groupfinder function and just return from an in-memory set of users and groups. The tutorial link below does that. But you still need an authentication policy which will extract and return a user id from the cookie.

Here is an example of a custom authentication policy:


It uses a helper for managing the cookie:


My guess is, you’ll have to take ownership of a replacement cookie helper.

—Paul
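The two steps described above (read and verify the cookie to get a user id, then let the groupfinder callback supply that user's principals), together with the question in the previous reply about whether the userid must be matched against something stored on the server, as an added stand-alone example that is not code from this thread, from Pyramid or from pyramid_jwtauth. It uses only the standard library: JWTCookiePolicy, groupfinder, GROUPS, COOKIE_NAME, replay_cookie, the SimpleNamespace request stand-in and the secret values are assumptions for this illustration, and a real policy would subclass Pyramid's CallbackAuthenticationPolicy and read the real request.cookies.

```python
import base64, hashlib, hmac, json, time
from types import SimpleNamespace
COOKIE_NAME = "auth_jwt"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"
GROUPS = {"alice": ["group:editors"], "bob": []}  # constructed stand-in for the user DB

def groupfinder(userid, request):  # Pyramid's "callback": principals for a user id
    return GROUPS.get(userid)      # None means "no such user"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class JWTCookiePolicy:
    def __init__(self, secret, callback, ttl=3600):
        self.secret, self.callback, self.ttl = secret.encode(), callback, ttl

    def _sign(self, signing_input):  # HS256 over "header.claims"
        return _b64(hmac.new(self.secret, signing_input.encode(), hashlib.sha256).digest())

    def remember(self, request, userid, **kw):  # called by the login view
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64(json.dumps({"sub": userid, "exp": int(time.time()) + self.ttl}).encode())
        token = f"{header}.{claims}.{self._sign(header + '.' + claims)}"
        return [("Set-Cookie", f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax")]

    def unauthenticated_userid(self, request):  # step 1: read cookie, verify, extract sub
        signing_input, _, sig = request.cookies.get(COOKIE_NAME, "").rpartition(".")
        # The HMAC is the server-side "match test": nothing per user is stored on the
        # server, and the header's alg is ignored so only our own HS256 is ever accepted.
        if not hmac.compare_digest(sig.encode(), self._sign(signing_input).encode()):
            return None
        payload = json.loads(_unb64(signing_input.split(".")[1]))  # intact: signature ok
        return payload["sub"] if payload.get("exp", 0) > time.time() else None

    def authenticated_userid(self, request):  # step 2: the callback must know the user
        userid = self.unauthenticated_userid(request)
        return userid if userid and self.callback(userid, request) is not None else None

    def effective_principals(self, request):  # what the ACLs are matched against
        userid = self.authenticated_userid(request)
        if userid is None:
            return [Everyone]
        return [Everyone, Authenticated, userid] + self.callback(userid, request)

def replay_cookie(headers):  # turn remember()'s Set-Cookie header into the next request
    name, _, value = headers[0][1].split(";")[0].partition("=")
    return SimpleNamespace(cookies={name: value})
```

A tampered or expired token, or one signed under a different secret, yields no principals beyond Everyone, so nothing about the user id has to be kept on the server between requests.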

Matheo

Jul 4, 2015, 10:35:04 AM
to pylons-...@googlegroups.com
The effective_principals function could be what I was looking for.
I'll take a look at it and go deeper into the AuthTktCookieHelper, thank you!