Is it possible to create a webservice function for login (instead of basic authentication)?


Lisandro

May 5, 2015, 12:57:23 PM
to web...@googlegroups.com
I'm creating an XMLRPC webservice with web2py, everything works perfectly.
In order to restrict access to the webservice, according to the docs, you have to decorate the function that instantiates the webservice, for example:

@auth.requires_login()
def call():
    return service()


@service.xmlrpc
def check():
    return auth.user.email

So, in order to connect to this webservice, you would have to pass the user and password in the url, like this:
http://user:email@domain/default/call/xmlrpc
And then you would be able to run the function "check()" of the webservice.

So far all good. But what if I want to create a public webservice, and include a function for login (taking user and email as arguments)? The function should log in the user, and the next calls to other functions should be able to check if the user is logged in.

I've tried this with no success:

def call():
    return service()


@service.xmlrpc
def login(data):
    user = auth.login_bare(data['email'], data['password'])
    if not user:
        return False
    else:
        auth.login_user(user)
        return True


@service.xmlrpc
def check():
    if auth.is_logged_in():
        return auth.user.email
    else:
        return False

However, this doesn't work. I can successfully connect to the webservice, and I can successfully execute the "login()" function, but when I then immediately execute the "check()" function I always receive False, so the session isn't created.

For the testing client I'm using class ServerProxy from python xmlrpclib. 
I know this is easy to fix (using the first of the two examples shown here), but not all clients support basic authentication and I'm trying to figure out what to do for those cases. Thanks in advance!

Niphlod

May 5, 2015, 2:51:50 PM
to web...@googlegroups.com
Usually services do not make use of session cookies, which are the ones web2py checks. A service should use something like basic authentication...

Michele Comitini

May 6, 2015, 11:34:13 AM
to web...@googlegroups.com
If you do not want to use basic auth, a common pattern is having a service that generates a temporary token and then having the client pass the token with each call.

@service.xmlrpc
def get_auth_token(user, password):
   ...
   return token

@service.xmlrpc
def aservicemethod(token, ...):
    check_token(...)

You can create a decorator to call check_token in a more elegant and readable fashion ;-)



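One way to fill in the token pattern suggested above, as an added example that is not part of the original thread and is not web2py's own code. The names verify_credentials, requires_token, digest, TOKENS, USERS and TOKEN_TTL and the sample account are hypothetical; under web2py the two service methods would also carry @service.xmlrpc, the credential check could be auth.login_bare as in the first post, and the token store would be a database table rather than a dict.

```python
import hashlib
import secrets
import time
from functools import wraps

TOKEN_TTL = 900  # token lifetime in seconds (assumed value)
TOKENS = {}      # sha256(token) -> (email, expiry); stand-in for a DB table
# Constructed sample account; under web2py, auth.login_bare() would do this check.
USERS = {"alice@example.com": "correct horse"}


def verify_credentials(email, password):
    stored = USERS.get(email)
    return stored is not None and secrets.compare_digest(
        stored.encode(), password.encode())


def digest(token):
    # Store only a hash, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def get_auth_token(email, password):
    """Return a fresh random token, or False if the credentials are wrong."""
    if not verify_credentials(email, password):
        return False
    token = secrets.token_urlsafe(32)
    TOKENS[digest(token)] = (email, time.time() + TOKEN_TTL)
    return token


def requires_token(func):
    """Decorator: map the token to its user before running the method."""
    @wraps(func)
    def wrapper(token, *args):
        key = digest(token) if isinstance(token, str) else None
        email, expiry = TOKENS.get(key, (None, 0))
        if email is None or expiry < time.time():
            TOKENS.pop(key, None)  # forget expired entries
            return False
        return func(email, *args)
    return wrapper


@requires_token
def check(email):
    # The wrapper replaces the token argument with the authenticated email.
    return email
```

Because the token travels with every call, the service should only be exposed over HTTPS, the same requirement that applies to basic authentication.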
Lisandro

May 6, 2015, 12:04:53 PM
to web...@googlegroups.com
Thanks! I like this solution, I will give it a try.