# in default
@auth.requires_login()
def index():
    import requests
    # server-side call to the api controller: this is a brand-new HTTP client,
    # so it carries none of the cookies the browser sent to default/index
    r = requests.get(URL('api', 'apps', host=True), timeout=5)
    return {"json": r.content}
# in api
import requests
apps_url = 'http://localhost:8091/apps'

@auth.requires_login()
@request.restful()
def apps():
    response.view = 'generic.json'
    def GET(*args, **vars):
        r = requests.get(apps_url, timeout=5)
        r.raise_for_status()  # surface upstream 4xx/5xx instead of relaying them as data
        # return the decoded JSON, not the requests Response object, so generic.json can render it
        return dict(apps=r.json())
    return dict(GET=GET)
I then added requires_login to the api controller and tested both URLs independently from the browser; it works OK (login to web2py -> go to /api/apps -> get my results). However, if I do the GET request using requests.get from the default controller I get a Non Authorized message and a redirect to the login form.
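What the question describes, as an added demonstration that is not code from this thread or from web2py: a loopback stand-in for the api controller that wants a session cookie, called by a fresh HTTP client the way requests.get() is called from default/index. It uses only the standard library; the cookie name, the one valid session id and the apps list are constructed for the example.

```python
import json
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-ins (assumptions for this example): the session cookie
# name, the single session id the "api" side treats as logged in, and the
# data the real apps endpoint would proxy.
SESSION_COOKIE = "session_id_api"
VALID_SESSION_IDS = {"s3cr3t-session-id"}
APPS = [{"name": "app1"}, {"name": "app2"}]


class ApiHandler(BaseHTTPRequestHandler):
    """Stand-in for the api controller: no valid session cookie, no data."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _send_json(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        session_id = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
        if session_id not in VALID_SESSION_IDS:
            # An API answers 401 here; requires_login() would instead redirect
            # the caller to the HTML login form, which is what the question saw.
            self._send_json(401, {"error": "not authorized"})
            return
        self._send_json(200, {"apps": APPS})


def start_api():
    """Serve the stand-in api on a free loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), ApiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_apps(port, cookie_header=None):
    """The call default/index makes with requests.get(): a brand-new HTTP client
    that carries no browser cookie unless one is forwarded explicitly."""
    req = Request(f"http://127.0.0.1:{port}/api/apps")
    if cookie_header:
        req.add_header("Cookie", cookie_header)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def demo():
    """Compare an anonymous server-side call, one that forwards the browser's
    session cookie, and one presenting a guessed session id."""
    server, port = start_api()
    try:
        anonymous = fetch_apps(port)
        forwarded = fetch_apps(port, f"{SESSION_COOKIE}=s3cr3t-session-id")
        guessed = fetch_apps(port, f"{SESSION_COOKIE}=guess")
    finally:
        server.shutdown()
        server.server_close()
    return {"anonymous": anonymous[0], "forwarded": forwarded[0],
            "guessed": guessed[0], "apps": forwarded[1].get("apps")}


if __name__ == "__main__":
    print(demo())
```

The anonymous call is the one that gets bounced. Forwarding the browser's cookie (web2py exposes it as request.cookies) makes the api call run as the logged-in user, but it only works when both controllers share the cookie's host and path, and it hands the callee the user's whole session rather than a credential scoped to the API; that is the argument for the Bearer-token route discussed further down.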
jwt()
To use JWT authentication:
1) instantiate auth with:
    auth = Auth(db, jwt = {'secret_key':'secret'})
where 'secret' is your own secret string.
2) Decorate functions that require login but should accept the JWT token credentials:
    @auth.allows_jwt()
    @auth.requires_login()
    def myapi(): return 'hello %s' % auth.user.email
Notice jwt is allowed but not required. If the user is logged in, myapi is accessible.
3) Use it!
Now API users can obtain a token with
(returns json object with a token attribute) API users can refresh an existing token with
they can authenticate themselves when calling http:/.../myapi by injecting a header
Authorization: Bearer <the jwt token>
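The mechanics behind those three steps, as an added example written for this page rather than taken from web2py's Auth code: mint an HS256 token with the shared secret_key, verify signature and expiry on every call, read it out of the Authorization: Bearer header, and fall back to the browser session the way allows_jwt plus requires_login does. The claim layout, the function names, the SECRET_KEY value and the fixed timestamps are assumptions for the example; web2py's own token format may differ.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the shared secret that would be passed as jwt={'secret_key': ...};
# constructed for this example, a real one must be long and random.
SECRET_KEY = b"secret"
ALLOWED_ALG = "HS256"  # pin the algorithm; the token's own alg field is untrusted input


class TokenError(Exception):
    pass


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input, key):
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(user_id, email, ttl=3600, now=None):
    """Mint an HS256 JWT for a user who just passed login (what the token URL does)."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"user": {"id": user_id, "email": email}, "iat": now, "exp": now + ttl}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, payload)]
    parts.append(_b64url_encode(_sign(".".join(parts).encode("ascii"), SECRET_KEY)))
    return ".".join(parts)


def verify_token(token, now=None):
    """Return the payload of a valid, unexpired token; raise TokenError otherwise."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        raise TokenError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise TokenError("unexpected alg")  # blocks alg=none and algorithm confusion
    expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"), SECRET_KEY)
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed payload")
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        raise TokenError("expired")
    return payload


def user_from_authorization(header_value, now=None):
    """Parse 'Authorization: Bearer <jwt>'; return the user claim, or None if absent/invalid."""
    if not header_value or not header_value.startswith("Bearer "):
        return None
    try:
        return verify_token(header_value[len("Bearer "):].strip(), now=now)["user"]
    except (TokenError, KeyError):
        return None


def current_user(auth_header, browser_user=None, now=None):
    """What allows_jwt + requires_login amount to: a valid bearer token identifies
    the caller, and failing that the browser's cookie session (if any) still does."""
    return user_from_authorization(auth_header, now=now) or browser_user
```

Two checks matter most here: the algorithm is fixed by the server rather than read from the token (so a header claiming alg=none is rejected before any comparison), and the signature is compared with hmac.compare_digest so a mismatch does not leak timing. The browser-session fallback in current_user is exactly why a page opened while logged in keeps working with no token at all.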
#in default
import json
import requests

# use a name other than `session`: inside a web2py controller that name is the
# framework's own dict-like session object, whose get() takes no keyword arguments
api_session = requests.Session()
url_login = 'http://..../api/login.json'
#requests.packages.urllib3.disable_warnings() # - uncomment if you use a self-signed cert over https
r = api_session.get(url_login, verify=True) #set verify=False if you use a self-signed cert over https (better: verify='/path/to/ca.pem' so the connection stays authenticated)
form = dict(username='user', password='password')
r = api_session.post(url_login, data=form)  # the session object keeps the cookie the login sets
logged_in = False
if r.status_code == 200: #server OK
    response_data = json.loads(r.text)
    logged_in = 'logged_in' in response_data.keys()
#in api
@request.restful()
def login():
    response.view = 'generic.json'
    def GET(*args, **vars):
        # the client's first GET only needs to establish the session cookie
        return dict(logged_in='no')
    def POST(*args, **vars):
        user = request.vars.username
        password = request.vars.password
        # login_bare checks the credentials and logs the user in without any redirect
        if auth.login_bare(user, password):
            return dict(logged_in='yes')
        raise HTTP(401)
    return dict(GET=GET, POST=POST)
# auth.requires_login() redirects to the login form, which is unhelpful for an api
# instead of auth.requires_login() you can write your own simple decorator:
from functools import wraps

def api_requires_login(f):
    @wraps(f)
    def wrapper(*args, **kwargs):
        # the check runs on every request, not once when the controller is loaded
        if auth.is_logged_in():
            return f(*args, **kwargs)
        raise HTTP(401) # or return something
    return wrapper
Hi, you can use requests.Session:
#requests.packages.urllib3.disable_warnings() # - uncomment if you use a self-signed cert over https
r = session.get(url_login, verify=True) #set verify=False if you use a self-signed cert over https
I'm not sure about this. As is, it produces a ticket for "get() takes no keyword arguments". Taking out the verify, I get a result of 'None'. That doesn't seem to be useful to me.
It seems now that my "quick" workaround was not that simple (unless there is a magical solution somewhere) and it is easier to directly implement JWT on all my microservices and frontend.
command: curl -H "Authorization: Bearer paste_jwt_token_here" http://127.0.0.1:8000/test/api/header_jwt/table/1
result: data shown without user credentials
expected result: data not shown without user credentials
Any idea? Or is it normal because in the code above I've used @auth.requires_login() and even put the auth.is_logged_in() decorator?
allows_jwt means JWT is allowed, not that it is required. When you open the URL in the browser, you will have access as long as you are logged in in the browser -- JWT is irrelevant in that context.
Just to clarify, you can use JWT for authentication even from the browser, but given your current setup, the standard cookie-based authentication is still functioning.