ajax login bare


Alan Etkin

Mar 5, 2013, 5:58:42 AM3/5/13
to web2py-d...@googlegroups.com
About https://groups.google.com/d/topic/web2py/KWnrCnx4KvM/discussion

Will the feature be something like this?

js function w2p_ajax_login (url, username, pwd, success, error)
  try a post request with username, raw password
  if remote login_bare is ok
    call success
  else if remote raised anything but status 200
    call error

- What about redirections?
- Is a 200 status enough, or is there need for a more specific response?
- Should the method abort when there's no SSL?
- Will it use the js encryption feature?
- Should the method also handle user input (widget for requesting a password)?
- I think that the scaffolding layout could store an authentication url for default when it is not provided.
- Is there need to update the cookies for storing the login state after successful login?

Niphlod

Mar 5, 2013, 8:35:22 AM3/5/13
to web2py-d...@googlegroups.com


On Tuesday, March 5, 2013 11:58:42 AM UTC+1, Alan Etkin wrote:
> About https://groups.google.com/d/topic/web2py/KWnrCnx4KvM/discussion
>
> Will the feature be something like this?
>
> js function w2p_ajax_login (url, username, pwd, success, error)
>   try a post request with username, raw password
>   if remote login_bare is ok
>     call success
>   else if remote raised anything but status 200
>     call error
>
> - What about redirections?

Shouldn't be there at all.

> - Is a 200 status enough, or is there need for a more specific response?

200 or 403 should be easily recognizable.

> - Should the method abort when there's no SSL?

Deployment over SSL should be a concern of the user. Just like the usual login page is served even through http, the ajax login should have the same "freedom".

> - Will it use the js encryption feature?

Encryption on the client side is just a toy. Browsers don't have anything to protect the crypto functions from being exploited.

> - Should the method also handle user input (widget for requesting a password)?

I thought the "problem" was to have a function to ease the login through AJAX: I'm quite sure you can LOAD() the user page and everything works out of the box if you want to leverage also the "markup" of the login form.

> - I think that the scaffolding layout could store an authentication url for default when it is not provided.

Some things need to be passed around, but the real problem is protecting the submission with a csrf token (PS: I saw your client-side implementation - not tested yet, sorry).

> - Is there need to update the cookies for storing the login state after successful login?

This can be tested, but in theory, after the first request which sets the cookie, the browser should send the cookie back automatically for following requests.

Alan Etkin

Mar 10, 2013, 7:39:34 PM3/10/13
to web2py-d...@googlegroups.com
> Some things needs to be passed around, but the real problem is protecting the submission with a csrf token (PS: I saw your client-side
> implementation - not tested yet, sorry)

I have a working prototype for ajax user methods. It implements only login and logout; maybe there's no need for register/profile.
It is a plugin_apiclient feature, but perhaps something like that could be of use for bare login/logout in web2py itself.

Currently it works only with json post requests, but I'd like to support also xml data and the get method.
The main issue I am trying to solve is the csrf problem mentioned by Niphlod.

The plugin code is here:
http://code.google.com/p/plugin-clientapi

The relevant part is the mini-service at the plugin controller (api function) and apiclient.js
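
As an added illustration of the client side being discussed (not code from this thread, from plugin_apiclient or from web2py itself), the sketch below follows Alan's w2p_ajax_login signature and folds in the points Niphlod raised: no redirects, 200 and 403 as the only expected answers, a csrf token sent with the submission, and the session cookie left to the browser. It assumes the endpoint accepts a JSON body {username, password, _formkey} (the field name _formkey is an assumption) and takes an injectable fetchImpl only so the client can be exercised without a server.

```javascript
// Added example: a bare ajax login client; the _formkey field name and the
// JSON body shape are assumptions, not something the thread specifies.

function classifyLoginResponse(status) {
  // A bare login endpoint is expected to answer with exactly one of two codes.
  if (status === 200) return { ok: true, reason: "authenticated" };
  if (status === 403) return { ok: false, reason: "rejected" }; // bad credentials or bad/missing csrf token
  return { ok: false, reason: "unexpected", status: status };   // anything else is a server-side problem
}

function buildLoginRequest(username, password, csrfToken) {
  return {
    method: "POST",
    credentials: "same-origin", // the session cookie set on success is sent back automatically afterwards
    redirect: "error",          // the endpoint must answer directly; a 30x is a bug, so the fetch rejects
    headers: { "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest" },
    body: JSON.stringify({ username: username, password: password, _formkey: csrfToken }),
  };
}

// Mirrors w2p_ajax_login(url, username, pwd, success, error) plus the csrf token.
// fetchImpl defaults to the browser's fetch; it is a parameter only for testing.
function w2pAjaxLogin(url, username, password, csrfToken, success, error, fetchImpl) {
  const doFetch = fetchImpl || globalThis.fetch;
  return doFetch(url, buildLoginRequest(username, password, csrfToken))
    .then(
      (resp) => classifyLoginResponse(resp.status),
      (err) => ({ ok: false, reason: "transport", detail: String(err) }) // network failure or redirect
    )
    .then((result) => {
      if (result.ok) success(result); else error(result);
      return result;
    });
}
```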
