Re: [web2py] Restful authentication and CORS


Alec Taylor

Jul 16, 2012, 12:10:08 PM
to web...@googlegroups.com
Hi rdodev,

I'm doing the exact same thing (well similar concept... using PhoneGap
and remote auth, but using JSONRPC and OAuth2 instead of REST and
regular auth)

Keep an eye on this issue: http://code.google.com/p/web2py/issues/detail?id=872

When the devs get the time they'll be adding in digest auth support.

All the best,

Alec Taylor

On Tue, Jul 17, 2012 at 1:18 AM, rdodev <ami...@gmail.com> wrote:
> I'm developing a web2py app that will be used as the back-end for a mobile
> app. The mobile app will be making API calls to the service for anything
> ranging from login/authentication to CRUD operations. The auth model that
> comes baked into web2py would suffice, except that it's not RESTful and it's
> mostly geared to work with a web browser (sessions, cookies, etc.). Is there
> a way to set the auth module to behave RESTfully?
>
> Another issue is that some of the mobile clients might be running on a
> webView (phoneGap) and thus issuing requests to our back end would result in
> a same-origin policy denial. Is there a way to setup CORS in web2py (or
> should we set that up through apache/wsgi instead?)
>
> Thanks.

David Marko

Jul 16, 2012, 12:20:08 PM
to web...@googlegroups.com
+1 from me having this. Btw. On client side i'm using AngularJS and Trigger.io (instead of PhoneGap)

Alec Taylor

Jul 16, 2012, 1:03:04 PM
to web...@googlegroups.com
On Tue, Jul 17, 2012 at 2:20 AM, David Marko <dma...@tiscali.cz> wrote:
> +1 from me having this. Btw. On client side i'm using AngularJS and Trigger.io (instead of PhoneGap)

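I've been looking around, and will have one of the following setups:

- AngularJS with BarristerRPC
- BackboneJS with Backbone.Rpc
- JQuery mobile with jquery-jsonrpc (or plain JSON.stringify)

All within a PhoneGap (Apache Cordova) app using the Facebook connect plugin for authentication (for graceful downgrade from Facebook mobile app to Facebook website auth).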

I should have a PoC on August 2 with a full backend written in web2py and two frontends (one in web2py views; the other in one of the above frameworks).

Subsequently I'll release it under a full open-source license onto Bitbucket. I'll post to the web2py list with link + slides when the repo is live 


Massimo Di Pierro

Jul 16, 2012, 1:59:30 PM
to web...@googlegroups.com
Can you describe in some detail the APIs you would like to have?
If there is agreement it would not be much to add them.

rdodev

Jul 16, 2012, 2:09:29 PM
to web...@googlegroups.com
Massimo, 

As Alec mentioned above, if not RESTful, OAuth and jsonrpc/jsonp would work as well. So if this is the preferred approach to non-browser/mobile authentication I could definitely work with that.

Thanks. 

Massimo Di Pierro

Jul 16, 2012, 4:41:11 PM
to web...@googlegroups.com
Please open a ticket.

rdodev

Jul 16, 2012, 4:43:30 PM
to web...@googlegroups.com
Massimo, 

I believe Alec already has one he linked to:  Keep an eye on this issue: http://code.google.com/p/web2py/issues/detail?id=872 so I'm assuming you don't need another one for essentially the same feature request.

:)

Ray (a.k.a. Iceberg)

May 27, 2013, 10:42:52 AM
to web...@googlegroups.com
Hi Alec,

Sorry for late response. I am a web2py veteran who dives into restful world only recently. Do you have any finding to share about the restful authentication in web2py? Thanks in advance!

Regards,
Ray

Michele Comitini

May 28, 2013, 4:54:01 AM
to web...@googlegroups.com
REST is stateless so you should not rely on session, hence you can use 

auth.settings.allow_basic_login = True

see here

for proper (as per RFC) authentication challenge with realm use:

@auth.basic(basic_auth_realm=<True|"any string">)

An alternative is to pass an argument or a parameter with authentication info and use
auth.login_bare

Anyway you must pass authentication info with each call since being the service stateless the server has no way to recognize the client.

mic


2013/5/27 Ray (a.k.a. Iceberg) <ice...@qq.com>

--
 
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
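
The per-call Basic authentication described in the post above, as an added example that is not part of the original thread and not web2py's own code. The realm name, user store and function names are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac

REALM = "api"  # assumed realm name for the challenge
SALT = b"constructed-salt"  # constructed sample value

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: username -> (salt, PBKDF2 hash)
USERS = {"alice": (SALT, hash_password("s3cret", SALT))}

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(headers):
    """Stateless check run on every request: (status, response_headers, user)."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, None  # no session to fall back on: challenge again
    user, password = creds
    # Unknown users are hashed against a dummy entry so both paths cost the same.
    salt, stored = USERS.get(user, (SALT, b"\0" * 32))
    ok = hmac.compare_digest(hash_password(password, salt), stored) and user in USERS
    return (200, {}, user) if ok else (401, challenge, None)

def basic_header(user, password):
    """Client side: the header that has to accompany each call."""
    raw = ("%s:%s" % (user, password)).encode()
    return "Basic " + base64.b64encode(raw).decode()
```

Basic credentials are only base64-encoded and are resent on every call, so the endpoint has to be served over HTTPS.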
 
 

Ruben D. Orduz

May 28, 2013, 9:01:11 AM
to web...@googlegroups.com
Yes, most REST patterns I've seen are handled either by http basic auth or else request signing. Either option requires handling that on each call.



Christian Foster Howes

May 28, 2013, 7:21:02 PM
to web...@googlegroups.com, rub...@gmail.com
i have configured my system to be an oauth provider and added a decorator to all RESTful calls to validate the oauth signature.  yes, i do this on each request that i require authentication for.
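
The request signing mentioned in the two posts above, checked by a decorator on each call, as an added example that is not code from any poster. It uses a simplified HMAC-SHA256 scheme rather than OAuth's signature format; the `X-Key-Id`, `X-Timestamp` and `X-Signature` header names, the key store and the 300-second window are assumptions.

```python
import functools, hashlib, hmac, time

# Constructed sample key store: API key id -> shared secret
SECRETS = {"mobile-app": b"constructed-shared-secret"}
MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)

def sign(secret, method, path, timestamp, body):
    """HMAC-SHA256 over the parts of the request the server will act on."""
    msg = b"\n".join([method.upper().encode(), path.encode(),
                      str(timestamp).encode(),
                      hashlib.sha256(body).hexdigest().encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def requires_signature(handler):
    """Decorator: verify the signature on every call, with no session involved."""
    @functools.wraps(handler)
    def wrapper(request, now=None):
        now = time.time() if now is None else now
        h = request["headers"]
        secret = SECRETS.get(h.get("X-Key-Id", ""))
        try:
            ts = int(h.get("X-Timestamp", ""))
        except ValueError:
            return 401, "bad timestamp"
        # The timestamp is signed, so a captured request cannot be replayed later.
        if secret is None or abs(now - ts) > MAX_SKEW:
            return 401, "unknown key or stale request"
        expected = sign(secret, request["method"], request["path"], ts, request["body"])
        if not hmac.compare_digest(expected.encode(), h.get("X-Signature", "").encode()):
            return 401, "bad signature"
        return handler(request)
    return wrapper

@requires_signature
def create_item(request):
    return 201, "created"

def make_request(key_id, secret, method, path, body, ts):
    """Client side: build a request dict that carries its own proof of origin."""
    return {"method": method, "path": path, "body": body,
            "headers": {"X-Key-Id": key_id, "X-Timestamp": str(ts),
                        "X-Signature": sign(secret, method, path, ts, body)}}
```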

Albert Abril

Aug 5, 2014, 8:58:23 AM
to web...@googlegroups.com, cfh...@gmail.com, rub...@gmail.com
Hi Christian,

I'm trying to set up my app as an oauth2 provider too,
did you use https://github.com/SamuelMarks/web2py-oauth2 , or another source? do you have any tutorials or documentation about it? I'll appreciate it so much.

Cheers,
Albert. 

Christian Foster Howes

Aug 10, 2014, 2:03:51 PM
to Albert Abril, web...@googlegroups.com, rub...@gmail.com
Albert,

when we built our oauth implementation we build it ourselves on top of
the python oauth2 lib. it's been a while since we built it so i can't
remember if that web2py-oauth2 lib had not been written yet. we also
are doing a slightly modified form of auth with our users - they start
as "anonymous" users but still have access tokens, later they register
or login with a 3rd party oauth provider and then we are just an oauth
client.

if that sounds at all like what you are doing maybe i can distill some
of what we had into a format that i can share.

christian
>>>>>> - *AngularJS <http://angularjs.org/>* with *BarristerRPC
>>>>>> <http://barrister.bitmechanic.com/>*
>>>>>> - *BackboneJS <http://backbonejs.org/>* with *Backbone.Rpc
>>>>>> <https://github.com/asciidisco/Backbone.Rpc>*
>>>>>> - *JQuery mobile* <http://jquerymobile.com/> with *jquery-jsonrpc*
>>>>>> <https://github.com/datagraph/jquery-jsonrpc> (or plain
>>>>>> JSON.stringify)
>>>>>>
>>>>>> All within a *PhoneGap <http://phonegap.com/>* (*Apache Cordova
>>>>>> <http://incubator.apache.org/cordova/>*) app using the* Facebook
>>>>>> connect plugin
>>>>>> <https://github.com/davejohnson/phonegap-plugin-facebook-connect>*
>>>>>> for authentication (for graceful downgrade from Facebook mobile app
>>>>>> <https://www.facebook.com/mobile/> to Facebook website auth
>>>>>> <https://touch.facebook.com>).
>>>>>>
>>>>>> I should have a PoC <http://en.wikipedia.org/wiki/Proof_of_Concept>
>>>>>> on August 2 with a full backend written in web2py and two frontends (one in
>>>>>> web2py views; the other in one of the above frameworks).
>>>>>>
>>>>>> Subsequently I'll release it under a full open-source license onto
>>>>>> Bitbucket. I'll post to the web2py list with link + slides when the repo is
>>>>>> live
>>>>>>
>>>>>

Massimo Di Pierro

Aug 10, 2014, 4:04:28 PM
to web...@googlegroups.com
OK. Will look into this asap.

Andrés Letelier

Mar 13, 2015, 5:30:39 PM
to web...@googlegroups.com
Hi. I'm trying to do basically the same thing; mostly I'm trying to authenticate an AngularJS app against a web2py backend and then do a couple of RESTful calls. Is web2py-oauth2 still the best choice for this? 