Restful API with HTTPS and authentication

Fredrik

Sep 16, 2013, 10:51:40 AM
to web...@googlegroups.com
Hi,

I'm trying to set up a RESTful API in web2py and have run into some troubles with authentication. The server running the API is set up with WSGI, forced HTTPS and the API controller actions have the @auth.requires_login() decorators.

The problem is that I'm not able to make requests to the API via curl or other command-line/script clients. It all works well locally when I use the Rocket server and the "auth.settings.allow_basic_login = True" in the controller. The same does however not work on the production server with WSGI and Apache, or locally without the setting for that part. I have tried all different types of methods, including sending cookies with the curl request.

Am I missing something here? What is the preferred solution for Auth for RESTful APIs in web2py?


Best regards,
Fredrik

Larry Weinberg

Sep 16, 2013, 12:08:14 PM
to web...@googlegroups.com
I'm doing exactly that and not running into troubles.
Could it be something about your SSL certificate?  If it's not a well trusted certificate sometimes you need to install it on the client side.
Does it match the domain name you are calling?

I test my server with the following python code and I can use basic authentication with restful calls:

import json

import requests
from requests.auth import HTTPBasicAuth

url = 'https://my.server.com/api/action.json'  # placeholder: your API endpoint
user = 'myn...@my.com'
passwd = 'mypassword'
r = requests.get(url, auth=HTTPBasicAuth(user, passwd))
# print(r.text)

# Decode the JSON response and get the access token
decodedDict = json.loads(r.text)

Fredrik

Sep 17, 2013, 3:21:57 AM
to web...@googlegroups.com
Hi Larry,

thanks for the quick reply. It might have something to do with the certificate. Me calling it a production server is actually not totally correct, it's more of a staging server, and therefore the SSL certificate does not match the domain name.

Using basic auth was more of a way to find out what is going wrong. Our goal is to have API authentication based on the auth table in web2py. With basic auth and Apache/WSGI, aren't we restricted to a password-file and therefore a separate user/pass set than in web2py?

Michele Comitini

Sep 17, 2013, 5:23:00 AM
to web...@googlegroups.com
Fredrik,

You should be able to use http basic authentication on ssl.
You can also use x509 auth if you want to use client side certificates (still using web2py auth_* tables).
I do not understand what is the exact error on your client. Can you post it?

mic




Fredrik

Sep 17, 2013, 6:31:14 AM
It turns out I needed to add this to the Apache config: WSGIPassAuthorization On

With the line added everything works well. I couldn't find any documentation on that in the web2py book and I do not know if it has something to do with my particular setup and versions.

Now all decorators work according to documentation and I can use, for instance "wget -qO- --no-check-certificate --auth-no-challenge --user=[username] --password=[password] https://my.server.com/api/action.json"

Keith Phillips

Oct 11, 2016, 9:55:46 PM
to web2py-users
YES!  This was the solution for me as well.  Thanks!
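
A way to confirm the cause found in this thread, as an added example that is not code from any poster or from web2py: a minimal WSGI diagnostic app that reports whether the Authorization header reaches the application at all, which under Apache/mod_wsgi it does not unless WSGIPassAuthorization is On. The names parse_basic_auth, probe and SAMPLE and the sample credentials are assumptions made up for the illustration.

```python
import base64
import binascii
from wsgiref.util import setup_testing_defaults


def parse_basic_auth(environ):
    """Return (user, password) from HTTP_AUTHORIZATION, or None if absent/malformed."""
    header = environ.get("HTTP_AUTHORIZATION")
    if not header:
        return None  # what the application sees when Apache withholds the header
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def application(environ, start_response):
    """Diagnostic WSGI app: reports whether credentials arrived, never echoes the password."""
    creds = parse_basic_auth(environ)
    if creds is None:
        status = "401 Unauthorized"
        body = "Authorization header not visible to the WSGI application\n"
        headers = [("WWW-Authenticate", 'Basic realm="diagnostic"')]
    else:
        status = "200 OK"
        body = "Authorization header received for user %s\n" % creds[0]
        headers = []
    data = body.encode("utf-8")
    headers += [("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(data)))]
    start_response(status, headers)
    return [data]


def probe(extra_environ):
    """Call the app in-process with a constructed request; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra_environ)
    seen = {}
    body = b"".join(application(environ, lambda s, h, e=None: seen.update(status=s)))
    return seen["status"], body.decode("utf-8")


# Constructed sample credentials, not taken from the thread.
SAMPLE = "Basic " + base64.b64encode(b"alice@example.com:s3cret").decode("ascii")
```

Served through mod_wsgi on the affected host, a 401 from this app while the client is sending credentials means Apache is not forwarding the header, which is the situation WSGIPassAuthorization On corrects.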