Bare Login using API key


lyn2py

Jul 29, 2014, 5:45:47 PM
to web...@googlegroups.com
Hi guys, 

Creating an API (within my web2py app), and need to use a login that's not the user's login, hence the API key. How should I go about a bare login using API key?


Michael Gheith

Jul 30, 2014, 12:03:02 PM
to web...@googlegroups.com
From a high level view you can create an extra field in the auth table, and put random keys in it as a default value for each of your users.  Or when someone signs up, they can automatically get assigned a random key using the DAL default parameter in Field.  So each user will have a unique key.  There are several methods to generate these random keys, you can search for it here in the web2py group.  Let me know if that makes sense.

Best,
M.G.

lyn2py

Jul 30, 2014, 1:43:29 PM
to web...@googlegroups.com
I may have been misunderstood. 

I meant to ask, how can I have a user use API keys (API key + secret if needed) to access JSON-RPC instead of user login/pass.

Thanks.

Leonel Câmara

Jul 30, 2014, 2:06:21 PM
to
An easy way would be to have your default.py/call function check the API key and raise HTTP(403) if it's not valid. You could subclass Auth, make your own basic_login using the API key, use that as the Auth for your application, and then use auth.requires_login() in call, but it seems unnecessarily complicated for this.
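The check Leonel describes, written out as an added example (not code from the thread or from web2py itself): the key is read from a request header rather than the URL, only a hash of it is stored in the user table, and an invalid key aborts with HTTP(403). The `HTTP` class, `USERS` table and `api_key_hash` field are stand-ins so the logic runs without gluon; in a real default.py `call` action the header would arrive as `request.env.http_x_api_key`.

```python
import hashlib
import hmac
import secrets


class HTTP(Exception):
    """Stand-in for gluon.http.HTTP, raised to abort the request."""

    def __init__(self, status):
        super().__init__(status)
        self.status = status


def generate_api_key():
    """Random key shown to the user once; only its hash is persisted."""
    return secrets.token_urlsafe(32)


def hash_api_key(key):
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed stand-in for db.auth_user rows with an extra api_key_hash field.
USERS = {}


def register_user(user_id, email):
    """Assign a fresh key at signup and return it to the caller (once)."""
    key = generate_api_key()
    USERS[user_id] = {"email": email, "api_key_hash": hash_api_key(key)}
    return key


def user_for_api_key(presented):
    """Return the user row whose stored hash matches the presented key, else None."""
    if not presented:
        return None
    digest = hash_api_key(presented)
    for row in USERS.values():
        # Constant-time comparison so timing does not reveal matching prefixes.
        if hmac.compare_digest(digest, row["api_key_hash"]):
            return row
    return None


def check_api_key(env):
    """What a `call` action would run first: env mirrors request.env.

    The key is expected in an X-API-Key header (http_x_api_key), not in the
    URL, so it is not written to access logs alongside the path.
    """
    user = user_for_api_key(env.get("http_x_api_key"))
    if user is None:
        raise HTTP(403)
    return user
```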

lyn2py

Jul 31, 2014, 2:19:36 AM
to web...@googlegroups.com
Thanks Leonel! I just thought that web2py had something like that already in place, perhaps needed to add a correct decorator, and I didn't need to reinvent the wheel.

Sidenote to Massimo: What do you think of the idea? Have a decorator to check for a special field or fields (API key related, like API key, API secret) in order to get a particular / restricted access to the API calls.

Albert Abril

Jul 31, 2014, 6:55:00 AM
to web...@googlegroups.com
I'm already working with this now. 

Since I'm planning to make my actual webapp API based only, and on the other side, the frontend as a client of this API with angularjs.

I think I'm more interested in doing a session-token-based authentication like this.
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/





lyn2py

Aug 5, 2014, 10:39:10 PM
to web...@googlegroups.com
Hi Massimo, in case you missed this, this is a call out, I hope you can shed some light on this.

If I would like to do something like:

Massimo Di Pierro

Aug 6, 2014, 4:09:16 PM
to web...@googlegroups.com
You will find those parameters hashed in 
request.env.HTTP_AUTHORIZATION
(this puzzles me because it is supposed to be request.env.http_authorization) in web2py.

Anyway, this method of authentication is discouraged for security reasons, and most browsers, including Chrome and IE, strip them from the URL:

lyn2py

Aug 7, 2014, 7:03:20 AM
to web...@googlegroups.com
Ok thank you for pointing out the security measures. I'm new to this so I had no idea about it.

Is it better to do away with login:pa...@url.com and use instead url.com/call/jsonrpc/api_key , or what would be the correct / recommended method to serve APIs with web2py?

Thank you, I appreciate it.

Massimo Di Pierro

Aug 7, 2014, 8:06:54 PM
to web...@googlegroups.com
From a security standpoint they have the same problem, but at least the latter is not blocked by browsers and you can test it in the browser.