authentication library?


Bill Seitz

May 15, 2012, 12:52:29 PM
to web.py
Is there no "standard" library for web.py for providing register/login/etc.?

The docs page doesn't have much: http://webpy.org/cookbook/userauth

I found this nice-looking jpscaletti library, but it wouldn't work for
me, and the only reference to it in this group was from someone else
who hit the same wall with no resolution. http://jpscaletti.com/webpy_auth/

Is nobody building user UI with web.py, or is just nobody sharing the
code?

Shannon Cruey

May 15, 2012, 1:53:23 PM
to we...@googlegroups.com
I'm doing a very rich UI with authentication, but it's all custom.  In my experience, while the *concept* of registration/user management/authentication is standard, the *implementation* always has some nuances.  I suspect that's why there isn't a cookie-cutter authentication scheme out there.  (Not to mention if there was one, and everyone loved it and used it, it would be far less secure.)

I do the basics from the docs page here: http://webpy.org/docs/0.3/sessions

I then extended that with my specific database stuff for logging in, checking password, etc.

For ensuring a user remains authenticated, I put the user_id in the session.  I use an auth handler that fires on every request - and throws you back to the login page if your cookie ever goes away.  (/bypass is an example of a url that *is* allowed, even without an authenticated session.  Be aware, it appears /static is exempt by default, so don't put anything secret in there.)

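import urllib  # Python 2; on Python 3 use urllib.parse.quote_plus
import web

# "session" is the web.session.Session object set up as in the sessions docs.
# Register this with app.add_processor(auth_app_processor).
def auth_app_processor(handle):
    path = web.ctx.path

    # URLs that are allowed even without an authenticated session
    if path == "/bypass":
        return handle()

    # Everything except the login page needs a user in the session
    if path != "/login" and not session.get('user', False):
        raise web.seeother('/login?msg=' + urllib.quote_plus("Session expired."))

    return handle()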

Just banged this out while eating lunch.  Hope it helps.
NSC





Bill Seitz

May 15, 2012, 7:57:46 PM
to web.py
Thanks, I'll try to piece things together.


Ryan Sears

May 15, 2012, 9:27:58 PM
to we...@googlegroups.com
Good luck, it seemed quite daunting when I first looked at it, but
it's not too bad. I actually ended up using bcrypt to store passwords,
and I could make the authentication system as secure as I wanted it.
You could also look into writing a decorator to protect every URL you
want; that seems like a pretty logical thing to do. If you need any
other pointers, feel free to ask!

Ryan
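
The two suggestions in the post above (hashed password storage and a decorator guarding each handler), as an added example that is not code from anyone in this thread. It swaps the standard library's PBKDF2-HMAC-SHA256 in for bcrypt so it runs without third-party packages; Redirect (standing in for web.seeother), login, login_required, the plain-dict session and the sample user are all assumptions.

```python
import hashlib
import hmac
import os
from functools import wraps

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

class Redirect(Exception):  # hypothetical stand-in for web.seeother
    def __init__(self, url):
        super().__init__(url)
        self.url = url

def hash_password(password, iterations=ITERATIONS):
    """Return 'iterations$salt_hex$digest_hex' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

# Constructed sample data: a dummy hash for unknown names, and one user.
DUMMY = hash_password("constructed-dummy")
USERS = {"alice": {"id": 1, "pw": hash_password("correct horse")}}

def login(session, users, name, password):
    """Store user_id in the session only after the password verifies."""
    record = users.get(name)
    # Unknown names are still hashed against DUMMY so both paths cost the same.
    ok = verify_password(password, record["pw"] if record else DUMMY)
    if record and ok:
        session["user_id"] = record["id"]
        return True
    return False

def login_required(session):
    """Decorator factory: redirect to /login unless the session has a user_id."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(*args, **kwargs):
            if not session.get("user_id"):
                raise Redirect("/login")
            return handler(*args, **kwargs)
        return wrapper
    return decorator
```

Because the cost and salt are stored with each hash, the work factor can be raised later and old records still verify.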