REST Auth token or header etc.

[firestalk]

Hello

I am trying to make a simple application with weppy and still new to all the stuff with this great framework. One of the features I need is to POST new data from outer source, by curl, for example. And I want to make it available only to authenticated sources.

Is there any solution to send and check some kind of auth key within my data or make api route available only to requests with auth header?

for example, there is a basic auth method in graylog-rest interface

curl -u GM:superpower -H 'Accept: application/json' -X GET 'http://192.168.178.26:9000/api/cluster?pretty=true'

or as in some django projects, by passing auth header

headers = {'Authorization':'ApiKey GM:superpower'}

[gi0baro]

Hello @firestalk, it actually depends on what do you want to achieve with the auth header. You just need to avoid access without that header (read: you have just one key) or you want to bind keys with users, so you also need to have a session-like flow selecting the correct user depending on the auth key?

[firestalk]

@gi0baro, for this case it is not so important, so I can use one key for all, just to avoid uninvited guests.
But for future, I'd like to understand, how to bind keys with users.

[gi0baro]

@firestalk ok, then you can build everything using the weppy pipeline.

Here is an example for the same ApiKey for everybody:

from weppy import request, response
from weppy.pipeline import Pipe

class ApiKeyPipe(Pipe):
    KEY = "MySecretKey"

    def is_valid_key(self):
        try:
            components = request.headers['Authorization'].split(" ")
            assert components[0] == "ApiKey"
            assert components[1] == self.KEY
        except Exception:
            return False
        return True

    def pipe(self, next_pipe, **kwargs):
        if not self.is_valid_key():
            response.status = 401
            return {"error": "not authorized"}
        return next_pipe(**kwargs)

Then you can just add the application pipeline or create an upper main module:

from weppy.tools import ServicePipe

apis = app.module(__name__, 'apis')
apis.pipeline = [ServicePipe('json'), ApiKeyPipe()]

todos = apis.rest_module(__name__', 'todos', Todo, url_prefix='todos')

If you need to keep an user in the flow selecting it from the ApiKey, then you need some more pipes:

from weppy import sdict, session
from weppy.globals import current

# init the session
class SessionInitializer(Pipe):
    def open(self):
        current.session = sdict()

# store api key in the session
class ApiKeyPipe(Pipe):
    def is_valid_key(self):
        try:
            components = request.headers['Authorization'].split(" ")
            assert components[0] == "ApiKey"
            session._api_key = components[1]
        except Exception:
            return False
        return True

    def pipe(self, next_pipe, **kwargs):
        if not self.is_valid_key():
            response.status = 401
            return {"error": "not authorized"}
        return next_pipe(**kwargs)

# fetch the user with some external logic
class UserFetcherPipe(Pipe):
    def pipe(self, next_pipe, **kwargs):
        session.user = some_method_to_fetch_user_from_apikey(session._api_key)
        if not session.user:
            response.status = 401
            return {"error": "not_authorized"}
        return next_pipe(**kwargs)

Then again fill the pipeline:

apis.pipeline = [SessionInitializer(), ApiKeyPipe(), UserFetcherPipe()]

then in your routes you can access session.user.

Let me know it this works for you :)

[firestalk]

@gi0baro thank you! I thought this is achievable by pipelines but your suggestion is crystal clear!
Ill try this in a few days and write you back.

[firestalk]

@gi0baro, Thank you! Single key solution works like a charm!