..a decorative auth library for Tornado.
Project description
gadeu (가드) is a decorative auth library for Tornado.
This README is only a high-level introduction to gadeu. For more detailed documentation, please view the official docs at https://gadeu.readthedocs.io.
Installation
You can install gadeu from PyPI through usual means, such as pip:
pip install gadeu
Usage
To use gadeu two things must be done; first you must register at least one authorization handler, and second you must apply one of the authorization decorators to a request handler method. Consider the following example:
import tornado
from gadeu import *
from .api.FakeApi import FakeApi
# you configure an authorization handler
AuthorizationManager.setAuthorizationHandler(
AuthorizationMethod.APIKEY,
handlers.ApiKeyAuthorizationHandler(key=apiKeySecret)
)
# you create a tornado app
app = tornado.web.Application()
# you add some handlers for your app
app.add_handlers('.*', [
(r'/api/v2/fakes', FakeApi),
(r'/api/v2/fakes/(?P<id>\d+)', FakeApi),
(r'/api/v2/fakes/(?P<name>[\dA-Za-z]+)', FakeApi),
(r'/api/v2/fakes/(?P<id>\d+)/(?P<name>[^/][\dA-Za-z]+)', FakeApi)
])
Elsewhere in your project, you defined FakeApi and decorated at least one handler:
import tornado
from gadeu import authorization
class FakeApi(tornado.web.RequestHandler):
def initialize(self) -> None:
pass
@authorization.apiKey
async def put(self, id:str, name:str) -> None:
_d[id] = name
self.set_status(204)
In the above example, FakeApi.put has been decorated with @authorization.apiKey which will force a check for a valid API Key. The expectations of that check are implemented via the ApiKeyAuthorizationHandler configured in the first few lines of the example. There are more options than are shown here, but this basic setup is enough for a server to check for a valid API Key.
If you need to generate an encryption key there is a TokenUtil class that exposes a createSecretKey(...) method which you can use for this purpose, example:
from gadeu import *
# never share this key! it should get stored to a keyvault and
# managed securely as part of your app settings.
secretKey = TokenUtil().createSecretKey(AuthorizationMethod.APIKEY)
You can also use TokenUtil to generate API Keys using your secret key.
# share this key securely with your business partners, developers,
# testers, etc that need to authorize requests with a server.
apiKey = TokenUtil().createToken(secretKey, {'app':'bob123'}, AuthorizationMethod.APIKEY)
In the above example you can see a dictionary {'app':'bob123'}, this is a "claims object" that gets encoded into the resulting token (apiKey). Developers can access these claims via "validator functions" optionally set via the AuthorizationManager configured for the service.
Currently, only apiKey and bearerToken security schemes are supported, with a plan to add others as they are requested, PR'd, or required for our own projects. Both apiKey and bearerToken tokens are encrypted, and unless you leak your secret keys the wider public should not be able to peek at the token contents (ie. the "claims" you've stored.) That said, it is NOT a good practice to store anything sensitive in a claim (such as keys, passwords, etc.)
Custom/Proprietary Authorization Methods
You can subclass AuthorizationHandler to implement custom behavior. You are encouraged to submit a PR if you find yourself implementing any well known security schemes such as:
- mutualTLS
- OAuth2
- openIdConnect
Since we do not currently use these schemes there are not yet handlers for them, despite their popularity.
Checking Claims
In the future there will be decorators to facilitate claims assertions.
In the current implementation you can assert claims from a custom validator function, or even better check for claims within your handler methods. Example:
class FakeApi(tornado.web.RequestHandler):
@authorization.apiKey
async def put(self, id:str, name:str) -> None:
claims = self.request.arguments.get('claims', {})
assert claims.get('can_edit', False)
# do stuff
Obviously this is a naive example, and you should probably HTTPError back to the client, but you get the idea. If claims is an argument name you already use (and therefore would be clobbered by gadeu) then you can configure a custom argument name in your AuthorizationHandler. Example:
AuthorizationManager.setAuthorizationHandler(
AuthorizationMethod.APIKEY,
handlers.ApiKeyAuthorizationHandler(
key=secretKey,
claimsArgumentName='my_epic_arg_name')
)
Contact
You can reach me on Discord or open an Issue on Github.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file gadeu-0.0.4.tar.gz.
File metadata
- Download URL: gadeu-0.0.4.tar.gz
- Upload date:
- Size: 11.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3+
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1aa51b1a92bdacbe2501164d2ee1974825fa4fe2c9d7fb4717d5c619c8e09af2
|
|
| MD5 |
ea57bf74555fc7b12e2ae9fc0b599f6a
|
|
| BLAKE2b-256 |
a2842f1fa4449cf726a06365692d54c570a5709ec82977fd98dc7714b6eef2f9
|
File details
Details for the file gadeu-0.0.4-py3-none-any.whl.
File metadata
- Download URL: gadeu-0.0.4-py3-none-any.whl
- Upload date:
- Size: 12.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.3+
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1ee09cf2a989d3ed2af9fd1f33bf3175fefefe54f663291ca1e1734283bbb49d
|
|
| MD5 |
7297f12cb52fccd950bcc0fd2fbcaf5f
|
|
| BLAKE2b-256 |
ae6e2f51d0755b8cdf9601e1ca28452e6be1549a7b7f72eedbd05f512393bcd5
|
