Skip to main content

Basic Auth Identity Policy for Morepath

Project description

more.basicauth: HTTP Basic Authentication integration for Morepath

Overview

This is a Morepath authentication extension for HTTP Basic Authentication. It was originally part of Morepath, but since basic auth is almost always what you don’t want we decide to move it to a separate extension.

Some Pros and Cons:

Alternative authentication extensions for morepath are:

  • more.jwtauth: A token based authentication sytem using JSON Web Token (JWT).

  • more.isdangerous: A cookie based identity policy using isdangerous.

Introduction

Basic authentication is special in a number of ways:

  • The HTTP response status that triggers basic auth is Unauthorized (401), not the default Forbidden (403). This needs to be sent back to the browser each time login fails, so that the browser asks the user for a username and a password.

  • The username and password combination is sent to the server by the browser automatically; there is no need to set some type of cookie on the response. Therefore remember_identity does nothing.

  • With basic auth, there is no universal way for a web application to trigger a log out. Therefore forget_identity does nothing either.

To trigger a 401 status when time Morepath raises a 403 status, we can use an exception view, something like this:

from webob.exc import HTTPForbidden

@App.view(model=HTTPForbidden)
def make_unauthorized(self, request):
    @request.after
    def set_status_code(response):
        response.status_code = 401
    return "Unauthorized"

For the login code, as remember_identity is not an option, you can just check the password:

# check whether user has password, using password hash and database
if not user_has_password(username, password):
    return "Sorry, login failed" # or something more fancy

Note that user_has_password stands in for whatever method you use to check a user’s password; it’s not part of Morepath.

Usage

Here a full example for a basic setup:

import morepath
from more.basicauth import BasicAuthIdentityPolicy
from webob.exc import HTTPForbidden


class App(morepath.App):
    pass


@App.identity_policy()
def get_identity_policy():
    return BasicAuthIdentityPolicy()


@App.verify_identity()
def verify_identity(identity):
    # Do the password validation.
    return user_has_password(identity.username, identity.password)


@App.view(model=HTTPForbidden)
def make_unauthorized(self, request):
    @request.after
    def set_status_code(response):
        response.status_code = 401

    return "Unauthorized"

The login form could look like:

from webob.exc import HTTPProxyAuthenticationRequired


class Login:
    pass


@App.path(model=Login, path='login')
def get_login():
    return Login()


@App.view(model=Login, request_method='POST')
def login(self, request):
    username = request.POST['username']
    password = request.POST['password']

    # Do the password validation.
    if not user_has_password(username, password):
        raise HTTPProxyAuthenticationRequired('Invalid username/password')

    return "You're logged in."  # or something more fancy

Requirements

  • Python (3.4, 3.5, 3.7, 3.8)

  • morepath (>= 0.19)

CHANGES

0.5 (2020-04-26)

  • Removed: Removed support for Python 2.

    You have to upgrade to Python 3 if you want to use this version.

  • Dropped support for Python 3.3 and added support for Python 3.5, 3.6, 3.7 and PyPy 3.6.

  • Make Python 3.7 the default testing environment.

  • Add integration for the Black code formatter.

0.4 (2016-10-21)

  • We now use virtualenv and pip instead of buildout to set up the development environment. A development section has been added to the README accordingly.

0.3 (2016-07-20)

  • Upgrade to Morepath 0.15.

  • Add testenv for Python 3.5 and make it the default test environment.

  • Change author to “Morepath developers”.

  • Clean up classifiers.

0.2 (2016-04-25)

  • Upgrade to Morepath 0.14.

  • Some minor improvements to the buildout setup workflow.

0.1 (2016-04-16)

  • Extract Basic Auth from Morepath.

  • Return NO_IDENTITY instead of None, if user cannot identify.

  • Replace class ‘app’ with ‘App’ in tests.

  • Add a login test.

  • Enhance documentation.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

more.basicauth-0.5.tar.gz (7.7 kB view details)

Uploaded Source

Built Distribution

more.basicauth-0.5-py2.py3-none-any.whl (7.9 kB view details)

Uploaded Python 2 Python 3

File details

Details for the file more.basicauth-0.5.tar.gz.

File metadata

  • Download URL: more.basicauth-0.5.tar.gz
  • Upload date:
  • Size: 7.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.1.3 requests-toolbelt/0.9.1 tqdm/4.45.0 CPython/3.7.3

File hashes

Hashes for more.basicauth-0.5.tar.gz
Algorithm Hash digest
SHA256 b6f6cc077d18acd4ab0497fb8a76ed28d996ad7218a9824cd975b96944c94ccc
MD5 33ceeda360a5381c05c7cd68f2a13314
BLAKE2b-256 d5265b736a3da38488b04321134d3a7b3094957e33747287b9f1941fa72e944f

See more details on using hashes here.

File details

Details for the file more.basicauth-0.5-py2.py3-none-any.whl.

File metadata

  • Download URL: more.basicauth-0.5-py2.py3-none-any.whl
  • Upload date:
  • Size: 7.9 kB
  • Tags: Python 2, Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.1.3 requests-toolbelt/0.9.1 tqdm/4.45.0 CPython/3.7.3

File hashes

Hashes for more.basicauth-0.5-py2.py3-none-any.whl
Algorithm Hash digest
SHA256 8dcbc97b6a0bc36619fd16a36f8181d45be049c62a74b2eec0270e898c76ec2c
MD5 1d245cceb7ae04ccf081aa751e0cbfd1
BLAKE2b-256 642b74ca4e859030769420674c7e07f146afa39e3758e06cc40c7fc4009c5413

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page