Basic Auth Identity Policy for Morepath
more.basicauth: HTTP Basic Authentication integration for Morepath
This is a Morepath authentication extension for HTTP Basic Authentication. It was originally part of Morepath, but since basic auth is almost always what you don’t want we decide to move it to a separate extension.
Some Pros and Cons:
This argues against basic auth: http://adrianotto.com/2013/02/why-http-basic-auth-is-bad
But this argues for basic auth: https://www.rdegges.com/2015/why-i-love-basic-auth
Alternative authentication extensions for morepath are:
more.jwtauth: A token based authentication sytem using JSON Web Token (JWT).
more.isdangerous: A cookie based identity policy using isdangerous.
Basic authentication is special in a number of ways:
The HTTP response status that triggers basic auth is Unauthorized (401), not the default Forbidden (403). This needs to be sent back to the browser each time login fails, so that the browser asks the user for a username and a password.
The username and password combination is sent to the server by the browser automatically; there is no need to set some type of cookie on the response. Therefore remember_identity does nothing.
With basic auth, there is no universal way for a web application to trigger a log out. Therefore forget_identity does nothing either.
To trigger a 401 status when time Morepath raises a 403 status, we can use an exception view, something like this:
from webob.exc import HTTPForbidden @App.view(model=HTTPForbidden) def make_unauthorized(self, request): @request.after def set_status_code(response): response.status_code = 401 return "Unauthorized"
For the login code, as remember_identity is not an option, you can just check the password:
# check whether user has password, using password hash and database if not user_has_password(username, password): return "Sorry, login failed" # or something more fancy
Note that user_has_password stands in for whatever method you use to check a user’s password; it’s not part of Morepath.
Here a full example for a basic setup:
import morepath from more.basicauth import BasicAuthIdentityPolicy from webob.exc import HTTPForbidden class App(morepath.App): pass @App.identity_policy() def get_identity_policy(): return BasicAuthIdentityPolicy() @App.verify_identity() def verify_identity(identity): # Do the password validation. return user_has_password(identity.username, identity.password) @App.view(model=HTTPForbidden) def make_unauthorized(self, request): @request.after def set_status_code(response): response.status_code = 401 return "Unauthorized"
The login form could look like:
from webob.exc import HTTPProxyAuthenticationRequired class Login: pass @App.path(model=Login, path='login') def get_login(): return Login() @App.view(model=Login, request_method='POST') def login(self, request): username = request.POST['username'] password = request.POST['password'] # Do the password validation. if not user_has_password(username, password): raise HTTPProxyAuthenticationRequired('Invalid username/password') return "You're logged in." # or something more fancy
Python (3.4, 3.5, 3.7, 3.8)
morepath (>= 0.19)
Removed: Removed support for Python 2.
You have to upgrade to Python 3 if you want to use this version.
Dropped support for Python 3.3 and added support for Python 3.5, 3.6, 3.7 and PyPy 3.6.
Make Python 3.7 the default testing environment.
Add integration for the Black code formatter.
We now use virtualenv and pip instead of buildout to set up the development environment. A development section has been added to the README accordingly.
Upgrade to Morepath 0.15.
Add testenv for Python 3.5 and make it the default test environment.
Change author to “Morepath developers”.
Clean up classifiers.
Upgrade to Morepath 0.14.
Some minor improvements to the buildout setup workflow.
Extract Basic Auth from Morepath.
Return NO_IDENTITY instead of None, if user cannot identify.
Replace class ‘app’ with ‘App’ in tests.
Add a login test.
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Hashes for more.basicauth-0.5-py2.py3-none-any.whl