Use multiple authentication policies with pyramid
Project description
Pyramid authentication stack
The pyramid_authstack package makes it possible to stack multiple authentication policies in a pyramid project. This can be useful in several scenarios:
You need to be able to identify a user for a long period of time, while requiting a recent login to access personal information. Amazon is an example of a site doing this.
You want to send a newsletter to users and log the user in automatically when they follow a link in the newsletter, but not give automatically give them access to sensitive information.
Confusing a multi-authentication policy is simple: create an instance of the AuthenticationStackPolicy object, add the authentication policies you want to it and then tell Pyramid to use it.
from pyramid.authentication import AuthTktAuthenticationPolicy from pyramid_authstack import AuthenticationStackPolicy auth_policy = AuthenticationStackPolicy() # Add an authentication policy with a one-hour timeout to control # access to sensitive information. auth_policy.add_policy( 'sensitive', AuthTktAuthenticationPolicy('secret', timeout=60 * 60)) # Add a second authentication policy with a one-year timeout so # we can identify the user. auth_policy.add_policy( 'identity', AuthTktAuthenticationPolicy('secret', timeout=60 * 60 * 24 * 365)) config.set_authentication_policy(auth_policy)
The name used for the sub-policy (sensitive and identity in the example above) will be added to the principals if the sub-policy can authenticate the user. This makes it very easy to check which authentication policies matched in an ACL:
class MyModel(object): # Only allow access if user authenticated recently. __acl__ = [(Allow, 'auth:sensitive', 'view')]
When you call remember() or forget() all sub-policies will be trigged. You can filter the list of policies used by adding a policies parameter. A use case where this is important is a user coming to the site via a link in a newsletter: in that scenario you can identify the user, but do not want to give access to sensitive information without asking for extra credentials.
from pyramid.security import remember # Only set identity-authentication. headers = remember(request, 'chrism', policies=['identity'])
Comparison to pyramid_multiauth
Mozilla has a similar project: pyramid_multiauth. There are a few difference between that package and this one:
pyramid_multiauth has no way to indicate which authentication policy matched, which makes it unusable for my uses causes unless you always use custom authentication sub-policies which add custom an extra principal. This could be fixed, but it would require changing the API in a non-backward compatible way.
pyramid_multiauth duplicates some of the callback-handling code instead of reusing pyramid’s CallbackAuthenticationPolicy.
pyramid_multiauth allows configuration via the PasteDeploy .ini file, which pyramid_authstack does not support.
Changelog
1.0.1 - August 10, 2013
Fix use of obsolete naming in the README.
Add callback parameter to constructor.
1.0.0 - August 10, 2013
First release.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
File details
Details for the file pyramid_authstack-1.0.1.tar.gz
.
File metadata
- Download URL: pyramid_authstack-1.0.1.tar.gz
- Upload date:
- Size: 5.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 039a291588f99a00585f145deca40a48ba23194aa2582e4f244d5da98303cad3 |
|
MD5 | 8e199862b5a5cd6385f7d5209cee2f12 |
|
BLAKE2b-256 | 014be84cb8fda19f0f03f96231195fd074212b9291f732aa07f90edcfb21ff34 |