How shall we implement the login functionality with Python?
I understand python-eve supports HMAC or token-based authentication, i.e. including the token or hash in the header of each request. However, how shall we implement login in the first place, i.e. the process where we verify the username and password before we give them the token/HMAC hash? Shall we just accept a new route method like the one below and read the DB directly, or is there a better way to do that?
@app.route('/login', methods=['POST'])
def login(): ...  # verify username/password here, then return a token
Ideally user IDs, secret keys and tokens are provided through some out-of-band technique, e.g. an e-mail, plain old paper, or a webpage (not advisable). The client will use the supplied secret key to sign all requests.
Logins do not belong in REST services, which are stateless by definition (they don't store the state of the client; that's why you authenticate on every single request).
My advice is to handle user registration on a different service/website than the API itself. In any case, make sure that the token/userid/secret key is being sent out-of-band. Man-in-the-middle attacks and the like could spoof the secret key, then use it to sign API requests on behalf of the intended client.
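The request-signing scheme this answer describes (client holds an out-of-band secret, server recomputes the HMAC on every request) can be shown in plain Python without Eve. The following is an added example, not code from the answer or from the python-eve project; the `SECRET_KEYS` table, the header names and the 300-second clock-skew window are assumptions made for illustration. The canonical string binds method, path, timestamp and a body hash, so a captured signature cannot be reused for a different body or path, and the timestamp check bounds replay of a captured request.

```python
import hashlib
import hmac
import time

# Hypothetical server-side store of per-user secret keys. In the answer's model the
# secret reaches the client out-of-band; this is a constructed sample value.
SECRET_KEYS = {"alice": b"constructed-out-of-band-secret-for-alice"}

# Window (seconds) within which a signed request is accepted; bounds replay of a
# captured request. Assumed value for the example.
MAX_CLOCK_SKEW = 300


def canonical_string(method, path, timestamp, body):
    """Bind method, path, timestamp and a hash of the body into one string to sign."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(user_id, secret_key, method, path, body, timestamp=None):
    """Client side: produce the headers that accompany the request."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    mac = hmac.new(secret_key, canonical_string(method, path, ts, body), hashlib.sha256)
    return {"X-User-Id": user_id, "X-Timestamp": ts, "X-Signature": mac.hexdigest()}


def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the HMAC from the stored secret and compare in constant time."""
    user_id = headers.get("X-User-Id")
    secret_key = SECRET_KEYS.get(user_id)
    if secret_key is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_CLOCK_SKEW:
        return False  # stale or future-dated: treat as a replay attempt
    expected = hmac.new(
        secret_key, canonical_string(method, path, str(ts), body), hashlib.sha256
    ).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    body = b'{"title": "hello"}'
    hdrs = sign_request("alice", SECRET_KEYS["alice"], "POST", "/posts", body)
    print("valid:", verify_request(hdrs, "POST", "/posts", body))
    print("tampered body:", verify_request(hdrs, "POST", "/posts", b'{"title": "other"}'))
```

Because the secret is never sent on the wire, only the signature, an observer of the traffic learns nothing that lets them sign a different request; this is what makes the out-of-band delivery of the secret the critical step the answer warns about.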
To properly implement token-based authentication, ideally you need to have an Identity Provider (IdP) to which you authenticate and which returns a valid, time-limited token that you can then use with the Service Providers (i.e. your API) that trust the IdP.
This said, I guess you could do an initial basic auth as supported by Eve, and return a token that your client will use in subsequent requests. In my view, the security benefit would be that the credentials are vulnerable during the initial request only instead of on every single request. The drawback is that the IdP and the SP would be one and the same.
You can read more about token auth here:
Hope it helps.
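The "initial basic auth, then a time-limited token" flow this answer suggests, written out as an added example (not the answer's code and not Eve's BasicAuth/TokenAuth classes): the `/login` handler checks a salted PBKDF2 password hash once and hands back a token whose payload (user, expiry) is authenticated by an HMAC under a server-side key; later requests present the token and the server verifies signature and expiry without touching the password store again. The in-memory `USERS` table, `TOKEN_SIGNING_KEY` and the one-hour lifetime are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import secrets
import time

# Server-side key that authenticates issued tokens (constructed sample; in a real
# deployment it comes from configuration, never from the code).
TOKEN_SIGNING_KEY = b"constructed-server-side-token-signing-key"
TOKEN_LIFETIME = 3600  # seconds; the answer calls for a time-limited token
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


# Hypothetical user table with one constructed sample account.
USERS = {"alice": hash_password("correct horse battery staple")}


def check_password(username, password):
    """Constant-time comparison; unknown users still pay the hashing cost."""
    rec = USERS.get(username)
    if rec is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, now=None):
    """Token = b64(payload).b64(HMAC(payload)); payload carries subject and expiry."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "exp": now + TOKEN_LIFETIME, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims).encode()
    sig = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token, now=None):
    """Return the username if the signature is valid and the token unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # payload or signature altered
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None  # expired: client must log in again
    return claims.get("sub")


def login(username, password, now=None):
    """Body of the POST /login handler: verify credentials once, return a token or None."""
    if not check_password(username, password):
        return None
    return issue_token(username, now)


if __name__ == "__main__":
    tok = login("alice", "correct horse battery staple")
    print("token issued:", tok is not None)
    print("subject:", verify_token(tok))
    print("bad password:", login("alice", "wrong"))
```

The password only travels on the `/login` request, which is the benefit the answer describes; the cost is that the same service both authenticates users and serves the API, so compromise of `TOKEN_SIGNING_KEY` lets anyone mint tokens, which is the "IdP and SP are one and the same" drawback.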
