apicrud.session_auth - Session Authorization

Functions for login, password and role authorization.
created 26-mar-2020 by richb@instantlinux.net
class apicrud.session_auth.SessionAuth(config=None, models=None, func_send=None)
    Session Authorization

    - Parameters
        config (obj) – the config-file key-value object
        models (obj) – the models file object
        func_send (function) – name of function for sending message

    account_login(username, password, roles_from=None)
        Log in with username or email

        - Parameters
            username (str) – account name or email
            password (str) – credential
            identity_from (obj) – model from which to find contact info
            roles_from (obj) – model for which to look up authorizations
        - Returns
            Fields include jwt_token (contains uid / account ID), ID of entry in settings database, and a sub-dictionary with mapping of endpoints registered to microservices
        - Return type
            dict

    change_password(uid, new_password, reset_token, old_password=None)
        Update a user's password, applying complexity rules; must specify either the old password or a reset token

        - Parameters
            uid (str) – User ID
            new_password (str) – the new passphrase
            reset_token (str) – a token retrieved from Confirmation.request
            old_password (str) – the old passphrase
        - Returns
            dict with account_id/uid/username, http response
        - Return type
            tuple

    forgot_password(identity, username)
        Trigger Confirmation.request; specify either the username or email address

        - Parameters
            identity (str) – account's primary identity, usually an email
            username (str) – account's username
        - Returns
            the Confirmation.request dict and http response
        - Return type
            tuple

    get_roles(uid, member_model, resource=None, id=None)
        Get roles that match uid / id for a resource. Each is in the form <resource>-<id>-<privacy level>

        - Parameters
            uid (str) – User ID
            member_model (obj) – the DB model that defines membership in resource
            resource (str) – the resource that defines privacy (e.g. list)
            id (str) – ID of the resource (omit if all are desired)
        - Returns
            authorized roles
        - Return type
            list of str

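The `<resource>-<id>-<privacy level>` role format described for get_roles is easy to build and easy to get wrong when parsed, because a resource ID may itself contain hyphens. The following is an added, self-contained illustration (not apicrud's own code): a constructed in-memory stand-in for the member_model rows, a `get_roles`-style lookup that produces role strings in the documented form and honours the optional `resource` / `id` filters, and a parser that splits on the first and last hyphen only so that hyphenated IDs survive a round trip. The `Membership` class, the sample rows and the `parse_role` / `has_role` helpers are assumptions for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Membership:
    """Constructed stand-in for one row of a member_model (e.g. Guest)."""
    uid: str
    resource: str      # the resource that defines privacy, e.g. "list"
    resource_id: str   # ID of the resource; may contain hyphens
    privacy: str       # privacy level granted by this membership


# Constructed sample data; real rows would come from the DB model.
SAMPLE_MEMBERSHIPS = [
    Membership("u1", "list", "abc123", "member"),
    Membership("u1", "list", "x-y-z", "public"),
    Membership("u1", "event", "e1", "invitee"),
    Membership("u2", "list", "abc123", "manager"),
]


def get_roles(uid: str, memberships: List[Membership],
              resource: Optional[str] = None,
              id: Optional[str] = None) -> List[str]:
    """Return sorted, de-duplicated roles of the form
    <resource>-<id>-<privacy level> that match uid, optionally narrowed
    to one resource type and one resource ID (omit id for all)."""
    roles = set()
    for m in memberships:
        if m.uid != uid:
            continue
        if resource is not None and m.resource != resource:
            continue
        if id is not None and m.resource_id != id:
            continue
        roles.add(f"{m.resource}-{m.resource_id}-{m.privacy}")
    return sorted(roles)


def parse_role(role: str) -> Tuple[str, str, str]:
    """Split a role string into (resource, id, privacy).

    Only the first and the last hyphen are delimiters, so an ID such as
    "x-y-z" is preserved. This assumes resource names and privacy levels
    themselves contain no hyphen; a role with fewer than two hyphens is
    malformed and rejected rather than guessed at."""
    resource, _, rest = role.partition("-")
    rid, sep, privacy = rest.rpartition("-")
    if not resource or not sep or not rid or not privacy:
        raise ValueError(f"malformed role string: {role!r}")
    return resource, rid, privacy


def has_role(roles: List[str], resource: str, rid: str, privacy: str) -> bool:
    """Exact-match authorization check against a list of role strings,
    comparing parsed components rather than raw substrings so that
    "list-abc12-member" cannot be mistaken for "list-abc123-member"."""
    wanted = (resource, rid, privacy)
    return any(parse_role(r) == wanted for r in roles)


if __name__ == "__main__":
    print(get_roles("u1", SAMPLE_MEMBERSHIPS))
    print(get_roles("u1", SAMPLE_MEMBERSHIPS, resource="list", id="x-y-z"))
```

Comparing parsed tuples instead of doing substring or prefix matching is the point of `has_role`: a naive `startswith` check on the raw role string would let a role for ID `abc12` satisfy a check for ID `abc123`.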
    update_auth(member_model, id, resource=None, force=False)
        Check current access, update if recently changed

        - Parameters
            member_model (obj) – model (e.g. Guest) which defines membership in resource
            id (str) – resource id of parent resource
            resource (str) – parent resource for which membership should be checked
            force (bool) – perform update regardless of logged-in permissions

apicrud.session_auth.api_key(token, required_scopes=None)
    API key authentication - not yet implemented

    - Parameters
        token (str) – the token
        required_scopes (list) – permissions requested

apicrud.session_auth.basic(username, password, required_scopes=None)
    This is a modified basic-auth validation function. The auth login controller method generates a random 8-byte token, stores it in the session_manager object as token_auth, and sends it to javascript authProvider. The dataProvider must send it back to us as basic-auth (base64-encoded).

    Vulnerable to session-hijacking if auth packets aren't encrypted end to end, but "good enough" until OAuth2 effort is completed.

    Implemented because of https://github.com/zalando/connexion/issues/791

    - Parameters
        username (str) – Session UID
        password (str) – Session token
        required_scopes (list) – not used
    - Returns
        uid with the username passed in
    - Return type
        dict
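To make the basic-auth flow described above concrete, here is an added example that is not apicrud's code: a constructed in-memory stand-in for the session_manager's token_auth store, a login step that mints a random 8-byte token, the client-side encoding of uid and token into a base64 basic-auth header, and a `basic`-style validator that looks the uid up and compares the token in constant time. The `SESSIONS` dict, `login`, `encode_basic` and `authenticate_header` names are assumptions for this example; the convention that returning `None` from the validator yields a 401 follows connexion's security-handler contract, which is how apicrud's function is wired in.

```python
import base64
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the session_manager object: uid -> token_auth.
# In the real service this lives in the session store, not a module dict.
SESSIONS: Dict[str, str] = {}


def login(uid: str) -> str:
    """Mint and store a random 8-byte session token for uid (hex-encoded,
    16 characters), as the login controller described above does."""
    token = secrets.token_hex(8)
    SESSIONS[uid] = token
    return token


def encode_basic(uid: str, token: str) -> str:
    """What the JavaScript dataProvider sends back: an HTTP Basic
    Authorization header value carrying uid as username and the session
    token as password."""
    raw = f"{uid}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic(username: str, password: str, required_scopes=None) -> Optional[dict]:
    """Validator in the shape of apicrud.session_auth.basic: username is
    the session UID, password is the session token. Returns a dict with
    the uid on success, None (-> 401 under connexion) otherwise."""
    expected = SESSIONS.get(username)
    if expected is None:
        return None
    # Constant-time comparison so token mismatches are not distinguishable
    # by timing; both values are same-length hex strings.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return {"uid": username}


def authenticate_header(header: str) -> Optional[dict]:
    """Parse an Authorization header value and hand its parts to basic().
    Malformed scheme, invalid base64, non-UTF-8 bytes or a missing ':'
    all fail closed with None."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    uid, token = raw.split(":", 1)
    return basic(uid, token)


if __name__ == "__main__":
    t = login("u1")
    print(authenticate_header(encode_basic("u1", t)))
```

Because the token travels in every request as a reversible base64 encoding, it is a bearer credential: anyone who can read the request on the wire can replay it, which is exactly the session-hijacking caveat the docstring gives, and why the flow depends on TLS end to end.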