apicrud.session_auth

session_auth

created 26-mar-2020 by richb@instantlinux.net

Functions

api_key(apikey[, required_scopes])

API key authentication

basic(username, password[, required_scopes])

This is a modified basic-auth validation function.

Classes

SessionAuth([func_send])

Session Authorization

class apicrud.session_auth.SessionAuth(func_send=None)

Session Authorization

Functions for login, password and role authorization

Parameters

func_send (function) – name of function for sending message

account_login(username, password, roles_from=None)

Log in with username or email

Parameters
  • username (str) – account name or email

  • password (str) – credential

  • identity_from (obj) – model from which to find contact info

  • roles_from (obj) – model for which to look up authorizations

Returns

Fields include jwt_token (contains uid / account ID), ID of entry in settings database, and a sub-dictionary with mapping of endpoints registered to microservices

Return type

dict

api_access(apikey, roles_from=None)

Access using API key

Parameters
  • apikey (str) – the API key

  • roles_from (obj) – model for which to look up authorizations

Returns

uid, scopes (None if not authorized)

Return type

dict

change_password(uid, new_password, reset_token, old_password=None, verify_password=None)

Update a user’s password, applying complexity rules; must specify either the old password or a reset token

Parameters
  • uid (str) – User ID

  • new_password (str) – the new passphrase

  • reset_token (str) – a token retrieved from Confirmation.request

  • old_password (str) – the old passphrase

Returns

dict with account_id/uid/username, http response

Return type

tuple

forgot_password(identity, username, template='password_reset')

Trigger Confirmation.request; specify either the username or email address

Parameters
  • identity (str) – account’s primary identity, usually an email

  • username (str) – account’s username

  • template (str) – template for message (confirming new user)

Returns

the Confirmation.request dict and http response

Return type

tuple

get_roles(uid, member_model, resource=None, id=None)

Get roles that match uid / id for a resource. Each is in the form <resource>-<id>-<privacy level>.

Parameters
  • uid (str) – User ID

  • member_model (obj) – the DB model that defines membership in resource

  • resource (str) – the resource that defines privacy (e.g. list)

  • id (str) – ID of the resource (omit if all are desired)

Returns

authorized roles

Return type

list of str

register(identity, username, name, template='confirm_new')

Register a new account: create related records in database and send confirmation token to new user

TODO caller still has to invoke account-create function to generate record in accounts table

Parameters
  • identity (str) – account’s primary identity, usually an email

  • username (str) – account’s username

  • name (str) – name

  • template (str) – template for message (confirming new user)

Returns

the Confirmation.request dict and http response

Return type

tuple

update_auth(member_model, id, resource=None, force=False)

Check current access, update if recently changed

Parameters
  • member_model (obj) – model (e.g. Guest) which defines membership in resource

  • id (str) – resource id of parent resource

  • resource (str) – parent resource for which membership should be checked

  • force (bool) – perform update regardless of logged-in permissions

apicrud.session_auth.api_key(apikey, required_scopes=None)

API key authentication

Parameters
  • apikey (str) – the key

  • required_scopes (list) – permissions requested

Returns

uid if successful (None otherwise)

Return type

dict

apicrud.session_auth.basic(username, password, required_scopes=None)

This is a modified basic-auth validation function. The auth login controller method generates a random 8-byte token, stores it in the session_manager object as token_auth, and sends it to the JavaScript authProvider. The dataProvider must send it back to us as basic-auth (base64-encoded).

Vulnerable to session-hijacking if auth packets aren’t encrypted end to end, but “good enough” until the OAuth2 effort is completed.

Implemented because of https://github.com/zalando/connexion/issues/791

Parameters
  • username (str) – Session UID

  • password (str) – Session token

  • required_scopes (list) – not used

Returns

uid with the username passed in

Return type

dict
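The exchange the basic() description above outlines, as an added example that is not part of the apicrud code: a login step that mints the 8-byte token, the Basic credential the dataProvider returns, and the server-side check. The in-memory `sessions` dict, `login()`, `encode_basic()` and `authenticate_header()` are stand-ins assumed for this example, not project APIs.

```python
import base64
import hmac
import secrets
from typing import Optional

# Stand-in for the project's session_manager (an assumption for this example):
# a dict keyed by session uid, holding the token under "token_auth".
sessions: dict = {}


def login(uid: str) -> str:
    """Mimic the login controller: mint a random 8-byte token, store it
    as token_auth for this session and return it for the authProvider."""
    token = secrets.token_hex(8)  # 8 random bytes, 16 hex characters
    sessions[uid] = {"token_auth": token}
    return token


def encode_basic(username: str, password: str) -> str:
    """What the dataProvider sends back: an RFC 7617 Basic credential."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def basic(username: str, password: str, required_scopes=None) -> Optional[dict]:
    """Validate the uid/token pair; return {"uid": username} or None."""
    entry = sessions.get(username)
    if entry is None:
        return None
    # Constant-time comparison so a mismatch does not leak where it diverged.
    if not hmac.compare_digest(entry["token_auth"].encode(), password.encode()):
        return None
    return {"uid": username}


def authenticate_header(header: str) -> Optional[dict]:
    """Parse an Authorization header value and hand the pair to basic()."""
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        decoded = base64.b64decode(b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return basic(username, password)
```

Because the token travels in every request as a reversible base64 string, the check is only as strong as the TLS protecting the channel, which is the hijacking caveat the docstring notes.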