[web2py] Re: How to control authorization to REST api

2015-05-31 Thread horridohobbyist
I figured out what was wrong. It all comes down to CORS – CORS and user 
authentication are quite braindead 
(http://stackoverflow.com/questions/21850454/how-to-make-xmlhttprequest-cross-domain-withcredentials-http-authorization-cor).
 
I decided to bypass all this CORS shit and do my own user authorization. 
Works like a charm.


On Saturday, 30 May 2015 19:18:20 UTC-4, horridohobbyist wrote:

 I tried this decorator, too:

 auth.settings.allow_basic_login = True
 @auth.requires_login()

 jQuery still chokes on user authorization. Moreover, it tries to redirect 
 you to a login page, which in my case is not applicable.


 On Saturday, 30 May 2015 14:32:24 UTC-4, horridohobbyist wrote:

 I'm trying to implement a REST api. I've coded the following:

 @request.restful()
 def api():
     response.view = 'generic.json'
     # curl -k --user tyr...@yahoo.ca:Lannister -G -d var1=something1 -d var2=something2
     # https://miramar21.com/tut_server/default/api/verify/person/:usr/:pwd
     # https://miramar21.com/tut_server/default/api/add/person
     # https://miramar21.com/tut_server/default/api/update/person/:id
     def GET(*args,**vars):
         # HTTP basic authentication; auth.user stays empty if it fails
         auth.basic()
         if not auth.user:
             return dict(unauthorized=True)
         try:
             if args[0] == 'verify':
                 # args[1..3] are read below, so four path components are needed
                 if len(args) > 3:
                     table_name = args[1]
                     usr = args[2]
                     pwd = args[3]
                     alg = 'pbkdf2(1000,20,sha512)'
                     hash = str(CRYPT(digest_alg=alg,salt=False)(pwd)[0])
                     row = db(db[table_name].email==usr).select().first()
                     if row:
                         status = True if row.password == hash else False
                         return dict(verified=status,id=row.id)
                 return locals()
             if args[0] == 'add':
                 if len(args) > 1:
                     table_name = args[1]
                     return db[table_name].validate_and_insert(**vars)
                 return locals()
             if args[0] == 'update':
                 if len(args) > 2:
                     table_name = args[1]
                     record_id = args[2]
                     return db(db[table_name]._id==record_id).validate_and_update(**vars)
                 return locals()
         except:
             return dict(fatal=True)
         return locals()
     return locals()

 I have a feeling that I'm not doing user authorization for the REST api 
 correctly, although the following cURL command works fine:

 curl -k --user tyr...@yahoo.ca:Lannister https://miramar21.com/tut_server/default/api/verify/person/james.b...@outlook.com/Prometheus

 When I try to use jQuery ajax to perform the same operation, it chokes on 
 the user authorization, whether I use JS headers or beforeSend. So I 
 suspect I'm doing something wrong. (But why is cURL working???)

 I just want to control user authorization as simply and cleanly as 
 possible.



-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
web2py-users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
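
Added example (not part of the thread and not web2py's own code): a minimal WSGI app showing why cURL succeeds while a cross-origin jQuery call fails. The browser first sends a preflight OPTIONS request with no Authorization header, and credentialed responses must name an explicit origin. The origin, user table and function names are constructed for illustration.

```python
import base64
import hmac

ALLOWED_ORIGINS = {"https://app.example.test"}  # constructed front-end origin
USERS = {"alice": "s3cret"}                     # constructed demo credentials

def cors_headers(origin):
    # Credentialed requests may not use "*": echo an allow-listed origin only.
    if origin not in ALLOWED_ORIGINS:
        return []
    return [("Access-Control-Allow-Origin", origin),
            ("Access-Control-Allow-Credentials", "true"),
            ("Access-Control-Allow-Headers", "Authorization"),
            ("Access-Control-Allow-Methods", "GET, OPTIONS"),
            ("Vary", "Origin")]

def basic_auth_ok(header):
    try:
        scheme, token = header.split(" ", 1)
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # not of the form "Basic <base64 of user:password>"
        return False
    expected = USERS.get(user)
    return (scheme.lower() == "basic" and expected is not None
            and hmac.compare_digest(expected.encode(), password.encode()))

def api_app(environ, start_response):
    cors = cors_headers(environ.get("HTTP_ORIGIN", ""))
    # The preflight carries no Authorization header: answer it before the login check.
    if environ["REQUEST_METHOD"] == "OPTIONS":
        start_response("204 No Content", cors)
        return [b""]
    json_type = [("Content-Type", "application/json")]
    if not basic_auth_ok(environ.get("HTTP_AUTHORIZATION", "")):
        # Plain 401 with a JSON body instead of a redirect to a login page.
        start_response("401 Unauthorized",
                       cors + json_type + [("WWW-Authenticate", 'Basic realm="api"')])
        return [b'{"unauthorized": true}']
    start_response("200 OK", cors + json_type)
    return [b'{"verified": true}']

def call(method, origin="", auth=""):
    # Drive api_app with a constructed WSGI environ; returns (status, headers).
    token = base64.b64encode(auth.encode()).decode()
    environ = {"REQUEST_METHOD": method, "HTTP_ORIGIN": origin,
               "HTTP_AUTHORIZATION": "Basic " + token if auth else ""}
    seen = {}
    api_app(environ, lambda s, h: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"]
```

A preflight from an origin outside the allow-list still gets a 204, but without the `Access-Control-*` headers the browser refuses to send the real request.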


[web2py] Re: How to control authorization to REST api

2015-05-30 Thread horridohobbyist
I tried this decorator, too:

auth.settings.allow_basic_login = True
@auth.requires_login()

jQuery still chokes on user authorization. Moreover, it tries to redirect 
you to a login page, which in my case is not applicable.


On Saturday, 30 May 2015 14:32:24 UTC-4, horridohobbyist wrote:

 I'm trying to implement a REST api. I've coded the following:

 @request.restful()
 def api():
     response.view = 'generic.json'
     # curl -k --user tyr...@yahoo.ca:Lannister -G -d var1=something1 -d var2=something2
     # https://miramar21.com/tut_server/default/api/verify/person/:usr/:pwd
     # https://miramar21.com/tut_server/default/api/add/person
     # https://miramar21.com/tut_server/default/api/update/person/:id
     def GET(*args,**vars):
         # HTTP basic authentication; auth.user stays empty if it fails
         auth.basic()
         if not auth.user:
             return dict(unauthorized=True)
         try:
             if args[0] == 'verify':
                 # args[1..3] are read below, so four path components are needed
                 if len(args) > 3:
                     table_name = args[1]
                     usr = args[2]
                     pwd = args[3]
                     alg = 'pbkdf2(1000,20,sha512)'
                     hash = str(CRYPT(digest_alg=alg,salt=False)(pwd)[0])
                     row = db(db[table_name].email==usr).select().first()
                     if row:
                         status = True if row.password == hash else False
                         return dict(verified=status,id=row.id)
                 return locals()
             if args[0] == 'add':
                 if len(args) > 1:
                     table_name = args[1]
                     return db[table_name].validate_and_insert(**vars)
                 return locals()
             if args[0] == 'update':
                 if len(args) > 2:
                     table_name = args[1]
                     record_id = args[2]
                     return db(db[table_name]._id==record_id).validate_and_update(**vars)
                 return locals()
         except:
             return dict(fatal=True)
         return locals()
     return locals()

 I have a feeling that I'm not doing user authorization for the REST api 
 correctly, although the following cURL command works fine:

 curl -k --user tyr...@yahoo.ca:Lannister https://miramar21.com/tut_server/default/api/verify/person/james.b...@outlook.com/Prometheus

 When I try to use jQuery ajax to perform the same operation, it chokes on 
 the user authorization, whether I use JS headers or beforeSend. So I 
 suspect I'm doing something wrong. (But why is cURL working???)

 I just want to control user authorization as simply and cleanly as 
 possible.


