Did you ever finish this? I implemented something similar.
I'd love to collaborate and get a repo up for working with mobile devices with web2py as an app back end. On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote: > > If you mimic the same http traffic that a browser would generate, then of > course you will get all the normal web2py functionality such as the session. > > The web2py session is usually stored in the database which means it can > store a large amount of data without the size limits of cookie storage. And > it will persist between requests. > > On Friday, January 4, 2013 6:19:14 PM UTC-6, Mark Li wrote: >> >> Would it be necessary to connect to the same web2py session? >> >> To my understanding, connecting to the same session would be necessary if >> the session contained Auth information indicating whether or not a user was >> logged in. However, using auth.login_bare(), I only return a token on login >> success, and the Auth information is never stored in session. Only the >> token would be used to check whether or not a user was authenticated, as >> this info is not stored in session. >> >> The login/authentication from Android would only be used for API calls, >> and not for browsing the site. In the 'tokens' table, there would be >> information about the user that would be similar to the Auth info stored in >> session. When the token is passed to web2py, it would return the same >> information that would normally be stored in session about the user. >> >> Thanks again for your help and checking my logic, I'm still pretty new to >> this! >> >> On Thursday, January 3, 2013 7:57:45 PM UTC-8, dlypka wrote: >>> >>> But are you reconnecting to the same web2py session on each request? >>> >>> On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote: >>>> >>>> I reviewed your code again and looked into the source code for web2py >>>> to see how web2py deals with session login cookies. >>>> >>>> For what I want to accomplish, I believe I have found a method which >>>> does not involved changing web2py source code. It's simpler and more >>>> straight forward for me to wrap my head around (also not having to worry >>>> about storing cookies in the app). Please let me know if there's anything >>>> important I am missing or security flaws that I should consider. >>>> >>>> >>>> 1. Embed webview into native Android app, using auth.login_bare to >>>> authenticate. >>>> 2. On login success, return a token of similar format to web2py's >>>> session cookies. >>>> 3. Store this token in the database (in a table named 'tokens'), and >>>> send back to Android app as a cookie >>>> 4. For every request to my web service that requires authentication, >>>> send the token as a cookie and have the receiving API controller function >>>> extract the cookie/token. If the token is currently in the db.tokens, then >>>> the user has been authenticated and the request returns the appropriate >>>> data. >>>> 5. On logout/password change, delete the issued tokens for this user >>>> from db.tokens, so the same token can't be used to authenticate for future >>>> api calls. >>>> >>>> On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote: >>>>> >>>>> I was not precisely calling from a native Android or native IOS app. >>>>> I was using a PhoneGap client, which is different. It is looks like a >>>>> web browser but is not a browser client. >>>>> PhoneGap can only use HTML5 storage unless you write a native Android >>>>> / IOS PhoneGap extension/plugin. >>>>> So my technique will work from almost any client platform, even from a >>>>> Windows native client app for example >>>>> as long as it uses HTTP. >>>>> >>>>> Also, in my tracing of how web2py handles the client connection, I >>>>> believe I found a few wrinkles in the sequence of events >>>>> which needed to be handled specially in this case where the client is >>>>> not a web browser. >>>>> >>>>> In your particular case, if you have cookies in the native client, >>>>> then that is one less problem to solve, >>>>> You probably just have to mimic the HTTP messages that a browser would >>>>> send. >>>>> >>>>> On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote: >>>>>> >>>>>> Thanks for the responses, and Happy New Years to you guys too! >>>>>> >>>>>> dlypka, for your cookieless solution, it assumes that the client app >>>>>> can't store/extract tokens? In the Google Android link above, it says >>>>>> that >>>>>> both Android and iOS can read and extract the tokens/cookies. So when >>>>>> the >>>>>> Android app calls the Web2py app, wouldn't it just pass in the >>>>>> cookie/token >>>>>> and have Web2py verify it as it Web2py normally verifies session login >>>>>> cookies? >>>>>> >>>>>> >>>>>> >>>>>> On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro wrote: >>>>>>> >>>>>>> :-) >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote: >>>>>>>> >>>>>>>> Yes it is my New Year's Resolution to make time to put it in a >>>>>>>> Slice. >>>>>>>> >>>>>>>> On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro >>>>>>>> wrote: >>>>>>>>> >>>>>>>>> Perhaps this should go in a web2pyslice? >>>>>>>>> >>>>>>>>> On Monday, 31 December 2012 21:28:04 UTC-6, dlypka wrote: >>>>>>>>>> >>>>>>>>>> I developed a solution for this. >>>>>>>>>> I posted it here: >>>>>>>>>> >>>>>>>>>> https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos >>>>>>>>>> >>>>>>>>>> Happy New Year! >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Monday, December 31, 2012 4:38:40 PM UTC-6, Mark Li wrote: >>>>>>>>>>> >>>>>>>>>>> I am currently trying to authenticate users on an Android app to >>>>>>>>>>> my Web2py application. I am not comfortable implementing this on my >>>>>>>>>>> own >>>>>>>>>>> without some guidance/advice, as I'm worried about the security of >>>>>>>>>>> the >>>>>>>>>>> login information becoming jeopardized. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I am following the guideline for authentication outlined by >>>>>>>>>>> Google here: >>>>>>>>>>> https://developers.google.com/accounts/docs/MobileApps >>>>>>>>>>> >>>>>>>>>>> Another outline of what how I'm trying to accomplish >>>>>>>>>>> Authentication outlined here: >>>>>>>>>>> http://stackoverflow.com/questions/7358715/authentication-model-for-android-application >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> The first step, and my question, is how I would generate a token >>>>>>>>>>> to return to the Android app after the user has successfully logged >>>>>>>>>>> in. It >>>>>>>>>>> is suggested that this token be in the same format to what Web2py >>>>>>>>>>> uses for >>>>>>>>>>> session login cookies, except with a 'mobile' flag indicating the >>>>>>>>>>> token can >>>>>>>>>>> only be used for API calls, and doesn't have the short lifespan of >>>>>>>>>>> a >>>>>>>>>>> browser session. >>>>>>>>>>> >>>>>>>>>>> Any help would be greatly appreciated, as I haven't read too >>>>>>>>>>> much about authentication to web2py from an Android app. >>>>>>>>>>> >>>>>>>>>> -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
