Hey Mark, I did finish this, although it's been some time since I've looked into the code for the mobile-related stuff. Most of it still makes sense to me
On Friday, October 10, 2014 1:31:09 PM UTC-7, Mark Graves wrote: > > Did you ever finish this? > > I implemented something similar. > > I'd love to collaborate and get a repo up for working with mobile devices > with web2py as an app back end. > > On Sunday, January 6, 2013 11:43:05 AM UTC-6, dlypka wrote: >> >> If you mimic the same http traffic that a browser would generate, then of >> course you will get all the normal web2py functionality such as the session. >> >> The web2py session is usually stored in the database which means it can >> store a large amount of data without the size limits of cookie storage. And >> it will persist between requests. >> >> On Friday, January 4, 2013 6:19:14 PM UTC-6, Mark Li wrote: >>> >>> Would it be necessary to connect to the same web2py session? >>> >>> To my understanding, connecting to the same session would be necessary >>> if the session contained Auth information indicating whether or not a user >>> was logged in. However, using auth.login_bare(), I only return a token on >>> login success, and the Auth information is never stored in session. Only >>> the token would be used to check whether or not a user was authenticated, >>> as this info is not stored in session. >>> >>> The login/authentication from Android would only be used for API calls, >>> and not for browsing the site. In the 'tokens' table, there would be >>> information about the user that would be similar to the Auth info stored in >>> session. When the token is passed to web2py, it would return the same >>> information that would normally be stored in session about the user. >>> >>> Thanks again for your help and checking my logic, I'm still pretty new >>> to this! >>> >>> On Thursday, January 3, 2013 7:57:45 PM UTC-8, dlypka wrote: >>>> >>>> But are you reconnecting to the same web2py session on each request? >>>> >>>> On Thursday, January 3, 2013 3:20:01 PM UTC-6, Mark Li wrote: >>>>> >>>>> I reviewed your code again and looked into the source code for web2py >>>>> to see how web2py deals with session login cookies. >>>>> >>>>> For what I want to accomplish, I believe I have found a method which >>>>> does not involved changing web2py source code. It's simpler and more >>>>> straight forward for me to wrap my head around (also not having to worry >>>>> about storing cookies in the app). Please let me know if there's anything >>>>> important I am missing or security flaws that I should consider. >>>>> >>>>> >>>>> 1. Embed webview into native Android app, using auth.login_bare to >>>>> authenticate. >>>>> 2. On login success, return a token of similar format to web2py's >>>>> session cookies. >>>>> 3. Store this token in the database (in a table named 'tokens'), and >>>>> send back to Android app as a cookie >>>>> 4. For every request to my web service that requires authentication, >>>>> send the token as a cookie and have the receiving API controller function >>>>> extract the cookie/token. If the token is currently in the db.tokens, >>>>> then >>>>> the user has been authenticated and the request returns the appropriate >>>>> data. >>>>> 5. On logout/password change, delete the issued tokens for this user >>>>> from db.tokens, so the same token can't be used to authenticate for >>>>> future >>>>> api calls. >>>>> >>>>> On Tuesday, January 1, 2013 10:33:26 PM UTC-8, dlypka wrote: >>>>>> >>>>>> I was not precisely calling from a native Android or native IOS app. >>>>>> I was using a PhoneGap client, which is different. It is looks like a >>>>>> web browser but is not a browser client. >>>>>> PhoneGap can only use HTML5 storage unless you write a native Android >>>>>> / IOS PhoneGap extension/plugin. >>>>>> So my technique will work from almost any client platform, even from >>>>>> a Windows native client app for example >>>>>> as long as it uses HTTP. >>>>>> >>>>>> Also, in my tracing of how web2py handles the client connection, I >>>>>> believe I found a few wrinkles in the sequence of events >>>>>> which needed to be handled specially in this case where the client is >>>>>> not a web browser. >>>>>> >>>>>> In your particular case, if you have cookies in the native client, >>>>>> then that is one less problem to solve, >>>>>> You probably just have to mimic the HTTP messages that a browser >>>>>> would send. >>>>>> >>>>>> On Tuesday, January 1, 2013 5:19:50 PM UTC-6, Mark Li wrote: >>>>>>> >>>>>>> Thanks for the responses, and Happy New Years to you guys too! >>>>>>> >>>>>>> dlypka, for your cookieless solution, it assumes that the client app >>>>>>> can't store/extract tokens? In the Google Android link above, it says >>>>>>> that >>>>>>> both Android and iOS can read and extract the tokens/cookies. So when >>>>>>> the >>>>>>> Android app calls the Web2py app, wouldn't it just pass in the >>>>>>> cookie/token >>>>>>> and have Web2py verify it as it Web2py normally verifies session login >>>>>>> cookies? >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Tuesday, January 1, 2013 9:07:16 AM UTC-8, Massimo Di Pierro >>>>>>> wrote: >>>>>>>> >>>>>>>> :-) >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Tuesday, 1 January 2013 10:45:47 UTC-6, dlypka wrote: >>>>>>>>> >>>>>>>>> Yes it is my New Year's Resolution to make time to put it in a >>>>>>>>> Slice. >>>>>>>>> >>>>>>>>> On Tuesday, January 1, 2013 10:35:49 AM UTC-6, Massimo Di Pierro >>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> Perhaps this should go in a web2pyslice? >>>>>>>>>> >>>>>>>>>> On Monday, 31 December 2012 21:28:04 UTC-6, dlypka wrote: >>>>>>>>>>> >>>>>>>>>>> I developed a solution for this. >>>>>>>>>>> I posted it here: >>>>>>>>>>> >>>>>>>>>>> https://groups.google.com/forum/?fromgroups=#!topic/web2py/YVYQHRJmcos >>>>>>>>>>> >>>>>>>>>>> Happy New Year! >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Monday, December 31, 2012 4:38:40 PM UTC-6, Mark Li wrote: >>>>>>>>>>>> >>>>>>>>>>>> I am currently trying to authenticate users on an Android app >>>>>>>>>>>> to my Web2py application. I am not comfortable implementing this >>>>>>>>>>>> on my own >>>>>>>>>>>> without some guidance/advice, as I'm worried about the security of >>>>>>>>>>>> the >>>>>>>>>>>> login information becoming jeopardized. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> I am following the guideline for authentication outlined by >>>>>>>>>>>> Google here: >>>>>>>>>>>> https://developers.google.com/accounts/docs/MobileApps >>>>>>>>>>>> >>>>>>>>>>>> Another outline of what how I'm trying to accomplish >>>>>>>>>>>> Authentication outlined here: >>>>>>>>>>>> http://stackoverflow.com/questions/7358715/authentication-model-for-android-application >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> The first step, and my question, is how I would generate a >>>>>>>>>>>> token to return to the Android app after the user has successfully >>>>>>>>>>>> logged >>>>>>>>>>>> in. It is suggested that this token be in the same format to what >>>>>>>>>>>> Web2py >>>>>>>>>>>> uses for session login cookies, except with a 'mobile' flag >>>>>>>>>>>> indicating the >>>>>>>>>>>> token can only be used for API calls, and doesn't have the short >>>>>>>>>>>> lifespan >>>>>>>>>>>> of a browser session. >>>>>>>>>>>> >>>>>>>>>>>> Any help would be greatly appreciated, as I haven't read too >>>>>>>>>>>> much about authentication to web2py from an Android app. >>>>>>>>>>>> >>>>>>>>>>> -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
