IMHO the token should not be restricted to a var... it should also be possible to use a header...

Performance-wise... as it is, it's as bad as it could possibly be.
1) The extra table needs a solid unique=True on the token field: we don't want to do a full scan of that table for every request protected by the decorator... and we protect ourselves from colliding uuids.
2) Why do we need 2 separate queries (one for the token, the other for the id)?

Moreover, the grid embedded in manage_tokens is a quick - but dirty - way to manage those... There are no restrictions on the tokens that are generated (the whole table is exposed). Plus, it lacks any possibility of customization: given the abnormal abundance of arguments we added to grid initialization to accommodate zillions of users, I'd say the need to pass something to that grid will pop up soon enough.

We should expose an API to manage tokens, not a grid...

On Sunday, June 28, 2015 at 4:56:35 PM UTC+2, Massimo Di Pierro wrote:
>
> There is a new feature in trunk. Support for native API tokens.
>
> To enable in models/db.py use:
>
> auth.define_tables(username=False, signature=False, api_tokens=True)
>
> Then where appropriate replace
>
> @auth.requires_login()
> def test(): return 'hello %s' % auth.user.first_name
>
> with
>
> @auth.requires_login_or_token()
> def test(): return 'hello %s' % auth.user.first_name
>
> Now your users can go to
>
> http://..../welcome/default/user/manage_tokens
>
> create and expire tokens and call the decorated functions with
>
> http://..../welcome/default/test?_token=<one-of-the-tokens>
>
> The token will give access to the function (test in the example) as if the
> user were logged in.
>
> This will make it easier for you to create API for your app and delegate
> to your users the job of creating and expiring their tokens.
>
> This is an EXPERIMENTAL feature. It works but it may change.
>
> Please test, and submit comments/suggestions.
>
> Massimo
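
The points raised in the reply above (a unique index on the token column, one query instead of two, and a header as an alternative to the _token variable), shown as an added example that is not web2py's code and not part of either message. It uses sqlite3 as a stand-in for the DAL; the table names, column names and the Authorization: Bearer header are assumptions.

```python
import sqlite3
import time

# One JOIN replaces the two lookups (token row, then user row).
LOOKUP = """SELECT u.id, u.first_name
            FROM auth_token AS t JOIN auth_user AS u ON u.id = t.user_id
            WHERE t.token = ? AND t.expires_on > ?"""

def make_db():
    """Constructed schema; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE auth_user (id INTEGER PRIMARY KEY, first_name TEXT);
        CREATE TABLE auth_token (
            id INTEGER PRIMARY KEY,
            user_id INTEGER NOT NULL REFERENCES auth_user(id),
            token TEXT NOT NULL UNIQUE,   -- index for lookups + collision guard
            expires_on REAL NOT NULL);
    """)
    return db

def extract_token(headers, query_vars):
    """Prefer the header (assumed Authorization: Bearer), else the _token var."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    return query_vars.get("_token") or None

def user_for_token(db, token, now=None):
    """Resolve token -> user in one indexed query; None if unknown or expired."""
    if not token:
        return None
    now = time.time() if now is None else now
    return db.execute(LOOKUP, (token, now)).fetchone()

def lookup_plan(db):
    """Planner steps for LOOKUP; each should be a SEARCH, never a SCAN."""
    rows = db.execute("EXPLAIN QUERY PLAN " + LOOKUP, ("x", 0)).fetchall()
    return [row[3] for row in rows]

if __name__ == "__main__":
    db = make_db()
    # Constructed sample data.
    db.execute("INSERT INTO auth_user VALUES (1, 'Ada')")
    db.execute("INSERT INTO auth_token VALUES (1, 1, 'tok-abc', 2e9)")
    tok = extract_token({"Authorization": "Bearer tok-abc"}, {})
    print(user_for_token(db, tok, now=1.7e9), lookup_plan(db))
```

Sending the token in a header rather than in the URL also keeps it out of access logs, browser history and Referer headers.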