Hi, you can use requests.Session:

    # in default
    import json
    import requests

    session = requests.Session()
    url_login = 'http://..../api/login.json'
    # requests.packages.urllib3.disable_warnings()  # - uncomment if you use a self-signed cert over https
    r = session.get(url_login, verify=True)  # set verify=False if you use a self-signed cert over https
    form = dict(username='user', password='password')
    r = session.post(url_login, data=form)
    if r.status_code == 200:  # server OK
        response_data = json.loads(r.text)
        logged_in = 'logged_in' in response_data.keys()
        # if logged_in == True - session is authorized, so use session.post/get ... to request api

    # in api
    @request.restful()
    def login():
        response.view = 'generic.json'
        user = request.vars.username
        password = request.vars.password
        if auth.login_bare(user, password):
            return dict(logged_in='yes')

    # auth.requires_login() redirects to login form, but it's redundant for api
    # instead of auth.requires_login() you can write your own simple decorator:
    def api_requires_login(f):
        def wrapper(*args, **kwargs):
            # check at call time, not when the decorator is applied
            if auth.is_logged_in():
                return f(*args, **kwargs)
            raise HTTP(401)  # or return something
        return wrapper

On Tuesday, November 14, 2017 at 8:05:36 PM UTC+3, Carlos A. Armenta Castro wrote:

> Hi Leandro, I'm writing to you in Spanish because, judging by your name, I think you speak Spanish; correct me if I'm wrong and I'll write it to you in English,
>
> On Monday, November 13, 2017, 7:14:00 (UTC-7), Leandro Sebastian Salgueiro wrote:
>
>> I added then the requires_login to api controller and then I test both URLs independently from browser, it works ok (login to web2py -> go to /api/apps -> get my results) however if I do the GET request using requests.get from default controller I get a *Non Authorized* message and redirect to login form.
>
> In this case, in your code:
>
> def index():
>     import requests
>     json = requests.get(URL('api', 'apps', host=True))
>
> What you are doing is starting another session in your same app, but you are not sending it the credentials for the login. As I understand it, every time you invoke requests you create a new session, so you have to log in each time.
>
> What you are doing in your code seems a bit strange to me, because if you are already logged in I don't know why you are trying to log in again. I recommend approaching the problem in a different way.
> Web2Py is rock solid when it comes to security; you shouldn't worry about security problems once you are already logged in to your app.
>
> If you need extra security for your app, then I recommend using JWT tokens with Web2Py http://web2py.readthedocs.io/en/latest/tools.html
>
>> jwt()[source] <http://web2py.readthedocs.io/en/latest/_modules/gluon/tools.html#Auth.jwt>
>>
>> To use JWT authentication:
>>
>> 1. Instantiate auth with:
>>
>>     auth = Auth(db, jwt = {'secret_key':'secret'})
>>
>>    where ‘secret’ is your own secret string.
>>
>> 2. Decorate functions that require login but should accept the JWT token credentials:
>>
>>     @auth.allows_jwt()
>>     @auth.requires_login()
>>     def myapi():
>>         return 'hello %s' % auth.user.email
>>
>>    Notice jwt is allowed but not required. If user is logged in, myapi is accessible.
>>
>> 3. Use it!
>>
>>    Now API users can obtain a token with
>>
>>     http://.../app/default/user/jwt?username=...&password=....
>>
>>    (returns json object with a token attribute). API users can refresh an existing token with
>>
>>     http://.../app/default/user/jwt?token=...
>>
>>    They can authenticate themselves when calling http:/.../myapi by injecting a header
>>
>>     Authorization: Bearer <the jwt token>
>
> Regards, and good luck with your app.
>
>> Hi,
>>
>> I have two controllers on the same app:
>>
>> TestApp
>> |
>> |---default.py
>> |---api.py
>>
>> api is a restful service that will call other services. For security reasons I would like all calls to these services to pass through the api restful.
>> (it will work like a proxy in this case)
>>
>> I did try the following:
>>
>> in default.py:
>>
>> @auth.requires_login()
>> def index():
>>     import requests
>>     json = requests.get(URL('api', 'apps', host=True))
>>     return {"json": json.content}
>>
>> in api.py:
>>
>> import requests
>> apps_url = 'http://localhost:8091/apps'
>>
>> @auth.requires_login()
>> @request.restful()
>> def apps():
>>     response.view = 'generic.json'
>>     def GET(*args, **vars):
>>         r = requests.get(apps_url)
>>         return r
>>     return dict(GET=GET)
>>
>> If I test this without the api's login decorator everything works fine. However I can access this restful from anywhere else...
>> I then added the requires_login to the api controller and tested both URLs independently from the browser; it works ok (login to web2py -> go to /api/apps -> get my results). However, if I do the GET request using requests.get from the default controller I get a *Non Authorized* message and a redirect to the login form.
>>
>> What am I missing here? I thought that if I was in the same app, the auth session would be shared among different controllers...
>>
>> Any hint on this would be most welcome.
>> Thanks in advance.
>> Leandro
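
The behaviour discussed in this thread, as an added example that is not part of the original messages: a call made without the login cookie is rejected, while a client that keeps cookies (as requests.Session does) is authorized once it has logged in. It uses Python's standard library in place of requests and web2py so it runs offline; the server, the /login and /apps paths, the sid cookie and the credentials are constructed assumptions.

```python
# Added example; the server, /login, /apps, the sid cookie and user/password are constructed assumptions.
import secrets, threading, urllib.error, urllib.parse
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import HTTPCookieProcessor, ProxyHandler, build_opener

class Handler(BaseHTTPRequestHandler):
    sessions = set()  # server-side store of issued session ids, shared by all requests
    def reply(self, code, body=b"", sid=None):
        self.send_response(code)
        if sid:
            self.send_header("Set-Cookie", "sid=%s; HttpOnly; Path=/" % sid)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):  # /login: verify the form, then issue a session cookie
        raw = self.rfile.read(int(self.headers["Content-Length"])).decode()
        form = urllib.parse.parse_qs(raw)
        ok = form.get("username") == ["user"] and form.get("password") == ["password"]
        if self.path != "/login" or not ok:
            return self.reply(401)
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        self.reply(200, b'{"logged_in": "yes"}', sid)

    def do_GET(self):  # /apps: served only when a known session cookie is presented
        morsel = SimpleCookie(self.headers.get("Cookie", "")).get("sid")
        if morsel and morsel.value in self.sessions:
            return self.reply(200, b'["app1"]')
        self.reply(401)

def status(opener, url, data=None):
    try:
        return opener.open(url, data=data, timeout=5).status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    bare = build_opener(ProxyHandler({}))  # like requests.get(): carries no cookies
    keeper = build_opener(ProxyHandler({}), HTTPCookieProcessor(CookieJar()))  # like requests.Session()
    creds = urllib.parse.urlencode({"username": "user", "password": "password"}).encode()
    steps = [status(bare, base + "/apps"), status(keeper, base + "/login", creds),
             status(keeper, base + "/apps"), status(bare, base + "/apps")]
    server.shutdown()
    return steps
```

demo() returns the four status codes in order: the cookie-less call before login, the login, the cookie-carrying call, and a cookie-less call made after someone else has logged in.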