On Monday, November 20, 2017 at 3:08:56 PM UTC-8, Val K wrote:
>
>
> Hi, you can use requests.Session:
>
> #in default
> session = requests.Session()
>
session is an already-defined global.
 

> url_login = 'http://..../api/login.json'   
>

Shouldn't you be using the URL helper?  For my setup, I tried 
'URL("user/login",scheme="https", host=True)' since I don't have a second 
controller where I'm testing, and the default/user/login is the normal 
method for me.

> #requests.packages.urllib3.disable_warnings()  # uncomment if you use a self-signed cert over https
> r = session.get(url_login, verify=True)  # set verify=False if you use a self-signed cert over https
>
>
I'm not sure about this.  As is, it produces a ticket for "get() takes no 
keyword arguments".  Taking out the verify, I get a result of 'None'.  That 
doesn't seem to be useful to me.

/dps

 

> form = dict(username = 'user', password = 'password')
> r = session.post(url_login, data = form)
> if r.status_code == 200:  # server OK
>     response_data = json.loads(r.text)
>     logged_in = 'logged_in' in response_data.keys()
>     # if logged_in == True - session is authorized, so use session.post/get ... to request api
>
>
> #in api
> @request.restful()
> def login():
>     response.view = 'generic.json'
>     user = request.vars.username
>     password = request.vars.password
>     if auth.login_bare(user, password):
>         return dict(logged_in = 'yes')
>
> # auth.requires_login() redirects to login form, but it's redundant for api
> # instead of auth.requires_login() you can write your own simple decorator:
> def api_requires_login(f):
>     def wrapper(*args, **kwargs):
>         # check at call time, not when the decorator is applied
>         if auth.is_logged_in():
>             return f(*args, **kwargs)
>         raise HTTP(401) # or return something
>     return wrapper
>
> On Tuesday, November 14, 2017 at 8:05:36 PM UTC+3, Carlos A. Armenta 
> Castro wrote:
>>
>> Hi Leandro, I'm writing to you in Spanish because, seeing your name, it seems 
>> to me that you speak Spanish; correct me if I'm wrong and I'll write it in English.
>>
>>
>>
>> On Monday, November 13, 2017, 7:14:00 (UTC-7), Leandro Sebastian 
>> Salgueiro wrote:
>>
>>> I added then the requires_login to api controller and then I test both 
>>> URLs independently from browser, it works ok (login to web2py ->  go to 
>>> /api/apps -> get my results) however if I do the GET request using 
>>> requests.get from default controller I get a *Non Authorized* message 
>>> and redirect to login form.
>>>
>>
>> In this case, in your code:
>>
>> def index():
>>     import requests
>>     json = requests.get(URL('api', 'apps', host=True))
>>
>>
>> What you are doing is starting another session in your same app, but you 
>> are not sending it the credentials for the login. My understanding is that 
>> every time you invoke requests you create a new session, so you have to 
>> log in each time.
>>
>> What you are doing in your code seems a bit strange to me, because if you 
>> are already signed in I don't know why you are trying to sign in again. I 
>> recommend approaching the problem in a different way. Web2Py is rock solid 
>> when it comes to security; you shouldn't worry about security problems 
>> once you are already signed in to your app.
>>
>> If you need extra security for your app, then I recommend using JWT 
>> tokens with Web2Py http://web2py.readthedocs.io/en/latest/tools.html
>>
>>> jwt() <http://web2py.readthedocs.io/en/latest/_modules/gluon/tools.html#Auth.jwt>
>>>
>>> To use JWT authentication:
>>>
>>> 1) Instantiate auth with:
>>>
>>> auth = Auth(db, jwt = {'secret_key':'secret'})
>>>
>>> where ‘secret’ is your own secret string.
>>>
>>> 2) Decorate functions that require login but should accept the JWT 
>>> token credentials:
>>>
>>> @auth.allows_jwt()
>>> @auth.requires_login()
>>> def myapi(): return 'hello %s' % auth.user.email
>>>
>>> Notice jwt is allowed but not required. If user is logged in, myapi is 
>>> accessible.
>>>
>>> 3) Use it!
>>>
>>> Now API users can obtain a token with
>>>
>>> http://.../app/default/user/jwt?username=...&password=....
>>>
>>> (returns json object with a token attribute). API users can refresh an 
>>> existing token with
>>>
>>> http://.../app/default/user/jwt?token=...
>>>
>>> They can authenticate themselves when calling http:/.../myapi by 
>>> injecting a header
>>>
>>> Authorization: Bearer <the jwt token>
>>>
>> Regards, and good luck with your app.
>>
>>> Hi,
>>>
>>> I have two controllers on the same app:
>>>
>>> TestApp
>>> |
>>> |---default.py
>>> |---api.py
>>>
>>> api is a restful service that will call other services. For security 
>>> reasons I would like all calls to these services to be passed through the 
>>> api restful. (It will work like a proxy in this case.)
>>>
>>> I tried the following:
>>>
>>> in default.py :
>>>
>>> @auth.requires_login()
>>> def index():
>>>     import requests
>>>     json = requests.get(URL('api', 'apps', host=True))
>>>     return {"json": json.content}
>>>
>>>
>>> in api.py:
>>>
>>> import requests
>>> apps_url = 'http://localhost:8091/apps'
>>>
>>>
>>> @auth.requires_login()
>>> @request.restful()
>>> def apps():
>>>     response.view = 'generic.json'
>>>     def GET(*args,**vars):
>>>         r = requests.get(apps_url)
>>>         return r
>>>     return dict(GET=GET)
>>>
>>>
>>> If I test this without the api's login decorator everything works fine. 
>>> However I can access this restful from anywhere else... 
>>> I added then the requires_login to api controller and then I test both 
>>> URLs independently from browser, it works ok (login to web2py ->  go to 
>>> /api/apps -> get my results) however if I do the GET request using 
>>> requests.get from default controller I get a *Non Authorized* message 
>>> and redirect to login form.
>>>
>>> What am I missing here? I thought that if I was in the same app, auth 
>>> session would be shared among different controllers... 
>>>
>>> Any hint on this would be most welcome.
>>> Thanks in advance.
>>> Leandro
>>>
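
Why the server-side requests.get in the original question is refused while a cookie-keeping client that logs in first is accepted, as an added example that is not code from this thread or from web2py. The toy `App` server, `SESSION_ID`, the `/login` and `/api/apps` paths and the `user`/`password` credentials are constructed stand-ins, and standard-library `urllib` openers stand in for `requests.get` and `requests.Session`.

```python
import threading
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import HTTPCookieProcessor, ProxyHandler, build_opener

SESSION_ID = "constructed-session-id"  # stand-in for the framework's session cookie

class App(BaseHTTPRequestHandler):
    """Toy server (not web2py): POST /login sets a cookie, GET /api/apps needs it."""
    def log_message(self, *args):  # silence per-request logging
        pass

    def reply(self, code, body, cookie=None):
        self.send_response(code)
        if cookie:
            self.send_header("Set-Cookie", "session_id=%s; Path=/; HttpOnly" % cookie)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        form = parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        if form.get("username") == ["user"] and form.get("password") == ["password"]:
            return self.reply(200, b'{"logged_in": "yes"}', cookie=SESSION_ID)
        self.reply(401, b"{}")

    def do_GET(self):  # answer 401 rather than redirecting an API client to a login form
        authed = "session_id=" + SESSION_ID in self.headers.get("Cookie", "")
        self.reply(200 if authed else 401, b'["app1"]' if authed else b"{}")

def status(opener, url, data=None):
    try:
        return opener.open(url, data, timeout=5).status
    except HTTPError as err:
        return err.code

def demo():
    server = HTTPServer(("127.0.0.1", 0), App)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    direct = ProxyHandler({})  # never route the loopback demo through a proxy
    bare = build_opener(direct)  # like a one-off requests.get(): sends no cookie
    session = build_opener(direct, HTTPCookieProcessor(CookieJar()))  # like requests.Session()
    creds = urlencode({"username": "user", "password": "password"}).encode()
    results = [status(bare, base + "/api/apps"), status(session, base + "/login", creds),
               status(session, base + "/api/apps"), status(bare, base + "/api/apps")]
    server.shutdown()
    return results
```

The login cookie is held by the client that performed the login, so a second client in the same process (or the same app) starts with no session and is still refused.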
