Thanks Anthony, All,

I know that what I'm trying to do here is kind of twisted ..

I have a quite complex structure of microservices on the backend that needs to 
be accessed by the frontend. My final idea (at the end of the project) is to 
use JWT on every microservice, but in the meantime (as I need basic 
protection for beta testers) I was hoping to have a second controller 
working as a proxy and let web2py handle auth.

In an ideal world :-) I was thinking that the API would share auth with the default 
controller, as it is part of the same app, so if the user is logged in it can 
use the API to make calls to the other endpoints... (in this way only 
web2py is exposed and I keep the other microservices protected inside the 
LAN). 
By the way, when I try each controller from the browser it works OK... the 
problem is the communication between controllers... but after all these 
explanations I have a much better view of what is going on.

It seems now that my "quick" workaround was not that simple (unless there 
is a magical solution somewhere) and it is easier to directly implement JWT on 
all my microservices and frontend.

Thanks a lot for all these comments...

BR

Leandro



On Tuesday, November 21, 2017 at 13:47:40 UTC+1, Anthony wrote:
>
> What are you really trying to do? Is the API simply being called from the 
> browser, or are other types of clients calling it? If the latter, you 
> might look into using JWT auth, as session based authentication doesn't 
> work well for non-browser clients unless you get them to maintain a session 
> by passing the session cookie back and forth. If the only client is the 
> browser, just have it make Ajax calls directly to the API endpoints -- no 
> reason to pass requests through an endpoint in another controller.
>
> Anthony
>
> On Monday, November 13, 2017 at 9:14:00 AM UTC-5, Leandro Sebastian 
> Salgueiro wrote:
>>
>> Hi,
>>
>> I have two controllers on the same app:
>>
>> TestApp
>> |
>> |---default.py
>> |---api.py
>>
>> api is a restful service that will call other services. For security 
>> reasons I would like all calls to these services to be passed through the api 
>> restful. (It will work like a proxy in this case.)
>>
>> I tried the following:
>>
>> in default.py :
>>
>> @auth.requires_login()
>> def index():
>>     import requests
>>     json = requests.get(URL('api', 'apps', host=True))
>>     return {"json": json.content}
>>
>>
>> in api.py:
>>
>> import requests
>> apps_url = 'http://localhost:8091/apps'
>>
>>
>> @auth.requires_login()
>> @request.restful()
>> def apps():
>>     response.view = 'generic.json'
>>     def GET(*args, **vars):
>>         # proxy the call to the internal service
>>         r = requests.get(apps_url)
>>         return r
>>     return dict(GET=GET)
>>
>>
>> If I test this without the api's login decorator everything works fine. 
>> However, I can access this restful from anywhere else... 
>> I then added requires_login to the api controller, and when I test both 
>> URLs independently from the browser, it works OK (login to web2py -> go to 
>> /api/apps -> get my results); however, if I do the GET request using 
>> requests.get from the default controller I get a *Non Authorized* message 
>> and a redirect to the login form.
>>
>> What am I missing here? I thought that if I was in the same app, the auth 
>> session would be shared among different controllers... 
>>
>> Any hint on this would be most welcome.
>> Thanks in advance.
>> Leandro
>>
>>
>>
>>
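
The thread settles on JWT for calls that do not carry the browser's session cookie, such as the server-side `requests.get` in `default.py`. As an added example (not code from the thread or from web2py), here is a standard-library HS256 issue/verify pair and a hypothetical service handler; `SECRET`, `issue_token`, `verify_token`, `apps_endpoint` and all sample values are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: shared by the issuer and each service

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user_id, ttl=300, now=None):
    """Mint an HS256 JWT once the user has logged in."""
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{_b64(_sign(header + '.' + payload))}"

def verify_token(token, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    now = int(time.time() if now is None else now)
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_unb64(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        expected = _sign(header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None  # signature mismatch: forged or tampered token
        claims = json.loads(_unb64(payload_b64))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token

def apps_endpoint(headers):
    """Hypothetical microservice handler: authenticates from the header alone,
    so it works for a server-side caller that holds no session cookie."""
    auth = headers.get("Authorization", "")
    claims = verify_token(auth[7:]) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, {"error": "unauthorized"}
    return 200, {"user": claims["sub"], "apps": ["constructed-app"]}

if __name__ == "__main__":
    print(apps_endpoint({}))  # no credentials, as with a bare requests.get
    print(apps_endpoint({"Authorization": "Bearer " + issue_token("leandro")}))
```
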
