On Sunday, October 14, 2018 at 7:05:56 AM UTC-7, Jaime Sempere wrote:
>
> Hi,
>
> I have had a lot of problems setting up a REST API with basic auth; 
> finally I have used the following code. I am leaving it here for anyone 
> that may need it:
>
> from gluon.serializers import json
> auth.settings.allow_basic_login = True
>
>
> @request.restful()
> def api():
>
>     response.view = 'generic.json'
>     response.headers["Access-Control-Allow-Origin"] = '*'
>     response.headers['Access-Control-Max-Age'] = 86400
>     response.headers['Access-Control-Allow-Headers'] = '*'
>     response.headers['Access-Control-Allow-Methods'] = '*'
>     response.headers['Access-Control-Allow-Credentials'] = 'true'
>
>     @auth.requires_login()
>     def GET(id):
>         return json(get_post_if_user_belongs_to_blog(id, auth))
>
>     @auth.requires_login()
>     def PUT(id, **fields):
>         return get_post_if_user_belongs_to_blog(id, auth).update_record(**fields)
>
>     @auth.requires_login()
>     def POST(*args, **fields):
>         return db.posts.validate_and_insert(blog_id=auth.user.blog_id,
>                                             user_id=auth.user.id, **fields)
>
>     @auth.requires_login()
>     def DELETE(id):
>         get_post_if_user_belongs_to_blog(id, auth).delete_record()
>         return dict(action="deleted", status="ok", id=id)
>
>     # *args: request.args are passed positionally, and a preflight
>     # request may carry none or several of them
>     def OPTIONS(*args, **vars):
>         print 'doing post options'
>         headers = {"Access-Control-Allow-Origin": '*',
>                    'Access-Control-Max-Age': 86400,
>                    'Access-Control-Allow-Headers': '*',
>                    'Access-Control-Allow-Methods': '*',
>                    'Access-Control-Allow-Credentials': 'true'}
>         raise HTTP(200, **headers)
>
>     return locals()
>
>
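> def get_post_if_user_belongs_to_blog(id, auth):
>     my_post = db.posts[id]
>     # db.posts[id] is None when the record does not exist
>     if my_post is None:
>         raise HTTP(404, 'not found')
>     # Stop here instead of returning a string: PUT and DELETE call
>     # update_record()/delete_record() on the returned value
>     if my_post.blog_id != auth.user.blog_id:
>         raise HTTP(403, 'not authorized')
>     return my_post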
>
>
> Forget about most of the code and pay attention to the annotations.
>
> Maybe I am not 100% right in the whole approach, but this is what I have 
> needed:
>
> - OPTIONS needs to be without authentication, so I have removed 
> @auth.requires_login from the main method (def api()) and I have annotated 
> the GET, PUT, POST and DELETE methods.
> - I have needed to set up headers on OPTIONS too, to avoid CORS issues
>
> I hope that this can help somebody. I plan to move basic auth to JWT or 
> another auth method.
>
> Thanks!
>


Why is OPTIONS doing a raise HTTP if the status you're setting is 200?

/dps
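
An added example, not part of either message above: the posted headers pair `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`, a combination browsers refuse on credentialed requests, and a `*` in `Access-Control-Allow-Headers` does not cover `Authorization`. The helper below builds the headers from an origin allowlist instead; `cors_headers`, `ALLOWED_ORIGINS` and the sample origins are hypothetical names and constructed values, and the function is framework-independent rather than web2py API.

```python
# Added example: hypothetical helper, constructed sample origins.
ALLOWED_ORIGINS = frozenset([
    "https://app.example.com",
    "https://admin.example.com",
])
ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS"
# Authorization must be named explicitly; "*" does not match it.
ALLOWED_HEADERS = "Authorization, Content-Type"


def cors_headers(origin, preflight=False, allowed=ALLOWED_ORIGINS):
    """Return the CORS response headers for a request with this Origin.

    A missing Origin header or an origin outside the allowlist gets no
    CORS headers at all, so the browser blocks the cross-origin read.
    """
    if not origin or origin not in allowed:
        return {}
    headers = {
        # Echo the exact origin: "*" is rejected when credentials are sent.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Keep shared caches from replaying one origin's answer to another.
        "Vary": "Origin",
    }
    if preflight:
        # Only the OPTIONS preflight needs the method/header/max-age set.
        headers.update({
            "Access-Control-Allow-Methods": ALLOWED_METHODS,
            "Access-Control-Allow-Headers": ALLOWED_HEADERS,
            "Access-Control-Max-Age": "86400",
        })
    return headers


if __name__ == "__main__":
    samples = ("https://app.example.com", "https://other.example.net", None)
    for sample_origin in samples:
        print(sample_origin, cors_headers(sample_origin, preflight=True))
```

In a controller like the one posted, the returned dict would be merged into `response.headers` for the authenticated methods and passed to the `OPTIONS` response with `preflight=True`, using the request's `Origin` header as input.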