开发者

Authentication on App Engine / Python / Django non-rel over JSON

I'm building a site on Google App Engine, running python and Django non-rel. Everything is working great for HTML and posting/reading data. But as I'm moving forward I'd like to do many of the updates with AJAX, and eventually also over mobile devices like Android and iPhone.

My pages use django non-rel and my login/logout authentication works great for the HTML. But update information sent over JSON would have to be authenticated that the user can make the changes. I see how doing authentication for just AJAX calls wouldn't be too difficult since your still hitting the website, but what about when throwing in开发者_StackOverflow mobile phone authentication?

So I'm new to this, where do I start?

How can I set up services on gae so I can do authenticated CRUD operations? Ideally I'd like to use the exact same REST services for ajax, android, etc.


Python makes this pretty easy, you can just create a decorator method of checking the auth and add the decorator to any method requiring auth credentials.

def admin(handler_method):
  """
  This decorator requires admin, 403 if not.
  """
  def auth_required(self, *args, **kwargs):
    if users.is_current_user_admin():
      handler_method(self, *args, **kwargs)
    else:
      self.error(403)
  return auth_required

...

@admin
def crudmethod_update(self, *args, **kwargs):
  ...

Mind you, this assumes a few things about how you are grabbing user data and such but the principal is the same with any setup. The notion you may be laboring under is that ajax calls are handled somehow differently on the server, but just like any restful method you are really getting the same headers. If you can check the authentication on the standard html request you can quite literally hijack the form submission with an ajax request and get the same result back. You may want to get JSON back instead or a smaller piece of HTML and for that you want to either:

  1. Add something you can check in the request to know that it is an ajax request and adjust accordingly.

  2. Implement an RPC Model for handling ajax requests specifically.

For actually handling authentication you can use the google.appengine.ext users library and ride on the google accounts auth or you can write your own. Writing your own of course means implementing a session mechanism (for retaining state across the user session) and storing the passwords in a hashed and salted state for verification.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜