James, Thanks for the response! I'll do as you recommend.
On Jan 4, 12:57 pm, James Gardner <[email protected]> wrote:
> Hi Jamie,
>
> It sounds like you already have a fairly sophisticated setup so I'd
> recommend rolling your own but using the AuthKit code as an example
> for anything you wish to build yourself.
>
> One tip though, I now believe using exceptions to trigger the 401 and
> 403 responses and then intercepting them in WSGI middleware is not a
> good design pattern. New code I'm working on generates a normal
> response in the authorization decorators or wherever the check fails
> instead of in the WSGI middleware. This avoids problems with other
> middleware components intercepting exceptions when they aren't
> supposed to and also avoids issues around the WSGI middleware trying
> to generate a page using objects which are only available where the
> exception was raised. It is just less tangled so I'd recommend you
> avoid using exceptions in your own code too.
>
> Cheers,
>
> James
>
> (AuthKit author)
>
> On Jan 2, 2:36 am, Jamie <[email protected]> wrote:
>
> > I'm working on porting an old PHP project of mine over to Pylons. For
> > authentication this project mainly uses a lot of Postgres stored
> > procedures. As well as checking valid login attempts, the database
> > generates and tracks authentication tokens that are stored client-side
> > in cookies. Each token is calculated by hashing the username, ip
> > address, useragent, and some other stuff. Current valid tokens are
> > stored in a db table. The cookie expiration (token timeout) is
> > automatically updated each time the token is used, up to a maximum
> > lifetime. If I expect to port this app over successfully, this
> > authentication system cannot be altered at this time.
>
> > I know that I can use a customized authentication backend with
> > AuthKit, but I'm not sure that it's made to be tweaked this thoroughly
> > (short of essentially forking it...meh). But I do like middleware-ish
> > features like the decorators and intercepting HTTP status codes.
>
> > Should I roll-my-own solution now and maybe port it over to AuthKit
> > down the road, or can I drop-in the functionality I need without
> > murdering the existing code too much?

--
You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/pylons-discuss?hl=en.
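The pattern recommended in the quoted reply, as an added example that is not part of the thread and is not AuthKit code: an authorization decorator that builds the 401 or 403 response itself at the point where the check fails, so an unrelated exception-catching middleware cannot misread it. The `example.permissions` environ key, the `catch_all` middleware, the `reports` app and the Basic realm are assumptions made for the illustration.

```python
from functools import wraps

def respond(start_response, status, text, extra=()):
    """Send a plain-text response from wherever the check failed."""
    body = text.encode("utf-8")
    headers = [("Content-Type", "text/plain; charset=utf-8"),
               ("Content-Length", str(len(body)))]
    start_response(status, headers + list(extra))
    return [body]

def authorize(permission):
    """Decorator for WSGI callables that answers 401/403 itself, no exceptions."""
    def decorator(app):
        @wraps(app)
        def wrapper(environ, start_response):
            user = environ.get("REMOTE_USER")  # set by the login layer
            granted = environ.get("example.permissions", ())  # hypothetical key
            if user is None:
                return respond(start_response, "401 Unauthorized",
                               "Authentication required\n",
                               [("WWW-Authenticate", 'Basic realm="example"')])
            if permission not in granted:
                # Request data is still in scope here, unlike in outer middleware.
                return respond(start_response, "403 Forbidden",
                               "%s may not access %s\n"
                               % (user, environ.get("PATH_INFO", "")))
            return app(environ, start_response)
        return wrapper
    return decorator

def catch_all(app):
    """Stand-in for unrelated middleware that turns any exception into a 500."""
    def middleware(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            return respond(start_response, "500 Internal Server Error", "error\n")
    return middleware

@authorize("reports.view")
def reports(environ, start_response):
    return respond(start_response, "200 OK", "report data\n")

def call(app, environ):
    """Run a WSGI app on a constructed environ; return (status, body)."""
    seen = []
    body = b"".join(app(dict(environ), lambda status, headers, exc_info=None: seen.append(status)))
    return seen[0], body

app = catch_all(reports)  # the denial passes through the catch-all untouched
```

Because the denial is an ordinary response, `catch_all` never sees an exception and the 401 or 403 reaches the client instead of being rewritten as a 500.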
