I actually only check the signature of the named JWT cookie and, if I can decode it, allow the user to continue or not.

But I'm not sure it's good behavior; there isn't actually any match test with the server. Shouldn't the user id be stored somewhere on the server side in order to make a match? If yes, where should I store it? I really don't find it by reading Pyramid's code. (And I'm new to security.) Thank you! I will certainly paste the code once cleaned.

On Thursday, 2 July 2015 16:32:35 UTC+2, Paul Everitt wrote:
> Is your JWTAuthTktCookieHelper successful in setting request.authenticated_userid?
>
> Pyramid keeps a pretty nice separation between authentication, permissions, and ACLs. I suggest you use this to your advantage. First, make sure that your authentication works and ignore authorization. Here's the step in the Pyramid quick tutorial that does authentication without worrying about authorization (or databases):
>
> http://docs.pylonsproject.org/projects/pyramid//en/latest/quick_tutorial/authentication.html
>
> If you can get that tutorial step working with your JWT-in-cookies (meaning, after login, you can print request.authenticated_userid), *then* worry about authorization and databases.
>
> —Paul
>
> On Jul 2, 2015, at 9:33 AM, Matheo <[email protected]> wrote:
>
> > Hello,
> >
> > I don't understand very well how authentication/authorization works with Pyramid. I mean, how does the server remember whether or not the user can access a classic route like this one, for instance:
> >
> > @view_config(
> >     route_name='core/currentUser',
> >     renderer='json'
> > )
> >
> > # default permission already set to read:
> > config.set_default_permission('read')
> >
> > And after the user has already passed the login check function:
> >
> > from pyramid.httpexceptions import HTTPUnauthorized
> > from pyramid.security import NO_PERMISSION_REQUIRED, remember
> > from pyramid.view import view_config
> > import transaction
> >
> > @view_config(
> >     route_name=route_prefix + 'login',
> >     permission=NO_PERMISSION_REQUIRED,
> >     request_method='POST')
> > def login(request):
> >     user_id = request.POST.get('user_id', '')
> >     pwd = request.POST.get('password', '')
> >     # .first() returns None for an unknown user; .one() would raise NoResultFound
> >     # before the "is not None" check below could ever run
> >     user = DBSession.query(User).filter(User.id == user_id).first()
> >     if user is not None and user.check_password(pwd):
> >         headers = remember(request, user_id)
> >         response = request.response
> >         response.headerlist.extend(headers)
> >         transaction.commit()
> >         return response
> >     else:
> >         transaction.commit()
> >         return HTTPUnauthorized()
> >
> > Actually I want to overwrite the authentication system in order to use a JSON Web Token cookie. This post presents what I want to do: https://github.com/ajkavanagh/pyramid_jwtauth/issues/9 (mine). I started, among other stuff, to write a JWTAuthTktCookieHelper class in order to keep more or less the AuthTktAuthenticationPolicy behaviors (remember function) but with a JWT cookie and through the JWTAuthenticationPolicy <https://github.com/ajkavanagh/pyramid_jwtauth/blob/master/pyramid_jwtauth/__init__.py> (optional, I can extend AuthTktAuthenticationPolicy). I'm not sure it's enough; I don't see how the permissions are kept server side. Is it via a session?
> >
> > Hoping to be clear. Thank you!
> >
> > (be back on Saturday)
> >
> > --
> > You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at http://groups.google.com/group/pylons-discuss.
> > For more options, visit https://groups.google.com/d/optout.
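Matheo's question (a signature check alone versus a match against the server) and Paul's advice to get request.authenticated_userid working before touching authorization both fit the same small example. The following is added code, not from the thread and not from pyramid_jwtauth: a stdlib-only helper with the identify/remember shape of AuthTktCookieHelper that verifies an HS256 JWT cookie, plus a groupfinder-style callback that supplies the server-side match. The signing key, cookie name, USERS table and FakeRequest are constructed assumptions.

```python
import base64, hashlib, hmac, json, time
from collections import namedtuple

USERS = {"alice": ["group:editors"]}  # constructed stand-in for the User table
FakeRequest = namedtuple("FakeRequest", "cookies")  # stand-in for a Pyramid request

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_jwt(claims, secret):
    head = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def decode_jwt(token, secret):
    """Claims only if the token is well formed, HS256, signed with `secret` and unexpired."""
    parts = token.split(".")
    if len(parts) != 3 or json.loads(_unb64url(parts[0])).get("alg") != "HS256":
        return None  # only the algorithm the server itself signs with is accepted
    head, body, sig = parts
    expect = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(body))
    return claims if claims.get("exp", 0) > time.time() else None

class JWTCookieHelper:
    """identify/remember with the shape of AuthTktCookieHelper, but a JWT cookie."""
    # constructed defaults: the HS256 signing key and the cookie name are assumptions
    def __init__(self, secret=b"constructed-demo-secret", cookie_name="auth_jwt", max_age=3600):
        self.secret, self.cookie_name, self.max_age = secret, cookie_name, max_age
    def identify(self, request):
        token = request.cookies.get(self.cookie_name)
        return decode_jwt(token, self.secret) if token else None
    def remember(self, request, userid):
        token = encode_jwt({"sub": userid, "exp": int(time.time()) + self.max_age}, self.secret)
        return [("Set-Cookie", f"{self.cookie_name}={token}; HttpOnly; Path=/")]

def groupfinder(userid, request):
    return USERS.get(userid)  # principals for a user the server still knows, else None

def authenticated_userid(helper, request):
    """Signature check (identify) plus the server-side match (groupfinder)."""
    claims = helper.identify(request)
    userid = claims.get("sub") if claims else None
    return userid if userid and groupfinder(userid, request) is not None else None
```

In a real Pyramid application the same split is what the policy's `callback=` argument provides: a validly signed cookie for a user the database no longer knows yields no authenticated_userid, which is the server-side match the question asks about.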
