Hello all! I've been thinking of a way I could create an application-wide handler that would authenticate a user when a token is present in the query string (...?token=XXX). I ended up with two approaches and would like to know if either of them is preferred in Pyramid, or if there is any problem with the solutions I came up with. So here goes (at the end there's a link to a demonstration project I uploaded to Github):
1. Authentication via request handler and redirect

Seems like the shortest code: a request handler checks for the `token` GET parameter and, having found it, pops it and emits a redirect to the same URL with that parameter removed, also saving the login cookie with `remember`. Seems good and simple, but an additional request is made due to the redirect.

<https://github.com/edudobay/pyramid-auth-example/tree/9c3539406edf84ecda9585b4c19f4d38401eec44#authentication-via-custom-policy>

2. Authentication via custom policy

To avoid this extra request, I ended up subclassing the default AuthTktAuthenticationPolicy and adding extra functionality that checks for the `token` parameter. In this check I add a callback that will use `remember` to include the necessary headers in the response. I needed to add a new field to the Request object — and I don't know if this is a good practice — to save the username (read from the token), allowing me to pop the `token` from the GET dictionary — otherwise the callback would be re-added every time the property is read.

Concerning this added field, I found this example of @reify while searching through the discussion list, but I'm not sure it suits my needs, or even if it makes any improvement in my case... http://plope.com/static/pyramid_cookbook/authentication.html

---

The demonstration: https://github.com/edudobay/pyramid-auth-example/tree/9c3539406edf84ecda9585b4c19f4d38401eec44

---

Thanks so much!
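The redirect variant (approach 1) in framework-neutral form, as an added example that is not code from the post or from the linked demonstration project. It assumes a plain WSGI app instead of Pyramid, a `user:expiry:mac` HMAC token format chosen for this example, and a directly written session cookie standing in for whatever Pyramid's `remember` would emit; all three are assumptions, not anything the post describes. The point it shows is the one that makes the extra round trip worth it: the token is validated with a constant-time comparison, then stripped from the URL before the redirect, so the credential does not linger in browser history, bookmarks or the Referer header of subsequent requests.

```python
"""Query-string token login: validate the token, set the session cookie,
then redirect to the same URL with the token removed (approach 1)."""
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"demo-secret-not-for-production"
TOKEN_TTL = 600          # seconds a login link stays valid (assumed policy)
COOKIE_NAME = "auth_tkt"  # stand-in for the cookie remember() would set


def make_token(username, secret=SECRET, ttl=TOKEN_TTL, now=None):
    """Build a 'user:expiry:mac' token (format is an assumption of this example).
    Usernames must not contain ':' because that is the field separator."""
    expiry = int(now if now is not None else time.time()) + ttl
    payload = f"{username}:{expiry}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{username}:{expiry}:{mac}"


def verify_token(token, secret=SECRET, now=None):
    """Return the username for a well-formed, authentic, unexpired token; else None."""
    try:
        username, expiry_s, mac = token.split(":")
        expiry = int(expiry_s)
    except ValueError:
        return None
    payload = f"{username}:{expiry}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be refined byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    if (now if now is not None else time.time()) >= expiry:
        return None
    return username


def strip_token(query_string):
    """Pop every 'token' parameter; return (first_token_or_None, remaining_query)."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    tokens = [v for k, v in pairs if k == "token"]
    rest = [(k, v) for k, v in pairs if k != "token"]
    return (tokens[0] if tokens else None), urlencode(rest)


def app(environ, start_response):
    """Minimal WSGI app. A request carrying ?token= either gets a 302 to the
    token-free URL plus a session cookie, or a 403; other requests get a page."""
    path = environ.get("PATH_INFO", "/")
    token, rest = strip_token(environ.get("QUERY_STRING", ""))
    if token is not None:
        username = verify_token(token)
        if username is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"invalid or expired token\n"]
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = username  # remember() would sign this; this demo does not
        cookie[COOKIE_NAME]["httponly"] = True   # keep it away from page scripts
        cookie[COOKIE_NAME]["secure"] = True     # never send over plain HTTP
        cookie[COOKIE_NAME]["samesite"] = "Lax"
        cookie[COOKIE_NAME]["path"] = "/"
        location = path + ("?" + rest if rest else "")  # same URL, token gone
        start_response("302 Found", [
            ("Location", location),
            ("Set-Cookie", cookie[COOKIE_NAME].OutputString()),
        ])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello from {path}\n".encode()]


def call(environ):
    """Drive app() with a fake environ; return (status, headers_dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed request: a login link that also carries an unrelated parameter.
    env = {"PATH_INFO": "/doc", "QUERY_STRING": "page=2&token=" + make_token("alice")}
    print(call(env))
```

With Pyramid the same shape holds: the handler pops `token` from `request.GET`, calls `remember(request, username)` for the headers, and returns `HTTPFound(location=..., headers=...)`; the cookie flags above are the ones to carry over to the `AuthTktAuthenticationPolicy` configuration.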
