>From a security standpoint the they have the same problem but at least the latter is not blocked by browser and you can test it in the browser.
On Thursday, 7 August 2014 06:03:20 UTC-5, lyn2py wrote: > > Ok thank you for pointing out the security measures. I'm new to this so I > had no idea about it. > > Is it better to do away with *login:[email protected] <login%[email protected]>* > and use instead *url.com/call/jsonrpc/api_key > <http://url.com/call/jsonrpc/api_key> *, or what would be the correct / > recommended method to serve APIs with web2py? > > Thank you, I appreciate it. > > > On Thursday, August 7, 2014 4:09:16 AM UTC+8, Massimo Di Pierro wrote: >> >> You will find those parameters hashed in >> request.env.HTTP_AUTHORIZATION >> (this puzzles me because it is supposed to >> be request.env.http_authorization) in web2py. >> >> Anyway, this method of authentication is discouraged for security reasons >> and most browsers including Chrome and IE strip the from the URL: >> http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;834489 >> >> On Tuesday, 5 August 2014 21:39:10 UTC-5, lyn2py wrote: >>> >>> Hi Massimo, in case you missed this, this is a call out, I hope you can >>> shed some light on this. >>> >>> If I would like to do something like: >>> >>> http://api_key:api_secret@some_url.com/default/call/jsonrpc >>> >>> >>> >>> On Thursday, July 31, 2014 2:19:36 PM UTC+8, lyn2py wrote: >>>> >>>> Thanks Leonel! I just thought that web2py had something like that >>>> already in place, perhaps needed to add a correct decorator, and I didn't >>>> need to reinvent the wheel. >>>> >>>> Sidenote to Massimo: What do you think of the idea? Have a decorator to >>>> check for a special field or fields (API key related, like API key, API >>>> secret) in order to get a particular / restricted access to the API calls. >>>> >>>> >>>> >>>> On Thursday, July 31, 2014 2:06:21 AM UTC+8, Leonel Câmara wrote: >>>>> >>>>> An easy way would be to have your default.py/call function check the >>>>> API key and raise HTTP(403) if it's not valid. You could subclass Auth, >>>>> make your own basic_login using the API key, use that as the Auth for >>>>> your >>>>> application, and then use auth.requires_login() in call, but it seems >>>>> unnecessarily complicated for this. >>>>> >>>> -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
