[web2py] How to control authorization to REST api

Sat, 30 May 2015 11:32:44 -0700 

I'm trying to implement a REST api. I've coded the following:

@request.restful()
def api():
    response.view = 'generic.json'
    # curl -k --user tyr...@yahoo.ca:Lannister -G -d "var1=something1" -d 
"var2=something2"
    #     
https://miramar21.com/tut_server/default/api/verify/person/:usr/:pwd
    #     https://miramar21.com/tut_server/default/api/add/person
    #     https://miramar21.com/tut_server/default/api/update/person/:id
    def GET(*args,**vars):
        auth.basic()
        if not auth.user:
            return dict(unauthorized=True)
        try:
            if args[0] == 'verify':
                if len(args) > 3:
                    table_name = args[1]
                    usr = args[2]
                    pwd = args[3]
                    alg = 'pbkdf2(1000,20,sha512)'
                    hash = str(CRYPT(digest_alg=alg,salt=False)(pwd)[0])
                    row = db(db[table_name].email==usr).select().first()
                    if row:
                        status = True if row.password == hash else False
                        return dict(verified=status,id=row.id)
                return locals()
            if args[0] == 'add':
                if len(args) > 1:
                    table_name = args[1]
                    return db[table_name].validate_and_insert(**vars)
                return locals()
            if args[0] == 'update':
                if len(args) > 2:
                    table_name = args[1]
                    record_id = args[2]
                    return db(db[table_name]._id==record_id).
validate_and_update(**vars)
                return locals()
        except:
            return dict(fatal=True)
        return locals()
    return locals()

I have a feeling that I'm not doing user authorization for the REST api 
correctly, although the following cURL command works fine:

curl -k --user tyr...@yahoo.ca:Lannister https:
//miramar21.com/tut_server/default/api/verify/person/james.b...@outlook.com/Prometheus

When I try to use jQuery ajax to perform the same operation, it chokes on 
the user authorization, whether I use JS headers or beforeSend. So I 
suspect I'm doing something wrong. (But why is cURL working???)

I just want to control user authorization as simply and cleanly as possible.

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to