python - Authenticating Developers with APIKey and Users with BasicAuth/OAuth -


i've looked around can't seem find canonical answer. i'm trying follow best practices. maybe i'm thinking of wrong way.

i'm thinking of api users 2 different types: developers , end users, separate django models in separate applications.

developers build clients api, , have access resources of api without need of users login in. limit access, require them register , in exchange give them api key. dogfood say, build site frontend using angular , ios app. once developers build api clients, users of site, have created user account, use api clients created developers. in request clients expect developer name, api_key username/password (digest, if our own trusted client , oauth token thid party developers). require check 1) developers allowed use api checking apikey, , 2) authenticate end user. possible in tastypie?

am going wrong way? how double authentication?

we run production site exact scheme. of course you'll have own tunning. general idea good. have oauth inplace too, we've found it's not worth it. oauth complicated cases.

i'll explain do.

this app/developers part:

  1. we identify "apps" (ios, android, bb, site). each app has apiclient instance model. apiclient has 3 attrs: name, public key, , private key.

  2. we exchange public , private keys through safe channel apiclient owner (the app).

  3. the app must send every request indicating public key , signature generated private key (using hmac).

  4. everytime request, public key request, in db, see app belongs (the name) , check signature. if ok, request fulfilled.

for user authentication part:

  1. to authenticate user use other model apikey (provided tastypie). each user has apikey. model stores unique (we random) string. when user gets app he/she logs in api. app should issue request similar one:

    post /api/v1/login/ { 'username': 'xxx', 'password': 'xxx' }

    (please note need pass previous public/private key auth)

  2. if user provided right credentials return apikey unique key.

  3. every following request made app in behave of user must include key. that's way identify user trying each action.

an example of last part:

  1. user jon logs in in ios app. (using regular username , password)

  2. the app sends request:

    post /api/v1/login/ { 'username': 'jon', 'password': 'snow' }

  3. we have login api method. check if user exists , if pass ok. suppose it's ok.

  4. we sent apikey info:

    200 ok { 'username': 'jon', 'key': '$123$' }

  5. the app has authenticated user. needs use credentials.

  6. the user tries in app. suppose tries datetime app. app issue request:

    get /api/v1/date/

    authorization: apikey jon:$123$

that's it. it's not super safe. apikeys not invalidated. that's because create our own internal apps. it's worth note borrow stuff tastypie this. check out: http://django-tastypie.readthedocs.org/en/latest/authentication.html#apikeyauthentication


Comments

Post a Comment

Popular posts from this blog

c# - DetailsView in ASP.Net - How to add another column on the side/add a control in each row? -

i have detailsview control on page used edit various fields of record, works in respect. i looking way add 1 column (and if works, why not more) right, absolutely read-only, show same fields of record comparison purposes. i aware there no obvious way such thing out of box detailsview . have looked other controls (transposed gridview , recommended formview , listview ), nothing satisfies. have special data binding setup using detailsview , can't out of without losing features. anyone on how "hack in" additional columns (for display only) on detailsview ? the solution have now, use second detailsview , visible set false in aspx. in code, make sure databind hidden detailsview hosts data third column first, initial detailsview named itemdetails . and in item created event, pass third column html rendering of hidden controls (in last code block) : protected void itemdetails_itemcreated(object sender, eventargs e) { if (dataite
Read more

javascript - firefox memory leak -

i have following script (i use raphaeljs also) draws circle, waits 1 second, draws circle again, etc (you can copy paste - functional, need include raphael raphaeljs.com): <div id="holder"> </div> <script src="raphael.js" type="text/javascript"></script> <script> var paper = raphael(10, 50, 320, 200); var rad = math.pi / 180; var finangle = 0; function sector(cx, cy, r, startangle, endangle, params) { var x1 = cx + r * math.cos(-startangle * rad), x2 = cx + r * math.cos(-endangle * rad), y1 = cy + r * math.sin(-startangle * rad), y2 = cy + r * math.sin(-endangle * rad); return ["m", cx, cy, "l", x1, y1, "a", r, r, 0, +(endangle - startangle > 180), 0, x2, y2]; } var path = sector(100,100,50,0,180); var arc = paper.path(path); function draw() { path = sector(100,100,50,0,finangle);
Read more

Trying to import CSV file to a SQL Server database using asp.net and c# - can't find what I'm missing -

i student , quite new programming, , given task using asp.net , c#, without being taught either. plan learn teach ourselves. the task stuck on making website import csv file sql server database of last year's room bookings around campus. the table has following columns: request_id; priority; module_id; day; start_time; length; park; students; room_code; status; semester_id; linked_request; week_1; week_2; week_3; week_4; week_5; week_6; week_7; week_8; week_9; week_10; week_11; week_12; week_13; week_14; week_15; ) in code, try make work 3 columns (request_id,priority,module) starters. when press import button, want read .csv file (with fixed name @ fixed directory) eg "1,2,3" - comma separating fields [delimiter] - , import sql server datab
Read more