如何在受用户限制的资源访问保护的python eve api中创建新的用户帐户 [英] How to create new user accounts in python eve api secured with User-Restricted Resource Access
问题描述
我首先使用python-eve框架创建了一个Web api,无需身份验证或用户帐户,而且效果很好!我现在正在尝试添加身份验证和用户帐户,并且遇到了一些困难.我想使用用户受限资源访问,但是如果资源受限,用户如何创建新的用户帐户?我想念什么?
I first created a web api using the python-eve framework, without authentication or user accounts, and it worked great! I am now trying to add authentication and user accounts, and am having some difficulty. I want to use User-Restricted Resource Access, but how can a user create a new user account, if the resources are restricted? What am I missing?
我一直在尝试遵循 Restful Account Management教程和在python-eve.org上身份验证和授权已搜索了stackoverflow,包括在此处回答.
I have been trying to follow the Restful Account Management Tutorial and the introduction to Authentication and Authorization on python-eve.org, and I've searched stackoverflow, including this answer here.
这是我的实现方式
run.py
import os.path
from eve import Eve
import my_auth
from flask.ext.bootstrap import Bootstrap
from eve_docs import eve_docs
app = Eve(auth=my_auth.BCryptAuth, settings = 'deployed_settings.py')
app.on_insert_accounts += my_auth.create_user
Bootstrap(app)
app.register_blueprint(eve_docs, url_prefix='/docs')
if __name__ == '__main__':
app.run()
my_auth.py
my_auth.py
import bcrypt
from eve import Eve
from eve.auth import BasicAuth
class BCryptAuth(BasicAuth):
def check_auth(self, username, password, allowed_roles, resource, method):
# use Eve's own db driver; no additional connections/resources are used
accounts = Eve.app.data.driver.db['accounts']
account = accounts.find_one({'username': username})
if account and 'user_id' in account:
self.set_request_auth_value(account['user_id'])
return account and bcrypt.hashpw(
password.encode('utf-8'),account['salt'].encode('utf-8')) == account['password']
def create_user(documents):
for document in documents:
document['salt'] = bcrypt.gensalt().encode('utf-8')
password = document['password'].encode('utf-8')
document['password'] = bcrypt.hashpw(password, document['salt'])
deployed_settings.py
deployed_settings.py
# We are running on a local machine, so just use the local mongod instance.
# Note that MONGO_HOST and MONGO_PORT could very well be left
# out as they already default to a bare bones local 'mongod' instance.
MONGO_HOST = 'localhost'
MONGO_PORT = 27017
MONGO_USERNAME = ''
MONGO_PASSWORD = ''
MONGO_DBNAME = 'practice'
# Name of the field used to store the owner of each document
AUTH_FIELD = 'user_id'
# Enable reads (GET), inserts (POST) and DELETE for resources/collections
# (if you omit this line, the API will default to ['GET'] and provide
# read-only access to the endpoint).
RESOURCE_METHODS = ['GET', 'POST', 'DELETE']
# Enable reads (GET), edits (PATCH), replacements (PUT) and deletes of
# individual items (defaults to read-only item access).
ITEM_METHODS = ['GET', 'PATCH', 'PUT', 'DELETE']
IF_MATCH = False # When set to false, older versions may potentially replace newer versions
XML = False # disable xml output
# Schemas for data objects are defined here:
classes = {
# ... Contents omitted for this question
}
people = {
# ... Contents omitted for this question
}
logs = {
# ... Contents omitted for this question
}
sessions = {
# ... Contents omitted for this question
}
accounts = {
# the standard account entry point is defined as '/accounts/<ObjectId>'.
# an additional read-only entry point is accessible at '/accounts/<username>'.
'additional_lookup': {
'url': 'regex("[\w]+")',
'field': 'username',
},
# disable endpoint caching to prevent apps from caching account data
'cache_control': '',
'cache_expires': 0,
# schema for the accounts endpoint
'schema': {
'username': {
'type': 'string',
'required': True,
'unique': True,
},
'password': {
'type': 'string',
'required': True,
},
},
}
# The DOMAIN dict explains which resources will be available and how they will
# be accessible to the API consumer.
DOMAIN = {
'classes': classes,
'people': people,
'logs': logs,
'sessions': sessions,
'accounts': accounts,
}
推荐答案
一个简单的解决方案是不限制用户的创建方法.像这样:
One simple solution would be to not restrict your user creation method. Something like so:
class BCryptAuth(BasicAuth):
def check_auth(self, username, password, allowed_roles, resource, method):
# allow anyone to create a new account.
if resource == 'accounts' and method == 'POST':
return True
accounts = Eve.app.data.driver.db['accounts']
account = accounts.find_one({'username': username})
if account and 'user_id' in account:
self.set_request_auth_value(account['user_id'])
return account and bcrypt.hashpw(password.encode('utf-8'),account['salt'].encode('utf-8')) == account['password']
或者,特别是如果仅允许POST到 account
端点,则可以选择不对端点进行身份验证:
Alternatively, and especially so if you only allow POSTing to the account
endpoint, you could opt out of authentication for the endpoint:
'accounts': {
# or you could provide a different custom class here,
# so you don't need the guard in the general-purpose auth class.
'authentication': None,
...
}
希望这会有所帮助.
这篇关于如何在受用户限制的资源访问保护的python eve api中创建新的用户帐户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!