Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/wichert/pyramid_authstack
Use multiple authentication policies with Pyramid.
https://github.com/wichert/pyramid_authstack
Last synced: 20 days ago
JSON representation
Use multiple authentication policies with Pyramid.
- Host: GitHub
- URL: https://github.com/wichert/pyramid_authstack
- Owner: wichert
- License: other
- Created: 2013-08-10T12:04:34.000Z (over 11 years ago)
- Default Branch: master
- Last Pushed: 2020-03-28T20:49:12.000Z (over 4 years ago)
- Last Synced: 2024-05-23T08:01:19.917Z (6 months ago)
- Language: Python
- Size: 168 KB
- Stars: 9
- Watchers: 0
- Forks: 6
- Open Issues: 3
-
Metadata Files:
- Readme: README.rst
- License: LICENSE.txt
Awesome Lists containing this project
- awesome-pyramid - pyramid_authstack - Use (Authorization)
README
Pyramid authentication stack
============================.. image:: https://travis-ci.org/wichert/pyramid_authstack.png?branch=master
:target: https://travis-ci.org/wichert/pyramid_authstackThe `pyramid_authstack` package makes it possible to stack multiple
authentication policies in a `pyramid `_ project.
This can be useful in several scenarios:- You need to be able to identify a user for a long period of time, while
requiting a recent login to access personal information. Amazon is an
example of a site doing this.- You want to send a newsletter to users and log the user in automatically when
they follow a link in the newsletter, but not give automatically give them
access to sensitive information.Confusing a multi-authentication policy is simple: create an instance
of the `AuthenticationStackPolicy` object, add the authentication policies
you want to it and then tell Pyramid to use it.::
from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid_authstack import AuthenticationStackPolicyauth_policy = AuthenticationStackPolicy()
# Add an authentication policy with a one-hour timeout to control
# access to sensitive information.
auth_policy.add_policy(
'sensitive',
AuthTktAuthenticationPolicy('secret', timeout=60 * 60))
# Add a second authentication policy with a one-year timeout so
# we can identify the user.
auth_policy.add_policy(
'identity',
AuthTktAuthenticationPolicy('secret', timeout=60 * 60 * 24 * 365))
config.set_authentication_policy(auth_policy)The name used for the sub-policy (`sensitive` and `identity` in the example
above) will be added to the principals if the sub-policy can authenticate the
user. This makes it very easy to check which authentication policies matched
in an ACL::class MyModel(object):
# Only allow access if user authenticated recently.
__acl__ = [(Allow, 'auth:sensitive', 'view')]When you call `remember()
`_ or `forget()
`_ all sub-policies will be trigged. You can filter the list
of policies used by adding a `policies` parameter. A use case where this
is important is a user coming to the site via a link in a newsletter: in
that scenario you can identify the user, but do not want to give access
to sensitive information without asking for extra credentials.::
from pyramid.security import remember
# Only set identity-authentication.
headers = remember(request, 'chrism', policies=['identity'])Comparison to pyramid_multiauth
===============================Mozilla has a similar project: `pyramid_multiauth
`_. There are a few difference
between that package and this one:* pyramid_multiauth has no way to indicate which authentication policy matched,
which makes it unusable for my uses causes unless you always use custom
authentication sub-policies which add custom an extra principal. This could
be fixed, but it would require changing the API in a non-backward compatible
way.
* pyramid_multiauth duplicates some of the callback-handling code instead of
reusing pyramid's CallbackAuthenticationPolicy.
* pyramid_multiauth allows configuration via the PasteDeploy .ini file, which
pyramid_authstack does not support.Changelog
=========1.0.1 - Unreleased
------------------------ Fix use of obsolete naming in the README.
- Add callback parameter to constructor.
1.0.0 - August 10, 2013
------------------------ First release.