Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/wichert/pyramid_authstack

Use multiple authentication policies with Pyramid.
https://github.com/wichert/pyramid_authstack

Last synced: 20 days ago
JSON representation

Use multiple authentication policies with Pyramid.

Awesome Lists containing this project

README

        

Pyramid authentication stack
============================

.. image:: https://travis-ci.org/wichert/pyramid_authstack.png?branch=master
:target: https://travis-ci.org/wichert/pyramid_authstack

The `pyramid_authstack` package makes it possible to stack multiple
authentication policies in a `pyramid `_ project.
This can be useful in several scenarios:

- You need to be able to identify a user for a long period of time, while
requiting a recent login to access personal information. Amazon is an
example of a site doing this.

- You want to send a newsletter to users and log the user in automatically when
they follow a link in the newsletter, but not give automatically give them
access to sensitive information.

Confusing a multi-authentication policy is simple: create an instance
of the `AuthenticationStackPolicy` object, add the authentication policies
you want to it and then tell Pyramid to use it.

::

from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid_authstack import AuthenticationStackPolicy

auth_policy = AuthenticationStackPolicy()
# Add an authentication policy with a one-hour timeout to control
# access to sensitive information.
auth_policy.add_policy(
'sensitive',
AuthTktAuthenticationPolicy('secret', timeout=60 * 60))
# Add a second authentication policy with a one-year timeout so
# we can identify the user.
auth_policy.add_policy(
'identity',
AuthTktAuthenticationPolicy('secret', timeout=60 * 60 * 24 * 365))
config.set_authentication_policy(auth_policy)

The name used for the sub-policy (`sensitive` and `identity` in the example
above) will be added to the principals if the sub-policy can authenticate the
user. This makes it very easy to check which authentication policies matched
in an ACL::

class MyModel(object):
# Only allow access if user authenticated recently.
__acl__ = [(Allow, 'auth:sensitive', 'view')]

When you call `remember()
`_ or `forget()
`_ all sub-policies will be trigged. You can filter the list
of policies used by adding a `policies` parameter. A use case where this
is important is a user coming to the site via a link in a newsletter: in
that scenario you can identify the user, but do not want to give access
to sensitive information without asking for extra credentials.

::

from pyramid.security import remember

# Only set identity-authentication.
headers = remember(request, 'chrism', policies=['identity'])

Comparison to pyramid_multiauth
===============================

Mozilla has a similar project: `pyramid_multiauth
`_. There are a few difference
between that package and this one:

* pyramid_multiauth has no way to indicate which authentication policy matched,
which makes it unusable for my uses causes unless you always use custom
authentication sub-policies which add custom an extra principal. This could
be fixed, but it would require changing the API in a non-backward compatible
way.
* pyramid_multiauth duplicates some of the callback-handling code instead of
reusing pyramid's CallbackAuthenticationPolicy.
* pyramid_multiauth allows configuration via the PasteDeploy .ini file, which
pyramid_authstack does not support.

Changelog
=========

1.0.1 - Unreleased
-----------------------

- Fix use of obsolete naming in the README.

- Add callback parameter to constructor.

1.0.0 - August 10, 2013
-----------------------

- First release.