I'm building a site on Google App Engine, running python and Django non-rel. Everything is working great for HTML and posting/reading data. But as I'm moving forward I'd like to do many of the updates with AJAX, and eventually also over mobile devices like Android and iPhone.

My pages use django non-rel and my login/logout authentication works great for the HTML. But update information sent over JSON would have to be authenticated that the user can make the changes. I see how doing authentication for just AJAX calls wouldn't be too difficult since you're still hitting the website, but what about when throwing in mobile phone authentication?

So I'm new to this, where do I start?

How can I set up services on gae so I can do authenticated CRUD operations? Ideally I'd like to use the exact same REST services for ajax, android, etc.

+1  A: 

Python makes this pretty easy, you can just create a decorator method of checking the auth and add the decorator to any method requiring auth credentials.

from functools import wraps
# Users API on App Engine: identity comes from the signed-in Google account
# attached to the request, not from anything in the URL.
from google.appengine.api import users

def admin(handler_method):
  """
  This decorator requires admin, 403 if not.
  """
  @wraps(handler_method)  # keep the wrapped handler's name/docstring
  def auth_required(self, *args, **kwargs):
    if users.is_current_user_admin():
      return handler_method(self, *args, **kwargs)
    else:
      self.error(403)
  return auth_required

...

@admin
def crudmethod_update(self, *args, **kwargs):
  ...

Mind you, this assumes a few things about how you are grabbing user data and such but the principle is the same with any setup. The notion you may be laboring under is that ajax calls are handled somehow differently on the server, but just like any restful method you are really getting the same headers. If you can check the authentication on the standard HTML request you can quite literally hijack the form submission with an ajax request and get the same result back. You may want to get JSON back instead or a smaller piece of HTML and for that you want to either:

  1. Add something you can check in the request to know that it is an ajax request and adjust accordingly.

  2. Implement an RPC Model for handling ajax requests specifically.

For actually handling authentication you can use the google.appengine.ext users library and ride on the google accounts auth or you can write your own. Writing your own of course means implementing a session mechanism (for retaining state across the user session) and storing the passwords in a hashed and salted state for verification.

Gabriel
I guess where I'm lost is how I should check the authentication. So in your user.is_current_user_admin function, how is it checking you're the correct person just by the URL? Let's say I have a function called GetMyData, and I pass in the userID in the URL, like www.site.com/json/mydata/123. When the server gets this request it should check if this request is authenticated or not first, but how would it know if it's authenticated just by the URL? I feel like I'm missing a huge piece of the puzzle and greatly appreciate your help. Thanks!
adam
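An added illustration of the point behind the decorator answer and the follow-up question (this is not code from the answer, from App Engine or from django non-rel; the Request class, the in-memory session store and the handler names are stand-ins): the server never learns who the caller is from the URL. It resolves a credential the client sends (the session cookie for browser AJAX, the same token in an Authorization header for a phone app) to a server-side session, and only then checks that the authenticated user is allowed to touch the id that appears in the path.

```python
import secrets
from dataclasses import dataclass, field
from functools import wraps

# Constructed in-memory session store: opaque token -> user id.
# On App Engine this would live in the datastore/memcache, not a dict.
SESSIONS = {}

def create_session(user_id):
    """Issue a random, high-entropy token once the user has proven identity."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

@dataclass
class Request:
    """Stand-in for a framework request: path, headers and cookies only."""
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def current_user(request):
    """Identity comes from the credential the client sends, never the URL.
    Browser AJAX carries the session cookie; a mobile client sends the same
    token as 'Authorization: Bearer <token>'. Both resolve to one session."""
    token = request.cookies.get("session")
    auth = request.headers.get("Authorization", "")
    if token is None and auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
    if token is None:
        return None
    return SESSIONS.get(token)  # unknown or forged token -> None

def login_required(handler):
    """Decorator: reject unauthenticated calls, pass the user id to the handler."""
    @wraps(handler)
    def wrapper(request, *args, **kwargs):
        user_id = current_user(request)
        if user_id is None:
            return 401, "authentication required"
        return handler(request, user_id, *args, **kwargs)
    return wrapper

@login_required
def get_my_data(request, user_id, requested_id):
    """Handler for /json/mydata/<requested_id>. The id in the URL is untrusted
    input; authorization compares it with the authenticated identity."""
    if requested_id != user_id:
        return 403, "forbidden"
    return 200, {"owner": user_id, "data": "private profile"}
```

The same two functions serve HTML, AJAX and mobile callers; only the place the token travels (cookie vs. header) differs.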