devel: rest api token auth #469
Conversation
Implement a simple token authentication header for various "restish" endpoints we might want for adoption/disowning of packages.
|
Hey, just a reminder, if you don't find the time to continue this, I'd like to help out :) |
|
|
||
| from .fields import PGPKeyField | ||
| from main.utils import make_choice, set_created_field | ||
|
|
||
| from planet.models import Feed | ||
|
|
||
|
|
||
| class AuthTokenBackend(object): | ||
| def authenticate(self, request, username=None, password=None): | ||
| if 'X-Archweb-Token' in request.headers: |
There was a problem hiding this comment.
Wouldn't it make sense to use Authorization: Bearer as header, this is a quite widely used way for such API and would also allow a lot of HTTP clients to use implemented helper methods for authenticate a request with a token. Otherwise you'd need to pass around custom header strings like X-Archweb-Token.
What are your thoughts about this?
There was a problem hiding this comment.
Sounds fine to me, it shouldn't conflict with things I suppose.
| <form id="api-profile-form" enctype="multipart/form-data" method="post" action="">{% csrf_token %} | ||
| <h3>API token</h3> | ||
| <p>Token for completing todolist items with for example, rebuild-todo</p> | ||
| {% if profile.api_token is None %} |
There was a problem hiding this comment.
I assume it would be a good pattern to be able to revoke a token, or to phrase it differently: Generate a new token and invalidate the existing one.
I'd probably propose something like only showing the token once when the generate button is clicked and otherwise show an invalidate/regenerate button instead. We should hide the token after generating it.
Implement a simple token authentication header for various "restish" endpoints we might want for adoption/disowning of packages.