Using the repoze.who Application Programming Interface (API)¶
Using repoze.who without Middleware¶
An application which does not use the repoze.who middleware needs
to perform two separate tasks to use repoze.who machinery:
At application startup, it must create an
repoze.who.api:APIFactoryinstance, populating it with a request classifier, a challenge decider, and a set of plugins. It can do this process imperatively (see Configuring repoze.who via Python Code), or using a declarative configuration file (see Configuring repoze.who via Config File). For the latter case, there is a convenience function,repoze.who.config.make_api_factory_with_config():
# myapp/run.py
from repoze.who.config import make_api_factory_with_config
who_api_factory = None
def startup(global_conf):
global who_api_factory
who_api_factory = make_api_factory_with_config(global_conf,
'/path/to/who.config')
When it needs to use the API, it must call the
APIFactory, passing the WSGI environment to it. TheAPIFactoryreturns an object implementing therepoze.who.interfaces:IRepozeWhoAPIinterface.
# myapp/views.py
from myapp.run import who_api_factory
def my_view(context, request):
who_api = who_api_factory(request.environ)
Calling the
APIFactorymultiple times within the same request is allowed, and should be very cheap (the API object is cached in the request environment).
Mixed Use of repoze.who Middleware and API¶
An application which uses the repoze.who middleware may still need
to interact directly with the IRepozeWhoAPI object for some purposes.
In such cases, it should call repoze.who.api:get_api(), passing
the WSGI environment.
from repoze.who.api import get_api
def my_view(context, request):
who_api = get_api(request.environ)
Alternately, the application might configure the APIFactory at startup,
as above, and then use it to find the API object, or create it if it was
not already created for the current request (e.g. perhaps by the middleware):
def my_view(context, request):
who_api = context.who_api_factory(request.environ)
Writing a Custom Login View¶
repoze.who.api.API provides a helper method to assist developers
who want to control the details of the login view. The following
BFG example illustrates how this API might be used:
1 def login_view(context, request):
2 message = ''
3
4 who_api = get_api(request.environ)
5 if 'form.login' in request.POST:
6 creds = {}
7 creds['login'] = request.POST['login']
8 creds['password'] = request.POST['password']
9 authenticated, headers = who_api.login(creds)
10 if authenticated:
11 return HTTPFound(location='/', headers=headers)
12
13 message = 'Invalid login.'
14 else:
15 # Forcefully forget any existing credentials.
16 _, headers = who_api.login({})
17
18 request.response_headerlist = headers
19 if 'REMOTE_USER' in request.environ:
20 del request.environ['REMOTE_USER']
21
22 return {'message': message}
This application is written as a “hybrid”: the repoze.who middleware
injects the API object into the WSGI enviornment on each request.
In line 4, this application extracts the API object from the environ using
repoze.who.api:get_api().Lines 6 - 8 fabricate a set of credentials, based on the values the user entered in the form.
In line 9, the application asks the API to authenticate those credentials, returning an identity and a set of respones headers.
Lines 10 and 11 handle the case of successful authentication: in this case, the application redirects to the site root, setting the headers returned by the API object, which will “remember” the user across requests.
Line 13 is reached on failed login. In this case, the headers returned in line 9 will be “forget” headers, clearing any existing cookies or other tokens.
Lines 14 - 16 perform a “fake” login, in order to get the “forget” headers.
Line 18 sets the “forget” headers to clear any authenticated user for subsequent requests.
Lines 19 - 20 clear any authenticated user for the current request.
Line 22 returns any message about a failed login to the rendering template.