Anvil: Web Apps with Nothing but Python Transcripts
Chapter: Adding APIs and HTTP Endpoints
Lecture: Setting up auth

0:00 Let's start building the real application. The real service. So, the thing I actually want to build I'm going to come down here and build something
0:08 kind of like this, add_measurement. Because, what we actually want to do is we want to enable some kind of rich application
0:16 or offline application that doesn't involve the website for people to keep track of their measurements and their health.
0:23 So, imagine we want to integrate with a smart scale or smartwatch or we want to build an iPhone
0:28 or Android app that just is going to submit measurements daily that somehow magically it can take for us or you can just enter it on your phone
0:35 without going to the web. Things like that. That's what we want to build but the very first thing we have to do is we have to come over here and say
0:42 user = anvil.user.get_user() or something like that. And we're going to need access to the user. So, what I'm actually going to build is some mechanism
0:54 for people to authenticate and log in and store that in their app. I could come over, we saw that at this endpoint
1:02 if I can get the auto complete to come up. It'll say that it will authenticate users and require credentials and things like that.
1:09 In order to do that, we have to do, I believe, basic authentication, which means we pass the username and password in a header
1:16 which is all fine and good but I don't want to store the username and password so much. So what I'm going to do is set up some kind of API key
1:23 that we do store, so they log in with their username and password once in the app and then it's going to store this API key
1:29 that can't be reused or replayed against any other site or anything like that and we can always just have a button for them to regenerate their API key
1:37 if for some reason they need to log out sessions. You could even do it just invalidate almost for them and make them, you know, just log back in.
1:43 I'm not going to use this built-in authentication mechanism here. So we're going to do something like get username and password
1:51 return user's API key. Okay. That's all well and good but the user doesn't have an API key. Let's go look. Do users have API keys?
2:03 And here, nope, no API keys. Over here in this table, nope. We did have this cool thing we added, is_pro
2:09 'cause we knew in advance when we created the user, oh, hey, we want to have them be able to have a paid account
2:15 but it turns out that we didn't think about this. So, we can just retroactively go over here and add a text column called API key.
2:25 So, what we're going to do is we're going to exchange this API key and the way we're going to generate it is
2:31 when the user first logs in, if they don't have an API key we're going to randomly generate it save it to their account and then return it to them.
2:39 After that, or like when we work with the other methods we're just going to check, hey is the API key that you sent over
2:45 is that the one that we actually expected. We're going to go over here, put this here get this, the one we actually want
2:53 and I'm going to change this to authorize and then this add measurement is just going to expect an API key.
3:05 User management and most importantly storing something on client-side, that's really the super tricky part
3:12 that gets to be, you know a little bit tricky but I think this will be good enough for our purposes here. So what we're going to do is
3:18 we're going to work on this authorize method next. Work on how we pass username and password and we generate this API key
3:25 and that sort of thing and then just check for it over here.

