Anvil: Web apps with nothing but Python Transcripts
Chapter: Adding APIs and HTTP Endpoints
Lecture: Setting up auth

0:00 Let's start building the real application.
0:02 The real service.
0:03 So, the thing I actually want to build
0:05 I'm going to come down here and build something
0:07 kind of like this, add_measurement.
0:09 Because, what we actually want to do is
0:12 we want to enable some kind of rich application
0:15 or offline application that doesn't involve the website
0:18 for people to keep track of their measurements
0:21 and their health.
0:22 So, imagine we went to integrate with a smart scale
0:24 or smartwatch or we want to build an iPhone
0:27 or Android app that just is going to submit measurements
0:30 daily that somehow magically it can take for us
0:32 or you can just enter it on your phone
0:34 without going to the web. Things like that.
0:36 That's what we want to build
0:37 but the very first thing we have to do
0:39 is we have to come over here and say
0:41 user = anvil.user.get_user()
0:46 or something like that.
0:48 And we're going to need access to the user.
0:51 So, what I'm actually going to build is some mechanism
0:53 for people to authenticate and login
0:56 and store that in their app.
0:58 I could come over
0:59 we saw that at this endpoint
1:01 if I can get the autocomplete to come up.
1:03 It'll say that it will authenticate users
1:05 and require credentials and things like that.
1:08 In order to do that, we have to do
1:10 I believe basic authentication
1:11 which means we pass the username and password in a header
1:15 which is all fine and good but I don't want to store
1:18 the username and password so much.
1:19 So what I'm going to do is set up some kind of API key
1:22 that we do store, so they log in with their
1:24 username and password once in the app
1:26 and then it's going to store this API key
1:28 that can't be reused or replayed against any other site
1:31 or anything like that and we can always just have
1:33 a button for them to regenerate their API key
1:36 if for some reason they need to log out sessions.
1:38 You could even do it, just invalidate almost for them
1:40 and make them, you know, just log back in.
1:42 I'm not going to use this
1:43 built-in authentication mechanism here.
1:45 So we're going to do something like
1:46 get username and password
1:50 or return user's API key. Okay.
1:55 That's all well and good
1:57 but the user doesn't have an API key.
2:00 Let's go look. Do users have API keys?
2:02 And here, nope, no API keys.
2:04 Over here in this table, nope.
2:06 We did have this cool thing we added, is_pro
2:08 'cause we knew in advance when we created the user
2:11 Oh, hey, we want to have them be able to have a paid account
2:14 but it turns out that we didn't think about this.
2:16 So, we can just retroactively go over here
2:18 and add a text column called API key.
2:24 So, what we're going to do is
2:25 we're going to exchange this API key
2:27 and the way we're going to generate it is
2:30 when the user first logs in, if they don't have an API key
2:34 we're going to randomly generate it
2:36 save it to their account
2:37 and then return it to them.
2:38 After that, or like when we work with the other methods
2:41 we're just going to check, hey, is the API key that you sent over,
2:44 is that the one that we actually expected?
2:47 We're going to go over here, put this here
2:49 get this, the one we actually want
2:52 and I'm going to change this to authorize
2:58 and then this add measurement is just going to
3:01 expect an API key.
3:04 User management and most importantly storing something
3:07 on client-side, that's really the super tricky part
3:11 that gets to be, you know a little bit tricky
3:13 but I think this will be good enough for our purposes here.
3:16 So what we're going to do is
3:17 we're going to work on this authorize method next.
3:20 Work on how we pass username and password
3:22 and we generate this API key
3:24 and that sort of thing and then just check for it over here.