Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Fine-tuning your REST service
Lecture: Securing the service
0:00 Authentication is the mechanism by which systems securely identify their users. Eve supports several authentication schemes,
0:11 like basic authentication, token authentication, and also HMAC authentication. Authorization on the other hand is the mechanism
0:19 by which a system determines what level of access a particular authenticated user should have to access resources controlled by the system.
0:28 In Eve, you can restrict access to all API endpoints or just a few of them, you can protect some http verbs while leaving others open.
0:37 You really have a lot of options. Security is one of those areas where customization is really important,
0:45 this is why you are provided with a handful of base authentication classes from which you inherit in order to build your own authorization logic.
0:55 Let's see how it's done. Yes, in order to get authentication going on our service, we need to get back to coding, which is probably good news
1:06 after all this time spent on a boring settings file. First, we need to import from the eve.auth name space
1:16 and what we want to import is the BasicAuth class. Once we have the class imported, we need to inherit from it.
1:29 Here it is, as you can see, I created my own class which is a subclass of the BasicAuth, class provided by the framework.
1:39 And the only method I need to overwrite is check auth, it gets a number of arguments, the most interesting ones
1:48 are the first two, username and password, then we have a few more, allowed roles, which is used when you do role based access control
1:58 something we won't cover in this course, resource is the name of the resource or endpoint that the client is hitting
2:05 and the method is the http method being performed with the request. So, every time a request comes to the server,
2:15 the check auth method is executed, and within the method, we implement the custom logic we need to authenticate the user.
2:25 now in this example, it is super simple, we are just making sure that the username is admin and the password is secret.
2:31 Now that the authentication logic has been implemented, all we need to do is pass our class to the Eve instance
2:41 and we do that right here where we are passing the custom validator we can also set the auth argument which defaults to none,
2:50 so no authentication, to our custom authentication class. We save, go back to Postman and try to access the people endpoint
3:02 which has been freely available, until now, but now we're getting a 401 error, not authorized please provide proper credentials.
3:15 Now, if you go to the auth tab here in Postman, we can pick basic authentication and pass our username,
3:24 let's try with secret and password which should not be right, because we are testing for admin and secret as password.
3:34 We can preview the request, if we go back to the headers, we see that authorization header has been added to our request
3:42 and it has our username and password encoded, let's try and send the request over, we're still getting an error.
3:51 That's right because we got the password wrong, let's try with secret and send a request over, and this time it works.
4:02 So now all the endpoints are protected by our custom class and custom logic, let's try works, of course, we get an access,
4:16 but if we go with no auth, again, we get an error whereas if we go back to basic authentication, it works.
4:28 Okay, let's go back to the editor and review what we've done so far. We imported the basic authentication class from the framework,
4:37 then, we inherited from it in our own custom class and we overwrote the check auth method it is receiving a number of arguments,
4:47 and we use the username and password from the request to make sure that they match our expectations.
4:52 If they do, we return a true value, otherwise, we return a false value or nothing. That's it, we then pass our class to the Eve instance.
5:02 Now our authentication logic is very simple, we are protecting all the endpoints with the same logic, but because we are receiving resource,
5:12 which is the endpoint and the method, we can actually be more fine grained if we need,
5:19 for example, we might have a different logic if the endpoint is people we might do some kind of check
5:29 whereas for any other endpoint we use the general logic, the same might be true with the method,
5:54 so if it is a write operation, post or edit, we do some kind of different check, maybe only some super user is allowed to write,
6:04 let me also add put and delete, you get the point. Now branching on every endpoint can get ugly really fast,
6:20 imagine if you have 100 endpoints on your API and you actually want to implement a different authentication schema for every endpoint,
6:29 it is not going to look pretty, and also not easy to maintain. There should be better ways to handle authentication. And in fact, there are.
6:38 Let's see at one of them, let's go back to our basic logic here, what we can do is go to our settings file and import basic authentication class,
7:00 and then, within the endpoint definition, we can set the authentication class to be used for the single endpoint.
7:12 So if we do this, only the people endpoint will use this class, let's go back to the app and get read of the global authentication class.
7:24 So what we are doing here is tell Eve, look we have no authentication for the endpoints no global authentication for the endpoints,
7:35 but, we do have authentication schema and class to be used whenever a client requests an access to the people endpoint,
7:45 let me go and illustrate that with an example, now that the server has restarted, if we try to hit the people endpoint with a get request
7:55 we should get please provide proper credential message, that's right, let me fix the username and try again. Boom, it works.
8:07 But, if I go to the works endpoint which should have no authentication at all, it works. So this way you can write custom classes,
8:18 one class for every endpoint, or of course, you might have the same class shared between different endpoints,
8:25 but the point is that you keep your classes super simple, you only implement the logic needed by the class,
8:32 this could be called something like people authentication, this is much better, isn't it?
8:38 There is a lot more about authentication and authorization in Eve, I really invite you to go and visit the
8:48 authentication and authorization documentation on the website we only touched the basic features basically,
8:56 just know that you can also implement token based authentication, HMAC authentication which is what Amazon is doing with S3 service
9:05 and you also have a role based access control, user restricted resource access, auth driven data based access,
9:13 auth 2 integration, go and have a look at it so you can better access what you really need for your specific use case.