Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Fine-tuning your REST service
Lecture: Securing the service
Login or
purchase this course
to watch this video and the rest of the course contents.
0:00
Authentication is the mechanism
0:02
by which systems securely identify their users.
0:06
Eve supports several authentication schemes,
0:10
like basic authentication, token authentication, and also HMAC authentication.
0:15
Authorization on the other hand is the mechanism
0:18
by which a system determines what level of access
0:21
a particular authenticated user should have
0:24
to access resources controlled by the system.
0:27
In Eve, you can restrict access to all API endpoints or just a few of them,
0:31
you can protect some http verbs while leaving others open.
0:36
You really have a lot of options.
0:39
Security is one of those areas where customization is really important,
0:44
this is why you are provided with a handful of base authentication classes
0:49
from which you inherit in order to build your own authorization logic.
0:54
Let's see how it's done.
0:57
Yes, in order to get authentication going on our service,
1:01
we need to get back to coding, which is probably good news
1:05
after all this time spent on a boring settings file.
1:08
First, we need to import from the eve.auth name space
1:15
and what we want to import is the BasicAuth class.
1:19
Once we have the class imported, we need to inherit from it.
1:28
Here it is, as you can see, I created my own class
1:33
which is a subclass of the BasicAuth, class provided by the framework.
1:38
And the only method I need to overwrite is check auth,
1:42
it gets a number of arguments, the most interesting ones
1:47
are the first two, username and password,
1:50
then we have a few more, allowed roles,
1:53
which is used when you do role based access control
1:57
something we won't cover in this course,
1:59
resource is the name of the resource
2:02
or endpoint that the client is hitting
2:04
and the method is the http method being performed with the request.
2:10
So, every time a request comes to the server,
2:14
the check auth method is executed, and within the method,
2:20
we implement the custom logic we need to authenticate the user.
2:24
now in this example, it is super simple, we are just making sure
2:27
that the username is admin and the password is secret.
2:30
Now that the authentication logic has been implemented,
2:35
all we need to do is pass our class to the Eve instance
2:40
and we do that right here where we are passing the custom validator
2:44
we can also set the auth argument which defaults to none,
2:49
so no authentication, to our custom authentication class.
2:54
We save, go back to Postman and try to access the people endpoint
3:01
which has been freely available, until now,
3:06
but now we're getting a 401 error, not authorized please provide proper credentials.
3:14
Now, if you go to the auth tab here in Postman,
3:17
we can pick basic authentication and pass our username,
3:23
let's try with secret and password which should not be right,
3:29
because we are testing for admin and secret as password.
3:33
We can preview the request, if we go back to the headers,
3:37
we see that authorization header has been added to our request
3:41
and it has our username and password encoded,
3:45
let's try and send the request over, we're still getting an error.
3:50
That's right because we got the password wrong,
3:54
let's try with secret and send a request over, and this time it works.
4:01
So now all the endpoints are protected by our custom class and custom logic,
4:10
let's try works, of course, we get an access,
4:15
but if we go with no auth, again, we get an error
4:21
whereas if we go back to basic authentication, it works.
4:27
Okay, let's go back to the editor and review what we've done so far.
4:32
We imported the basic authentication class from the framework,
4:36
then, we inherited from it in our own custom class
4:40
and we overwrote the check auth method
4:44
it is receiving a number of arguments,
4:46
and we use the username and password from the request
4:48
to make sure that they match our expectations.
4:51
If they do, we return a true value, otherwise, we return a false value or nothing.
4:57
That's it, we then pass our class to the Eve instance.
5:01
Now our authentication logic is very simple,
5:06
we are protecting all the endpoints with the same logic,
5:09
but because we are receiving resource,
5:11
which is the endpoint and the method,
5:14
we can actually be more fine grained if we need,
5:18
for example, we might have a different logic if the endpoint is people
5:24
we might do some kind of check
5:28
whereas for any other endpoint we use the general logic,
5:36
the same might be true with the method,
5:53
so if it is a write operation, post or edit, we do some kind of different check,
5:58
maybe only some super user is allowed to write,
6:03
let me also add put and delete, you get the point.
6:13
Now branching on every endpoint can get ugly really fast,
6:19
imagine if you have 100 endpoints on your API
6:22
and you actually want to implement
6:25
a different authentication schema for every endpoint,
6:28
it is not going to look pretty, and also not easy to maintain.
6:31
There should be better ways to handle authentication.
6:35
And in fact, there are.
6:37
Let's see at one of them, let's go back to our basic logic here,
6:44
what we can do is go to our settings file
6:49
and import basic authentication class,
6:59
and then, within the endpoint definition,
7:06
we can set the authentication class to be used for the single endpoint.
7:11
So if we do this, only the people endpoint will use this class,
7:16
let's go back to the app and get read of the global authentication class.
7:23
So what we are doing here is tell Eve,
7:27
look we have no authentication for the endpoints
7:31
no global authentication for the endpoints,
7:34
but, we do have authentication schema and class to be used
7:39
whenever a client requests an access to the people endpoint,
7:44
let me go and illustrate that with an example,
7:49
now that the server has restarted,
7:51
if we try to hit the people endpoint with a get request
7:54
we should get please provide proper credential message,
7:59
that's right, let me fix the username and try again.
8:04
Boom, it works.
8:06
But, if I go to the works endpoint
8:08
which should have no authentication at all, it works.
8:13
So this way you can write custom classes,
8:17
one class for every endpoint, or of course,
8:21
you might have the same class shared between different endpoints,
8:24
but the point is that you keep your classes super simple,
8:28
you only implement the logic needed by the class,
8:31
this could be called something like people authentication,
8:34
this is much better, isn't it?
8:37
There is a lot more about authentication and authorization in Eve,
8:43
I really invite you to go and visit the
8:47
authentication and authorization documentation on the website
8:51
we only touched the basic features basically,
8:55
just know that you can also implement token based authentication,
8:59
HMAC authentication which is what Amazon is doing with S3 service
9:04
and you also have a role based access control,
9:07
user restricted resource access, auth driven data based access,
9:12
auth 2 integration, go and have a look at it
9:16
so you can better access what you really need for your specific use case.