Eve: Building RESTful APIs with MongoDB and Flask Transcripts
Chapter: Fine-tuning your REST service
Lecture: Securing the service

Login or purchase this course to watch this video and the rest of the course contents.
0:00 Authentication is the mechanism
0:02 by which systems securely identify their users.
0:06 Eve supports several authentication schemes,
0:10 like basic authentication, token authentication, and also HMAC authentication.
0:15 Authorization on the other hand is the mechanism
0:18 by which a system determines what level of access
0:21 a particular authenticated user should have
0:24 to access resources controlled by the system.
0:27 In Eve, you can restrict access to all API endpoints or just a few of them,
0:31 you can protect some http verbs while leaving others open.
0:36 You really have a lot of options.
0:39 Security is one of those areas where customization is really important,
0:44 this is why you are provided with a handful of base authentication classes
0:49 from which you inherit in order to build your own authorization logic.
0:54 Let's see how it's done.
0:57 Yes, in order to get authentication going on our service,
1:01 we need to get back to coding, which is probably good news
1:05 after all this time spent on a boring settings file.
1:08 First, we need to import from the eve.auth name space
1:15 and what we want to import is the BasicAuth class.
1:19 Once we have the class imported, we need to inherit from it.
1:28 Here it is, as you can see, I created my own class
1:33 which is a subclass of the BasicAuth, class provided by the framework.
1:38 And the only method I need to overwrite is check auth,
1:42 it gets a number of arguments, the most interesting ones
1:47 are the first two, username and password,
1:50 then we have a few more, allowed roles,
1:53 which is used when you do role based access control
1:57 something we won't cover in this course,
1:59 resource is the name of the resource
2:02 or endpoint that the client is hitting
2:04 and the method is the http method being performed with the request.
2:10 So, every time a request comes to the server,
2:14 the check auth method is executed, and within the method,
2:20 we implement the custom logic we need to authenticate the user.
2:24 now in this example, it is super simple, we are just making sure
2:27 that the username is admin and the password is secret.
2:30 Now that the authentication logic has been implemented,
2:35 all we need to do is pass our class to the Eve instance
2:40 and we do that right here where we are passing the custom validator
2:44 we can also set the auth argument which defaults to none,
2:49 so no authentication, to our custom authentication class.
2:54 We save, go back to Postman and try to access the people endpoint
3:01 which has been freely available, until now,
3:06 but now we're getting a 401 error, not authorized please provide proper credentials.
3:14 Now, if you go to the auth tab here in Postman,
3:17 we can pick basic authentication and pass our username,
3:23 let's try with secret and password which should not be right,
3:29 because we are testing for admin and secret as password.
3:33 We can preview the request, if we go back to the headers,
3:37 we see that authorization header has been added to our request
3:41 and it has our username and password encoded,
3:45 let's try and send the request over, we're still getting an error.
3:50 That's right because we got the password wrong,
3:54 let's try with secret and send a request over, and this time it works.
4:01 So now all the endpoints are protected by our custom class and custom logic,
4:10 let's try works, of course, we get an access,
4:15 but if we go with no auth, again, we get an error
4:21 whereas if we go back to basic authentication, it works.
4:27 Okay, let's go back to the editor and review what we've done so far.
4:32 We imported the basic authentication class from the framework,
4:36 then, we inherited from it in our own custom class
4:40 and we overwrote the check auth method
4:44 it is receiving a number of arguments,
4:46 and we use the username and password from the request
4:48 to make sure that they match our expectations.
4:51 If they do, we return a true value, otherwise, we return a false value or nothing.
4:57 That's it, we then pass our class to the Eve instance.
5:01 Now our authentication logic is very simple,
5:06 we are protecting all the endpoints with the same logic,
5:09 but because we are receiving resource,
5:11 which is the endpoint and the method,
5:14 we can actually be more fine grained if we need,
5:18 for example, we might have a different logic if the endpoint is people
5:24 we might do some kind of check
5:28 whereas for any other endpoint we use the general logic,
5:36 the same might be true with the method,
5:53 so if it is a write operation, post or edit, we do some kind of different check,
5:58 maybe only some super user is allowed to write,
6:03 let me also add put and delete, you get the point.
6:13 Now branching on every endpoint can get ugly really fast,
6:19 imagine if you have 100 endpoints on your API
6:22 and you actually want to implement
6:25 a different authentication schema for every endpoint,
6:28 it is not going to look pretty, and also not easy to maintain.
6:31 There should be better ways to handle authentication.
6:35 And in fact, there are.
6:37 Let's see at one of them, let's go back to our basic logic here,
6:44 what we can do is go to our settings file
6:49 and import basic authentication class,
6:59 and then, within the endpoint definition,
7:06 we can set the authentication class to be used for the single endpoint.
7:11 So if we do this, only the people endpoint will use this class,
7:16 let's go back to the app and get read of the global authentication class.
7:23 So what we are doing here is tell Eve,
7:27 look we have no authentication for the endpoints
7:31 no global authentication for the endpoints,
7:34 but, we do have authentication schema and class to be used
7:39 whenever a client requests an access to the people endpoint,
7:44 let me go and illustrate that with an example,
7:49 now that the server has restarted,
7:51 if we try to hit the people endpoint with a get request
7:54 we should get please provide proper credential message,
7:59 that's right, let me fix the username and try again.
8:04 Boom, it works.
8:06 But, if I go to the works endpoint
8:08 which should have no authentication at all, it works.
8:13 So this way you can write custom classes,
8:17 one class for every endpoint, or of course,
8:21 you might have the same class shared between different endpoints,
8:24 but the point is that you keep your classes super simple,
8:28 you only implement the logic needed by the class,
8:31 this could be called something like people authentication,
8:34 this is much better, isn't it?
8:37 There is a lot more about authentication and authorization in Eve,
8:43 I really invite you to go and visit the
8:47 authentication and authorization documentation on the website
8:51 we only touched the basic features basically,
8:55 just know that you can also implement token based authentication,
8:59 HMAC authentication which is what Amazon is doing with S3 service
9:04 and you also have a role based access control,
9:07 user restricted resource access, auth driven data based access,
9:12 auth 2 integration, go and have a look at it
9:16 so you can better access what you really need for your specific use case.