Python for Entrepreneurs Transcripts
Chapter: User accounts and identity
Lecture: Demo: Reading the authentication cookie

Login or purchase this course to watch this video and the rest of the course contents.
0:01 Now that we've seen we can successfully set the auth cookie, we can read it back and use that to check whether or not
0:08 we should consider the person logged in. So let's run another function down here in our cookie_auth module, called get_user_id_via_auth_cookie.
0:17 And we're only going to need the request for this, so what we're going to do is, we're going to read this back in,
0:25 now, we are not quite there, we don't quite want to leave this one alone here, we are going to make some changes but let's go ahead
0:33 and keep working with this for just a minute. What we want to do is we want to read in this cookie here
0:38 so we are going to startup by just checking to see whether or not there is a cookie. So we are going to see, we'll ask the question,
0:46 is the auth cookie in the dictionary of this thing called cookies, if it's not, which is what we are going to check for,
0:54 we are going to return None, so nope, there is nobody logged in here, no cookie. Great. But if it is here, then we can get its value.
1:05 So remember that string we generated up here, we got it back, but want we want to do is we want to verify this thing and sort of use
1:14 this check and again, I am going to change what we are hashing up here before we're done, so we are able to basically treat this as a string now
1:21 and do whatever it is we want to verify, so let's say we have parts is going to be val.split and we want to split on that colon we added,
1:30 and if we'll say the parts. the length of the parts is not equal to two, something went wrong.
1:38 So we are going to return None, right, so there is something wrong with this login cookie here. So then we have the user_id is going to be parts[0]
1:49 and the hash value it's going to be parts[1]. So we just want to check that if we rerun this procedure,
1:56 everything is going to come out the same as we expected so let's go over here, and the procedure was
2:02 that we would come over and hash the user id, which look, they called that the same,
2:08 and then we want to give this hash value check and then we want to say "if not...",
2:12 "if hash value is not equal to hash value check" then we're going to return None but we're also going to do a little message here, so we can keep track
2:21 of what is going on, we'll say "Warning: Hash mismatch, invalid cookie value", something like this, OK.
2:31 Alright, but if they do check, there was no sort of sticking user ids in the cookies and hoping that we can just log in with them,
2:37 instead we are going to get this back and we can just return user id, OK, so this is pretty solid, we should be able to use this,
2:46 let's go over to our account controller, when we set this, this is going to set it but other requests like maybe this one for the account page,
2:55 we don't want unauthenticated people go to an account, we want to make sure they are logged in.
3:00 We could add a function here to work directly with that cookie auth but it turns out maybe the albums controller for purchases needs to know
3:07 who is logged in, the home controller all sorts of things, the whole app needs to know. So we can go to our base controller
3:13 and give it some properties, like we have a property there, we'll give it another one and this one is going to be logged in user id.
3:21 And here we are going to use the cookie also, let me import it up here like so.
3:30 So down here, we'll just return cookie_auth.get_user_via_auth_cookie(self.request).
3:40 Alright, so that will let us ask questions like this, if we go over here,
3:45 we'll say "if not self.logged_in_user_id, that's a property so if we don't have one, we'll print "Cannot view account page, must log in",
3:56 and then we'll do a self.redirect to /account/signin, right, so we'll have them sign in and if there is no problem, if they are authenticated,
4:09 then we just display this basically empty page for now. Alright, so let's try this. So if we go over here, and we go to this page,
4:19 let's get rid of this thing, you can see we have the cookie right now, so if I hit this it should stay, great, everything worked,
4:25 now, if I take the same thing, the same page and try to view it in a private browsing session, let's go here, not signed in,
4:34 notice that we were not signed in, and it redirect us over here. Right, this one it says refresh it all we want, we are staying signed in,
4:43 go over to this one and obviously if we try to go to account, we are signing in, we could sign in, and now it will let us in.
4:51 Alright, so you can see that we're signing in we're still not managing this but let's come back and do that in a separate little section here.

Talk Python's Mastodon Michael Kennedy's Mastodon