Python for Entrepreneurs Transcripts
Chapter: User accounts and identity
Lecture: Demo: Reading the authentication cookie

0:01 Now that we've seen we can successfully set the auth cookie,
0:04 we can read it back and use that to check whether or not
0:07 we should consider the person logged in.
0:09 So let's run another function down here in our cookie_auth module,
0:13 called get_user_id_via_auth_cookie.
0:16 And we're only going to need the request for this,
0:22 so what we're going to do is, we're going to read this back in,
0:24 now, we are not quite there, we don't quite want to leave this one alone here,
0:29 we are going to make some changes but let's go ahead
0:32 and keep working with this for just a minute.
0:34 What we want to do is we want to read in this cookie here
0:37 so we are going to start off by just checking to see whether or not there is a cookie.
0:43 So we are going to see, we'll ask the question,
0:45 is the auth cookie in the dictionary of this thing called cookies,
0:49 if it's not, which is what we are going to check for,
0:53 we are going to return None, so nope, there is nobody logged in here, no cookie.
0:58 Great. But if it is here, then we can get its value.
1:04 So remember that string we generated up here, we got it back,
1:08 but what we want to do is we want to verify this thing and sort of use
1:13 this check and again, I am going to change what we are hashing up here
1:16 before we're done, so we are able to basically treat this as a string now
1:20 and do whatever it is we want to verify, so let's say we have parts
1:25 is going to be val.split and we want to split on that colon we added,
1:29 and if, we'll say, the parts, the length of the parts
1:33 is not equal to two, something went wrong.
1:37 So we are going to return None, right, so there is something wrong with this login cookie here.
1:42 So then we have the user_id is going to be parts[0]
1:48 and the hash value it's going to be parts[1].
1:51 So we just want to check that if we rerun this procedure,
1:55 everything is going to come out the same as we expected
1:58 so let's go over here, and the procedure was
2:01 that we would come over and hash the user id, which look,
2:05 they called that the same,
2:07 and then we want to give this hash value check and then we want to say "if not...",
2:11 "if hash value is not equal to hash value check" then we're going to return None
2:16 but we're also going to do a little message here, so we can keep track
2:20 of what is going on, we'll say "Warning: Hash mismatch, invalid cookie value",
2:27 something like this, OK.
2:30 Alright, but if they do check, there was no sort of sticking user ids
2:34 in the cookies and hoping that we can just log in with them,
2:36 instead we are going to get this back and we can just return user id, OK,
2:42 so this is pretty solid, we should be able to use this,
2:45 let's go over to our account controller, when we set this,
2:49 this is going to set it but other requests
2:51 like maybe this one for the account page,
2:54 we don't want unauthenticated people to go to an account,
2:57 we want to make sure they are logged in.
2:59 We could add a function here to work directly with that cookie auth
3:02 but it turns out maybe the albums controller for purchases needs to know
3:06 who is logged in, the home controller all sorts of things,
3:09 the whole app needs to know. So we can go to our base controller
3:12 and give it some properties, like we have a property there,
3:15 we'll give it another one and this one is going to be logged in user id.
3:20 And here we are going to use the cookie also, let me import it up here like so.
3:29 So down here, we'll just return cookie_auth.get_user_via_auth_cookie(self.request).
3:39 Alright, so that will let us ask questions like this, if we go over here,
3:44 we'll say "if not self.logged_in_user_id", that's a property so if we don't have one,
3:50 we'll print "Cannot view account page, must log in",
3:55 and then we'll do a self.redirect to /account/signin, right,
4:05 so we'll have them sign in and if there is no problem, if they are authenticated,
4:08 then we just display this basically empty page for now.
4:12 Alright, so let's try this.
4:15 So if we go over here, and we go to this page,
4:18 let's get rid of this thing, you can see we have the cookie right now,
4:21 so if I hit this it should stay, great, everything worked,
4:24 now, if I take the same thing, the same page and try to view it
4:28 in a private browsing session, let's go here, not signed in,
4:33 notice that we were not signed in, and it redirects us over here.
4:38 Right, this one, it says, refresh it all we want, we are staying signed in,
4:42 go over to this one and obviously if we try to go to account,
4:46 we are signing in, we could sign in, and now it will let us in.
4:50 Alright, so you can see that we're signing in, we're still not managing this,
4:53 but let's come back and do that in a separate little section here.