Python for Entrepreneurs Transcripts
Chapter: User accounts and identity
Lecture: Concepts: logging in
0:03 Let's review how we created a tamper-proof cookie to track the logged in user on our web app.
0:09 So we created our cookie auth module in the infrastructure folder or submodule, and we are going to pass the request and the user id,
0:18 so the request lets us get access back to the browser to set the cookie, the user id is the value that we want to set,
0:24 now we could just store the user id straight in there and if this was a number, this would be a super bad idea, because it's really crazily generated,
0:31 it's this huge 32-character alphanumeric string, it's still pretty hard to guess, but we are going to go a little farther when we do this
0:42 get salted cookie value thing so that we actually make it even harder to guess, we basically make it tamper-proof.
0:48 So here we make the cookie tamper-proof with a slated hash that lets us check the value, now, we also saw that for whatever reason in Pyramid,
0:56 we need to use a callback instead of directly setting the cookie on the response, so we are going to set the response callback here
1:03 and this function has to take a request and response but then you can see we are using a closure to actually pass the request and response along
1:11 as well as the value. And this technique works on any cookie, this is not,
1:17 this really has nothing to do with authentication other than you want to be really careful
1:21 that people can't temper with it and guess user id, so we did this salt thing,
1:25 but if you want to store just random cookies, you can have a number of them and this is how you would do it.
1:30 There is a few pieces you didn't see in the previous screen, so to get slated cookie here,
1:34 we can just say we want to return some text plus the original string, maybe plus some more text, this could be huge, it could be one character,
1:42 make it up randomly, you could have it based on some other part of the user like their email address, but then again, if their email address changes-
1:49 do whatever you think makes sense but you want to have some sort of verification that the cookie is not tampered with, and then,
1:57 when we call that __add_auth_cookie_callback, you can see we just say response.set_cookie, we give it the name,
2:02 the value, and the maximum age, so this cookie is going to expire in 30 days, or if they call "log out" we are going to delete it immediately.
2:11 Finally, what fun is it to set a cookie if you don't ever read it back, so here when we do our request, we want to know "is somebody logged in?",
2:19 we are going to first see if that cookie exists in the request that is coming from the browser,
2:25 was that set in a previous request in that particular browser. So we are going to say "is the auth cookie name in request?" If it's not,
2:33 then we want to return None because there is no id we are ever going to find
2:36 if we don't have the cookie, then we are going to get its value super easy, request.cookies, give it the name of the cookie, this is just a dictionary,
2:43 we get the string value back, and the way we constructed it was we put in the value and then a hash, that would let us know
2:50 whether or not that value is even messed with. So then we just do a little bit of work to split it apart, to recompute the hash
2:56 and make sure that it wasn't tempered with, if we are happy that nobody messed with it, that it's the same thing we sent down from the server,
3:03 then we will return the actual value we care about, the user id.