|
11 | 11 |
|
12 | 12 | First of all, what is *aiohttp_security* about? |
13 | 13 |
|
14 | | -It is a set of public API functions and standard for implementation details. |
| 14 | +*aiohttp_security* is a set of public API functions as well as a reference standard for implementation details for securing access to assets served by a wsgi server. |
| 15 | +Assets are secured using authentication and authorization as explained below. *aiohttp_security* is part of the *aio_libs* project which takes advantage of asynchronous |
| 16 | +processing using Python's asyncio library. |
15 | 17 |
|
16 | 18 |
|
17 | 19 | Public API |
18 | 20 | ========== |
19 | 21 |
|
20 | | -API is implementation agnostic, all client code should not call policy |
21 | | -code (see below) directly but use API only. |
| 22 | +The API is agnostic to the low level implementation details such that all client code only needs to implement the endpoints as provided by the API (instead of calling policy |
| 23 | +code directly (see explanation below)). |
| 24 | + |
| 25 | +Via the API an application can: |
| 26 | + |
| 27 | +(i) remember a user in a local session (:func:`remember`), |
| 28 | +(ii) forget a user in a local session (:func:`forget`), |
| 29 | +(iii) retrieve the :term:`userid` (:func:`authorized_userid`) of a remembered user from an :term:`identity` (discussed below), and |
| 30 | +(iv) check the :term:`permission` of a remembered user (:func:`permits`). |
| 31 | + |
| 32 | +The library internals are built on top of two concepts: |
| 33 | + |
| 34 | +1) :term:`authentication`, and |
| 35 | +2) :term:`authorization`. |
| 36 | + |
| 37 | +There are abstract base classes for both types as well as several pre-built implementations |
| 38 | +that are shipped with the library. However, the end user is free to build their own implementations. |
| 39 | +The library comes with two pre-built identity policies; one that uses cookies, and one that uses sessions [#f1]_. |
| 40 | +It is envisioned that in most use cases developers will use one of the provided identity policies (Cookie or Session) and |
| 41 | +implement their own authorization policy. |
| 42 | + |
| 43 | +The workflow is as follows: |
| 44 | + |
| 45 | +1) User is authenticated. This has to be implemented by the developer. |
| 46 | +2) Once user is authenticated an identity string has to be created for that user. This has to be implemented by the developer. |
| 47 | +3) The identity string is passed to the Identity Policy's remember method and the user is now remembered (Cookie or Session if using built-in). *Only once a user is remembered can the other API methods:* :func:`permits`, :func:`forget`, *and* :func:`authorized_userid` *be invoked* . |
| 48 | +4) If the user tries to access a restricted asset the :func:`permits` method is called. Usually assets are protected using the **@aiohttp_security.has_permission(**\ *permission*\ **)** decorator. This should return True if permission is granted. |
| 49 | + |
| 50 | + The :func:`permits` method is implemented by the developer as part of the :class:`AbstractAuthorizationPolicy` and passed to the application at runtime via setup. |
| 51 | + In addition a :func:`@aiohttp_security.login_required decorator` also exists that requires no permissions (i.e. doesn't call :func:`permits` method) but only requires that the user is remembered (i.e. authenticated/logged in). |
22 | 52 |
|
23 | | -Via API application can remember/forget user in local session |
24 | | -(:func:`remember`/:func:`forget`), retrieve :term:`userid` |
25 | | -(:func:`authorized_userid`) and check :term:`permission` for |
26 | | -remembered user (:func:`permits`). |
27 | 53 |
|
28 | | -The library internals are built on top of two policies: |
29 | | -:term:`authentication` and :term:`authorization`. There are abstract |
30 | | -base classes for both concepts as well as several implementations |
31 | | -shipped with the library. End user is free to build own implemetations |
32 | | -if needed. |
33 | 54 |
|
34 | 55 |
|
35 | 56 | Authentication |
36 | 57 | ============== |
| 58 | +Authentication is the process where a user's identity is verified. It confirms who the user is. This is traditionally done using a user name and password (note: this is not the only way). |
| 59 | +A authenticated user has no access rights, rather an authenticated user merely confirms that the user exists and that the user is who they say they are. |
| 60 | + |
| 61 | +In *aiohttp_security* the developer is responsible for their own authentication mechanism. *aiohttp_security* only requires that the authentication result in a identity string which |
| 62 | +corresponds to a user's id in the underlying system. |
| 63 | + |
| 64 | + *Note:* :term:`identity` is a string that is shared between the browser and the server. Therefore it is recommended that a random string such as a uuid or hash is used rather than things like a database primary key, user login/email, etc. |
| 65 | + |
| 66 | +Identity Policy |
| 67 | +============== |
| 68 | + |
| 69 | +Once a user is authenticated the *aiohttp_security* API is invoked for storing, retrieving, and removing a user's :term:`identity`. This is accommplished via AbstractIdentityPolicy's :func:`remember`, :func:`identify`, and :func:`forget` methods. The Identity Policy is therefore the mechanism by which a authenticated user is persisted in the system. |
| 70 | + |
| 71 | +*aiohttp_security* has two built in identity policy's for this purpose. :term:`CookiesIdentityPolicy` that uses cookies and :term:`SessionIdentityPolicy` that uses sessions via :term:`aiohttp.session` library. |
| 72 | + |
| 73 | +Authorization |
| 74 | +============== |
| 75 | + |
| 76 | +Once a user is authenticated (see above) it means that the user has an :term:`identity`. This :term:`identity` can now be used for checking access rights or :term:`permission` using a :term:`authorization` policy. |
| 77 | +The authorization policy's :func:`permits()` method is used for this purpose. |
| 78 | + |
37 | 79 |
|
38 | | -Actions related to retrieving, storing and removing user's |
39 | | -:term:`identity`. |
| 80 | +When :class:`aiohttp.web.Request` has an :term:`identity` it means the user has been authenticated and therefore has an :term:`identity` that can be checked by the :term:`authorization` policy. |
40 | 81 |
|
41 | | -Authenticated user has no access rights, the system even has no |
42 | | -knowledge is there the user still registered in DB. |
| 82 | + As noted above, :term:`identity` is a string that is shared between the browser and the server. Therefore it is recommended that a random string such as a uuid or hash is used rather than things like a database primary key, user login/email, etc. |
43 | 83 |
|
44 | | -If :class:`aiohttp.web.Request` has an :term:`identity` it means the user has |
45 | | -some ID that should be checked by :term:`authorization` policy. |
46 | 84 |
|
47 | | -:term:`identity` is a string shared between browser and server. |
48 | | -Thus it's not supposed to be database primary key, user login/email etc. |
49 | | -Random string like uuid or hash is better choice. |
| 85 | +.. rubric:: Footnotes |
| 86 | +.. [#f1] jwt - json web tokens in the works |
0 commit comments