Metadata-Version: 2.1
Name: more.basicauth
Version: 0.5
Summary: Basic Auth Identity Policy for Morepath
Home-page: https://github.com/morepath/more.basicauth
Author: Morepath developers
Author-email: morepath@googlegroups.com
License: BSD
Keywords: morepath basicauth identity authentication
Platform: UNKNOWN
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: BSD License
Classifier: Environment :: Web Environment
Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Development Status :: 5 - Production/Stable
Requires-Dist: morepath (>=0.19)
Provides-Extra: coverage
Requires-Dist: pytest-cov ; extra == 'coverage'
Provides-Extra: pep8
Requires-Dist: flake8 ; extra == 'pep8'
Requires-Dist: black ; extra == 'pep8'
Provides-Extra: test
Requires-Dist: pytest (>=2.9.1) ; extra == 'test'
Requires-Dist: pytest-remove-stale-bytecode ; extra == 'test'
Requires-Dist: WebTest (>=2.0.14) ; extra == 'test'

more.basicauth: HTTP Basic Authentication integration for Morepath
==================================================================

Overview
--------

This is a Morepath_ authentication extension for HTTP Basic Authentication.
It was originally part of Morepath, but since basic auth is almost always what
you don't want we decide to move it to a separate extension.

Some Pros and Cons:

*  This argues against basic auth:
   http://adrianotto.com/2013/02/why-http-basic-auth-is-bad
*  But this argues *for* basic auth:
   https://www.rdegges.com/2015/why-i-love-basic-auth

Alternative authentication extensions for morepath are:

* `more.jwtauth`_:
  A token based authentication sytem using JSON Web Token (JWT).
* `more.isdangerous`_:
  A cookie based identity policy using isdangerous.

.. _Morepath: http://morepath.readthedocs.org
.. _more.jwtauth: https://github.com/morepath/more.jwtauth
.. _more.isdangerous: https://github.com/morepath/more.itsdangerous


Introduction
------------

Basic authentication is special in a number of ways:

* The HTTP response status that triggers basic auth is Unauthorized
  (401), not the default Forbidden (403). This needs to be sent back
  to the browser each time login fails, so that the browser asks the
  user for a username and a password.

* The username and password combination is sent to the server by the
  browser automatically; there is no need to set some type of cookie
  on the response. Therefore ``remember_identity`` does nothing.

* With basic auth, there is no universal way for a web application to
  trigger a log out. Therefore ``forget_identity`` does nothing
  either.

To trigger a ``401`` status when time Morepath raises a ``403`` status,
we can use an exception view, something like this::

  from webob.exc import HTTPForbidden

  @App.view(model=HTTPForbidden)
  def make_unauthorized(self, request):
      @request.after
      def set_status_code(response):
          response.status_code = 401
      return "Unauthorized"

For the login code, as ``remember_identity`` is not an option,
you can just check the password::

    # check whether user has password, using password hash and database
    if not user_has_password(username, password):
        return "Sorry, login failed" # or something more fancy

Note that ``user_has_password`` stands in for whatever method you use
to check a user's password; it's not part of Morepath.


Usage
-----

Here a full example for a basic setup::

    import morepath
    from more.basicauth import BasicAuthIdentityPolicy
    from webob.exc import HTTPForbidden


    class App(morepath.App):
        pass


    @App.identity_policy()
    def get_identity_policy():
        return BasicAuthIdentityPolicy()


    @App.verify_identity()
    def verify_identity(identity):
        # Do the password validation.
        return user_has_password(identity.username, identity.password)


    @App.view(model=HTTPForbidden)
    def make_unauthorized(self, request):
        @request.after
        def set_status_code(response):
            response.status_code = 401

        return "Unauthorized"


The login form could look like::

    from webob.exc import HTTPProxyAuthenticationRequired


    class Login:
        pass


    @App.path(model=Login, path='login')
    def get_login():
        return Login()


    @App.view(model=Login, request_method='POST')
    def login(self, request):
        username = request.POST['username']
        password = request.POST['password']

        # Do the password validation.
        if not user_has_password(username, password):
            raise HTTPProxyAuthenticationRequired('Invalid username/password')

        return "You're logged in."  # or something more fancy


Requirements
------------

-  Python (3.4, 3.5, 3.7, 3.8)
-  morepath (>= 0.19)


CHANGES
*******

0.5 (2020-04-26)
================

- **Removed**: Removed support for Python 2.

  You have to upgrade to Python 3 if you want to use this version.

- Dropped support for Python 3.3 and added support for Python 3.5, 3.6, 3.7 and PyPy 3.6.

- Make Python 3.7 the default testing environment.

- Add integration for the Black code formatter.


0.4 (2016-10-21)
================

- We now use virtualenv and pip instead of buildout to set up the
  development environment. A development section has been
  added to the README accordingly.


0.3 (2016-07-20)
================

- Upgrade to Morepath 0.15.
- Add testenv for Python 3.5 and make it the default test environment.
- Change author to "Morepath developers".
- Clean up classifiers.


0.2 (2016-04-25)
================

- Upgrade to Morepath 0.14.
- Some minor improvements to the buildout setup workflow.


0.1 (2016-04-16)
================

- Extract Basic Auth from Morepath.
- Return NO_IDENTITY instead of None, if user cannot identify.
- Replace class 'app' with 'App' in tests.
- Add a login test.
- Enhance documentation.


