Metadata-Version: 2.1
Name: more.basicauth
Version: 0.5
Summary: Basic Auth Identity Policy for Morepath
Home-page: https://github.com/morepath/more.basicauth
Author: Morepath developers
Author-email: morepath@googlegroups.com
License: BSD
Description: more.basicauth: HTTP Basic Authentication integration for Morepath
        ==================================================================
        
        Overview
        --------
        
        This is a Morepath_ authentication extension for HTTP Basic Authentication.
        It was originally part of Morepath, but since basic auth is almost always what
        you don't want we decide to move it to a separate extension.
        
        Some Pros and Cons:
        
        *  This argues against basic auth:
           http://adrianotto.com/2013/02/why-http-basic-auth-is-bad
        *  But this argues *for* basic auth:
           https://www.rdegges.com/2015/why-i-love-basic-auth
        
        Alternative authentication extensions for morepath are:
        
        * `more.jwtauth`_:
          A token based authentication sytem using JSON Web Token (JWT).
        * `more.isdangerous`_:
          A cookie based identity policy using isdangerous.
        
        .. _Morepath: http://morepath.readthedocs.org
        .. _more.jwtauth: https://github.com/morepath/more.jwtauth
        .. _more.isdangerous: https://github.com/morepath/more.itsdangerous
        
        
        Introduction
        ------------
        
        Basic authentication is special in a number of ways:
        
        * The HTTP response status that triggers basic auth is Unauthorized
          (401), not the default Forbidden (403). This needs to be sent back
          to the browser each time login fails, so that the browser asks the
          user for a username and a password.
        
        * The username and password combination is sent to the server by the
          browser automatically; there is no need to set some type of cookie
          on the response. Therefore ``remember_identity`` does nothing.
        
        * With basic auth, there is no universal way for a web application to
          trigger a log out. Therefore ``forget_identity`` does nothing
          either.
        
        To trigger a ``401`` status when time Morepath raises a ``403`` status,
        we can use an exception view, something like this::
        
          from webob.exc import HTTPForbidden
        
          @App.view(model=HTTPForbidden)
          def make_unauthorized(self, request):
              @request.after
              def set_status_code(response):
                  response.status_code = 401
              return "Unauthorized"
        
        For the login code, as ``remember_identity`` is not an option,
        you can just check the password::
        
            # check whether user has password, using password hash and database
            if not user_has_password(username, password):
                return "Sorry, login failed" # or something more fancy
        
        Note that ``user_has_password`` stands in for whatever method you use
        to check a user's password; it's not part of Morepath.
        
        
        Usage
        -----
        
        Here a full example for a basic setup::
        
            import morepath
            from more.basicauth import BasicAuthIdentityPolicy
            from webob.exc import HTTPForbidden
        
        
            class App(morepath.App):
                pass
        
        
            @App.identity_policy()
            def get_identity_policy():
                return BasicAuthIdentityPolicy()
        
        
            @App.verify_identity()
            def verify_identity(identity):
                # Do the password validation.
                return user_has_password(identity.username, identity.password)
        
        
            @App.view(model=HTTPForbidden)
            def make_unauthorized(self, request):
                @request.after
                def set_status_code(response):
                    response.status_code = 401
        
                return "Unauthorized"
        
        
        The login form could look like::
        
            from webob.exc import HTTPProxyAuthenticationRequired
        
        
            class Login:
                pass
        
        
            @App.path(model=Login, path='login')
            def get_login():
                return Login()
        
        
            @App.view(model=Login, request_method='POST')
            def login(self, request):
                username = request.POST['username']
                password = request.POST['password']
        
                # Do the password validation.
                if not user_has_password(username, password):
                    raise HTTPProxyAuthenticationRequired('Invalid username/password')
        
                return "You're logged in."  # or something more fancy
        
        
        Requirements
        ------------
        
        -  Python (3.4, 3.5, 3.7, 3.8)
        -  morepath (>= 0.19)
        
        
        CHANGES
        *******
        
        0.5 (2020-04-26)
        ================
        
        - **Removed**: Removed support for Python 2.
          
          You have to upgrade to Python 3 if you want to use this version.
        
        - Dropped support for Python 3.3 and added support for Python 3.5, 3.6, 3.7 and PyPy 3.6.
        
        - Make Python 3.7 the default testing environment.
        
        - Add integration for the Black code formatter.
        
        
        0.4 (2016-10-21)
        ================
        
        - We now use virtualenv and pip instead of buildout to set up the
          development environment. A development section has been
          added to the README accordingly.
        
        
        0.3 (2016-07-20)
        ================
        
        - Upgrade to Morepath 0.15.
        - Add testenv for Python 3.5 and make it the default test environment.
        - Change author to "Morepath developers".
        - Clean up classifiers.
        
        
        0.2 (2016-04-25)
        ================
        
        - Upgrade to Morepath 0.14.
        - Some minor improvements to the buildout setup workflow.
        
        
        0.1 (2016-04-16)
        ================
        
        - Extract Basic Auth from Morepath.
        - Return NO_IDENTITY instead of None, if user cannot identify.
        - Replace class 'app' with 'App' in tests.
        - Add a login test.
        - Enhance documentation.
        
Keywords: morepath basicauth identity authentication
Platform: UNKNOWN
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: BSD License
Classifier: Environment :: Web Environment
Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
Classifier: Topic :: Internet :: WWW/HTTP :: WSGI
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Development Status :: 5 - Production/Stable
Provides-Extra: test
Provides-Extra: pep8
Provides-Extra: coverage
