Recap

• A YouTube for poetry, API first
• We can retrieve and modify poems
• We can list and search for poems

Security Goals

• Anyone can find and read poems (without logging in)
• Anyone can add a poem, but we must know who they are
• You can only modify or delete your own poems

Architecture

Options

• Store and manage a list of user credentials:
  • HTTP Basic Authentication
  • HTTP Digest Authentication
  • Security token in cookie
• Get someone else to do it:
  • OpenID
  • OAuth 2.0

Options

• Store and manage a list of user credentials:
  • HTTP Basic Authentication
  • HTTP Digest Authentication
  • Security token in cookie
• Get someone else to do it:
  • OpenID
  • OAuth 2.0

HTTP Basic

• Every request contains username and password
• They are passed in cleartext
• If all this is inside an HTTPS session, it's reasonable
• Easy to test in browser
• (but hard to "log out")

HTTP Basic

Easy to use on command line too:

$ curl \
    --data '{"title":"Foo", ...' \
    http://localhost:8080\
    /api/v1/poems
    --user 'username:pass'

HTTP Digest

• Every request contains username and credentials
• Password not passed in cleartext
• Provisions to avoid replay attacks
• Easy to test in browser
• (but hard to "log out")

Implementation

Implementation

def GET( self, urlid ):
    user = authenticate_user(
        self.db )
    ...

Implementation

def authenticate_user( db ):
    auth = web.ctx.env.get(
        "HTTP_AUTHORIZATION" )
    if auth is None:
        return None
    user, pw = extract_user_pw( auth )
    ...

Implementation

def extract_user_pw( auth ):
    auth = re.sub(
        "^Basic ", "", auth )

    auth = base64.decodestring( auth )

    return auth.split( ":" )

Implementation

def authenticate_user( db ):
    ...
    if (    user in known_users
        and known_users[user] == pw
    ):
        return user
    else:
        raise unauthorized()

Implementation

def POST( self, urlid ):
    user = require_authenticated_user(
        self.db )
    ...

Implementation

def require_authenticated_user( db ):
    user = authenticate_user( db )
    if user is None:
        raise unathorized()
    return user

Implementation

Implementation

def is_valid_user( db, user ):
    return ( user is not None )

def amendpoem( ..., user ):
    if not is_valid_user( db, user ):
        raise InvalidRequest( 401 )
    ...

Implementation

def amendpoem( ..., user ):
    ...
    if doc["contributor"] != user:
        raise InvalidRequest( 403 )

More info

Videos	youtube.com/user/ajbalaam
Twitter	@andybalaam
Blog	artificialworlds.net/blog
Projects	artificialworlds.net