Extension to allow passwordless login to the CKAN API
Project description
CKAN Passwordless API
Extension to allow passwordless login to the CKAN API.
Documentation: https://envidat.gitlab-pages.wsl.ch/ckanext-passwordless_api/
Source Code: https://gitlabext.wsl.ch/EnviDat/ckanext-passwordless_api
This plugin is primarily intended for custom frontends built on the CKAN API.
By using API tokens from CKAN core (>2.9), this plugin provides an authentication flow where:
- Users receive a login token via email (via reset key in core).
- API token is returned on valid login token (reset key) submission.
- The API token should then be included in the Authorization header of calls from the frontend to CKAN.
Based on work by @espona (Lucia Espona Pernas) for ckanext-passwordless (https://github.com/EnviDat/ckanext-passwordless).
Config
Optional variables can be set in your ckan.ini:
- passwordless_api.guidelines_url Description: A link to your website guidelines. Default: None, not included.
- passwordless_api.policies_url Description: A link to your website policies. Default: None, not included.
- passwordless_api.welcome_template Description: Path to welcome template to render as html email. Default: uses default template.
- passwordless_api.reset_key_template Description: Path to reset key template to render as html email. Default: uses default template.
- passwordless_api.cookie_name Description: Set to place the API token in a cookie, with given name. The cookie will default to secure, httpOnly, samesite: Lax. Default: None, no cookie used.
- passwordless_api.cookie_domain Description: The domain for samesite to respect, required if cookie set. Default: None.
- passwordless_api.cookie_samesite Description: To change the cookie samesite value to Strict. Only enable this if you know what you are doing. Default: None, samesite value is set to Lax.
- passwordless_api.cookie_http_only Description: Use a httpOnly cookie, recommended. Default: true.
Endpoints
POST
- <CKAN_HOST>/api/3/action/passwordless_request_reset_key
- Description: Request a login token for a given email.
- Creates user if they do not exist & sends welcome email.
- Param1: email (str).
- <CKAN_HOST>/api/3/action/passwordless_request_api_token
- Description: Request an API token, given the email and login token (reset_key).
- Param1: email (str).
- Param2: key (str).
- <CKAN_HOST>/api/3/action/passwordless_revoke_api_token
- Description: Revoke an API token.
- Param1: token (str).
GET
- <CKAN_HOST>/api/3/action/passwordless_get_user
- Description: Get user details, given their API token. Also resets and returns a new API token (i.e. renewal).
Notes
- It is also recommended to disable access to the API via cookie, to help prevent CSRF:
ckan.auth.disable_cookie_auth_in_api = true
- API tokens themselves are configured in CKAN core:
api_token.nbytes = 60
api_token.jwt.decode.secret = string:YOUR_SUPER_SECRET_STRING
api_token.jwt.algorithm = HS256
# expire_api_token plugin (unit = 1 day in seconds, lifetime = 3 days)
expire_api_token.default_lifetime = 3
expire_api_token.default_unit = 86400
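A small check for the settings discussed in the Config and Notes sections, as an added example (not part of the plugin or its documentation). It assumes the options sit in the [app:main] section of ckan.ini; the function name, the cookie name and both sample configs are constructed for illustration.

```python
import configparser

TRUTHY = {"true", "yes", "on", "1"}
PLACEHOLDER_SECRET = "string:YOUR_SUPER_SECRET_STRING"  # sample value from the notes

def audit_passwordless_config(ini_text, section="app:main"):
    """Return [(option, finding)] for settings the notes above call out.
    Assumption: the options live in the [app:main] section of ckan.ini."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(ini_text)
    cfg = parser[section] if parser.has_section(section) else {}

    def get(key):
        return (cfg.get(key) or "").strip()

    findings = []
    if get("ckan.auth.disable_cookie_auth_in_api").lower() not in TRUTHY:
        findings.append(("ckan.auth.disable_cookie_auth_in_api",
                         "cookie auth to the API is not disabled (CSRF exposure)"))
    if get("api_token.jwt.decode.secret") == PLACEHOLDER_SECRET:
        findings.append(("api_token.jwt.decode.secret",
                         "placeholder secret left in place; tokens could be forged"))
    if get("passwordless_api.cookie_name"):
        # cookie_domain is documented as required once a cookie name is set
        if not get("passwordless_api.cookie_domain"):
            findings.append(("passwordless_api.cookie_domain",
                             "required when cookie_name is set"))
        # default is true, so only an explicit false-like value is flagged
        http_only = get("passwordless_api.cookie_http_only").lower()
        if http_only and http_only not in TRUTHY:
            findings.append(("passwordless_api.cookie_http_only",
                             "API token cookie is readable by page scripts"))
    return findings

# Constructed sample configs (not from a real deployment).
WEAK_INI = """[app:main]
api_token.jwt.decode.secret = string:YOUR_SUPER_SECRET_STRING
passwordless_api.cookie_name = api_token_cookie
passwordless_api.cookie_http_only = false
"""
HARDENED_INI = """[app:main]
ckan.auth.disable_cookie_auth_in_api = true
api_token.jwt.decode.secret = string:constructed-long-random-value
passwordless_api.cookie_name = api_token_cookie
passwordless_api.cookie_domain = example.org
passwordless_api.cookie_http_only = true
"""
```

Calling `audit_passwordless_config(WEAK_INI)` returns four findings, while `HARDENED_INI` returns none.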
Hashes for ckanext-passwordless-api-0.2.2.tar.gz
Hashes for ckanext_passwordless_api-0.2.2-py3-none-any.whl