Temporary Django REST Framework permission-scoped token
Project description
rest_framework_tmp_scoped_token provides a Django REST Framework-compatible system to generate and validate signed authorization tokens. Generated tokens contain the ID of a user on whose behalf the token bearer authenticates, a white-list of HTTP verbs and API endpoints that the bearer is permitted to access, an max-lifespan of the token, and a note about the intended recipient.
Usage
Token
To generate a token, use the rest_framework_tmp_scoped_token.TokenManager class. The token encompasses the following information:
user: User that will be authenticated by token.
endpoints: key:value pairs of HTTP methods and endpoint roots that token is authorized to access. The following values would authorize the token to make GET requests to any endpoints that begin with ‘api/v1/foo:
{'GET': ['/api/v1/foo']}
NOTE: This this token will not override any existing permissions for its associatted User within the system. It only adds further restrictions to the endpoints that can be accessed.
max_age: How long, in seconds, the token will be valid. By default, tokens will be valid for 1 hour. Non-expiring tokens are not supported.
recipient: (Optional) A textual description of the recipient for which this token was intended. No validation is done with this data, however it is appended to the request as a X-API-Token-Recipient header by the accompanying DRF authentication scheme. This is for tracking purposes
NOTE: The tokens are signed via Django’s `signing <https://docs.djangoproject.com/en/dev/topics/signing/>`__ facility. It is important to know that the tokens are not encrypted, they are simply signed. For this reason, you should not include any sensitive/secret information in the tokens. For an example, notice how easy it is to view the contents of a signed string:
In [1]: from django.core import signing
In [2]: t = signing.dumps({'something-secret': 'hope nobody sees this'})
In [3]: print(t)
eyJzb21ldGhpbmctc2VjcmV0IjoiaG9wZSBub2JvZHkgc2VlcyB0aGlzIn0:1d47N6:woJG0EgLNDb0OjYQmCbsjniP-2Y
In [4]: import base64
In [5]: print(base64.urlsafe_b64decode(t.encode('utf8')))
b'{"something-secret":"hope nobody sees this"}5w\x8e\xcd\xeb\n\t\x1bA ,\xd0\xdb\xd0\xe8\xd8B`\x9b\xb29\xe2?\xed\x98'
Contributing
Testing
pip install -r requirements-test.txt
./runtests
Deploying
pip install -r requirements-deploy.txt
python setup.py test clean build tag publish
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for drf-tmp-scoped-token-0.2.1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 173f9bde36928d71d41d007345e29c9d3c10feafd36e58411a056faafeb97a76 |
|
MD5 | 904348910f8c0ad6abbf7b25bb30c064 |
|
BLAKE2b-256 | b2862a03971a7b0393e014f84d26e286624e0fa7fb06ab51f9e0f7b644e2607d |
Hashes for drf_tmp_scoped_token-0.2.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | b8b38ad127fee4844f097575d68e20a121dce7cd87176ba14dcc097a595d8ddc |
|
MD5 | bfd6045f8d1b9fcf8f96f4f4d2d5741f |
|
BLAKE2b-256 | f08f03de9b6fa34f2451bd46c66c5902ee069853f7eaee466cdffa96a7334615 |