Backend for user authorization
Users (subscribers) must be pre-configured according to the Watcher structure.
How it works:
- Provider implements the HTTP request handler that has the logic to authenticate subscribers.
- Provider enters the path to the Flussonic Watcher authorization backend (Settings — External authentication).
- A subscriber logs into Flussonic Watcher using the login and password stored in the backend database.
- Watcher transfers this data to the backend in a request payload.
- Backend checks the incoming data to make a decision on the subscriber authorization:
  - If the subscriber is authorized, backend returns the 200 HTTP code.
  - If the authentication data is incorrect, backend returns the 403 HTTP code.
  - If the subscriber is not found, the system returns 404.
- If the authentication backend is unreachable or does not respond within 2 seconds, the subscriber's credentials are verified against Watcher's database.
Note
If the subscriber's password in the backend database differs from the one in the Flussonic database, the password cached in the Flussonic database is replaced with the backend password upon successful authorization via the backend. The subscriber can therefore access the system with a single password even if the backend is unavailable.
As a consequence, subscribers cannot change their passwords via Watcher: even if they try, the new password will not work and will be overwritten at the next successful authorization via the backend.
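Example of a simple authorization backend in Python using the Falcon framework:

import falcon


class AuthResource:
    def on_get(self, req, resp):
        # Watcher passes the subscriber's credentials as query parameters.
        login = req.params.get('login', None)
        password = req.params.get('password', None)
        # Log the path and login only: req.uri and req.params contain the password.
        print("GET %r login: %r" % (req.path, login))
        if not login or not password:
            print('incorrect request login: %r' % (login,))
            resp.status = falcon.HTTP_400
            return
        if login == 'user0':
            if password == 'letmein':
                # resp.status defaults to 200 OK: subscriber is authorized.
                return
            resp.status = falcon.HTTP_403
            return
        if login == 'user1':
            if password == 'letmein':
                return
            resp.status = falcon.HTTP_403
            return
        # Unknown login.
        resp.status = falcon.HTTP_404


# falcon.App() is the Falcon 3.0+ name; earlier releases use falcon.API().
app = falcon.App()
ad = AuthResource()
app.add_route('/auth', ad)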
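A hardened variant of the sample backend, added here as an illustration and not Flussonic's own code: it stores salted PBKDF2 hashes instead of plain-text passwords, compares them in constant time, and returns the same 200/403/404 codes. It assumes the GET query format shown in the curl examples on this page; the user table, the iteration count and the names `authorize` and `app` are constructed for this example.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs

# Assumption: chosen so one check stays far below Watcher's 2-second timeout;
# a slower backend makes Watcher fall back to its own password cache.
ITERATIONS = 200_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password):
    """Create the (salt, hash) pair stored instead of the plain password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample subscribers, same logins as in the sample backend.
USERS = {"user0": make_record("letmein"), "user1": make_record("letmein")}

STATUS_LINES = {200: "200 OK", 400: "400 Bad Request",
                403: "403 Forbidden", 404: "404 Not Found"}


def authorize(login, password):
    """Return the HTTP status code for one authorization request."""
    if not login or not password:
        return 400
    record = USERS.get(login)
    if record is None:
        return 404  # subscriber not found
    salt, expected = record
    # compare_digest runs in constant time, unlike ==.
    if hmac.compare_digest(hash_password(password, salt), expected):
        return 200
    return 403  # wrong password


def app(environ, start_response):
    """WSGI entry point for GET /auth?login=...&password=..."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    status = authorize(params.get("login", [""])[0],
                       params.get("password", [""])[0])
    # Empty body, as in the sample responses; never echo or log the password.
    start_response(STATUS_LINES[status], [("Content-Length", "0")])
    return [b""]
```

Because 403 and 404 tell a caller whether a login exists, the endpoint should accept connections from the Watcher host only.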
Examples
A user can get through:
curl -vvv http://localhost:8001/auth\?login\=user0\&password\=letmein
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8001 (#0)
> GET /auth?login=user0&password=letmein HTTP/1.1
> Host: localhost:8001
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: gunicorn/19.7.0
< Date: Mon, 20 Mar 2017 10:16:21 GMT
< Connection: close
< content-length: 0
< content-type: application/json; charset=UTF-8
<
* Closing connection 0
A user can’t get through:
curl -vvv http://localhost:8001/auth\?login\=user0\&password\=wrong
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8001 (#0)
> GET /auth?login=user0&password=wrong HTTP/1.1
> Host: localhost:8001
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: gunicorn/19.7.0
< Date: Mon, 20 Mar 2017 10:16:27 GMT
< Connection: close
< content-length: 0
< content-type: application/json; charset=UTF-8
<
* Closing connection 0
A user is not found:
curl -vvv http://localhost:8001/auth\?login\=user10\&password\=wrong
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8001 (#0)
> GET /auth?login=user10&password=wrong HTTP/1.1
> Host: localhost:8001
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: gunicorn/19.7.0
< Date: Mon, 20 Mar 2017 10:20:04 GMT
< Connection: close
< content-length: 0
< content-type: application/json; charset=UTF-8
<
* Closing connection 0