<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial;font-size:10.5pt" ><div dir="ltr" style="font-family:Arial;font-size:10.5pt" ><div dir="ltr" >This is all cool. So when you talk about wok being the base web framework where it provides basic services <span style="font-family: Arial;" >like login, logout, plugin support, i18n etc.</span> to plugin developers do you think adding 'auth' as another service provided by wok to plugin developers makes any sense?</div>
<div dir="ltr" > </div>
<div dir="ltr" >Like you mentioned on IRC during the scrum meeting, someone might even write a wok plugin for makeup tips and you are totally fine with it. Do you think if we provide an easy way for that developer to authenticate his/her plugin's users quickly and easily? Something other Python web frameworks like Flask already provide (<a href="http://flask.pocoo.org/snippets/category/authentication/" >http://flask.pocoo.org/snippets/category/authentication/</a>), or even CherryPy for that matter (<a href="http://tools.cherrypy.org/wiki/AuthenticationAndAccessRestrictions" >http://tools.cherrypy.org/wiki/AuthenticationAndAccessRestrictions</a>). They provide nice decorators which plugin developers can use in their handler methods ("exposed", in the language of CherryPy). </div>
<div dir="ltr" > </div>
<div dir="ltr" >We could provide a nice wrapper around those ideas for authentication using say, PAM, NIS+, LDAP etc. </div>
<div dir="ltr" > </div>
<div dir="ltr" > </div>
<div dir="ltr" >What do you say? </div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr" >----- Original message -----<br>From: Aline Manera &lt;alinefm@linux.vnet.ibm.com&gt;<br>To: luciojhc@linux.vnet.ibm.com, Harshal Patil/India/IBM@IBMIN, kimchi-devel@ovirt.org<br>Cc:<br>Subject: Re: [Kimchi-devel] adding '/auth' for authentication<br>Date: Thu, Aug 6, 2015 6:27 PM<br>
<div><br><font face="Default Monospace,Courier New,Courier,monospace" size="2" >On 05/08/2015 18:02, Lucio Correia wrote:<br>> On 08/05/2015 04:27 PM, Aline Manera wrote:<br>>><br>>><br>>> On 05/08/2015 14:56, Lucio Correia wrote:<br>>>> Hi Harshal,<br>>>><br>>>> On 08/02/2015 01:45 PM, Harshal Patil wrote:<br>>>>> Hi,<br>>>>> In the 'wok' branch there isn't anything to detect if the session has<br>>>>> timed out on the browser side. On the other hand, on master (kimchi)<br>>>>> there is '/vms' endpoint called every 5 seconds which kinda takes care<br>>>>> of making sure the user is indeed logged in.<br>>>>> So I was wondering, if no one is already working on it, to introduce a<br>>>>> '/auth' endpoint which we can poll every 5 seconds using ajax and<br>>>>> based<br>>>>> on the response status code we can either redirect to login page or<br>>>>> just<br>>>>> stay on the same page. This is useful in 'wok' because there isn't any<br>>>>> '/vms' endpoint which existed in master (kimchi) by default.<br>>>>> I can submit a patch for review if this sounds good so far. Also, if<br>>>>> there is a better way of doing it, I would love to hear about it.<br>>>>> Harshal<br>>>>><br>>>>><br>>>><br>>>> The 10-minutes time out is still working with wok branch. But it is<br>>>> only verified if you leave it in "Host" or "Guests" tab. Other tabs'<br>>>> APIs don't send "wok-robot" in headers.<br>>>><br>>>> Your proposal is good, you will need to send "wok-robot" in '/auth'<br>>>> headers, and remove the "wok-robot" from kimchi plugin's Host and<br>>>> Guests API headers.<br>>><br>>> Why do you need an API /auth to check the user is logged? Shouldn't the<br>>> "wok-robot" header be enough to do that?<br>>> Otherwise, we will increase significantly the number of the requests, as<br>>> the real request would be sent after a /auth request.<br>>><br>><br>> Good point Aline, we really don't need /auth. 
If we want timeout<br>> checked for every request, I see two alternatives:<br>> * drop wok-robot verification from check_auth_session() in<br>> src/wok/auth.py.<br>> * add wok-robot headers to requestJSON() in wok.api.js.<br><br>I prefer the second alternative. The 'wok-robot' header was created to<br>distinguish AJAX requests from user requests.<br><br>><br>> But I don't know why currently only hosts and guests tab use wok-robot.<br>><br><br>Because only those tabs have logic to poll the request every X seconds.<br>In fact, we need to add this to every tab to keep consistency and<br>automatically log out the user when the session expires.</font></div></blockquote>
<div dir="ltr" > </div></div></div><BR>
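<div dir="ltr" >Added example, not part of the original thread and not wok's own code: a small model of the idle-timeout check discussed above, showing why background polling must be distinguishable from user requests. The header name, the session field names, and the rule that non-robot requests refresh the idle timer are assumptions made for this sketch.</div>

```python
import time

ROBOT_HEADER = "Wok-Robot"   # assumed header name; the thread only gives the value
ROBOT_VALUE = "wok-robot"
TIMEOUT_SECONDS = 10 * 60    # the 10-minute timeout mentioned in the thread


class SessionExpired(Exception):
    """Stands in for the HTTP 401 that sends the browser to the login page."""


def check_auth_session(session, headers, now=None):
    """Return True if authenticated, False if not; raise on idle timeout.

    Requests tagged as robot (background polling) are checked against the
    idle timeout but never extend it. Untagged requests are treated as user
    activity and refresh the last-activity timestamp (assumed behaviour).
    """
    now = time.time() if now is None else now
    if session.get("username") is None:
        return False
    if headers.get(ROBOT_HEADER) == ROBOT_VALUE:
        if now - session["refresh"] > TIMEOUT_SECONDS:
            session["username"] = None      # invalidate server-side state
            raise SessionExpired("sessionTimeout")
    else:
        session["refresh"] = now
    return True


def simulate(poll_sends_robot_header, idle_seconds=15 * 60, poll_every=5):
    """Log in at t=0, leave the tab idle, poll every `poll_every` seconds.

    Returns the simulated second at which the session expires, or None if
    it is still alive after `idle_seconds`. The session is constructed data.
    """
    session = {"username": "admin", "refresh": 0.0}
    headers = {ROBOT_HEADER: ROBOT_VALUE} if poll_sends_robot_header else {}
    for t in range(poll_every, idle_seconds + 1, poll_every):
        try:
            check_auth_session(session, headers, now=float(t))
        except SessionExpired:
            return t
    return None
```

<div dir="ltr" >With the header on every poll the idle session ends on the first poll after the timeout; without it, each poll counts as activity and an unattended browser stays logged in indefinitely.</div>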