Authentication over JSON on App Engine/Python/Django non-rel
I'm building a site on Google App Engine, running Python and Django non-rel. Everything is working great for HTML and posting/reading data. But as I'm moving forward I'd like to do many of the updates with AJAX, and eventually also over mobile devices like Android and iPhone.
My pages use Django non-rel and my login/logout authentication works great for the HTML. But update information sent over JSON would have to be authenticated that the user can make the changes. I see how doing authentication for just AJAX calls wouldn't be too difficult since you're still hitting the website, but what about when throwing in mobile phone authentication?
So I'm new to this, where do I start?
How can I set up services on GAE so I can do authenticated CRUD operations? Ideally I'd like to use the exact same REST services for AJAX, Android, etc.
Comments (1)
Python makes this pretty easy: you can just create a decorator method of checking the auth and add the decorator to any method requiring auth credentials.
Mind you, this assumes a few things about how you are grabbing user data and such, but the principle is the same with any setup. The notion you may be laboring under is that AJAX calls are handled somehow differently on the server, but just like any RESTful method you are really getting the same headers. If you can check the authentication on the standard HTML request you can quite literally hijack the form submission with an AJAX request and get the same result back. You may want to get JSON back instead or a smaller piece of HTML and for that you want to either:
Add something you can check in the request to know that it is an AJAX request and adjust accordingly.
Implement an RPC Model for handling AJAX requests specifically.
For actually handling authentication you can use the google.appengine.ext users library and ride on the Google Accounts auth or you can write your own. Writing your own of course means implementing a session mechanism (for retaining state across the user session) and storing the passwords in a hashed and salted state for verification.
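The decorator approach described in the answer above, as an added example that is not part of the original post: one server-side check guards the view for both form posts and AJAX/mobile callers, and the request type only selects the response format. `Request`, `login_required`, `update_note`, the `/login` path and the `NOTES` store are constructed stand-ins, not Django or App Engine APIs; the ownership check covers the question's requirement that the user is allowed to make the change.

```python
import json
from functools import wraps

class Request:
    """Constructed stand-in for a framework request (not Django's class)."""
    def __init__(self, user=None, headers=None, data=None):
        self.user = user              # None means no authenticated session
        self.headers = headers or {}
        self.data = data or {}

def json_response(status, payload):
    return status, {"Content-Type": "application/json"}, json.dumps(payload)

def wants_json(request):
    # Chooses the response format only; it never influences the auth decision.
    return (request.headers.get("X-Requested-With") == "XMLHttpRequest"
            or "application/json" in request.headers.get("Accept", ""))

def login_required(view):
    """Reject unauthenticated callers before the view body runs."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.user is None:
            if wants_json(request):
                return json_response(401, {"error": "authentication required"})
            return 302, {"Location": "/login"}, ""   # browser form flow
        return view(request, *args, **kwargs)
    return wrapper

NOTES = {1: {"owner": "alice", "text": "draft"}}     # constructed sample data

@login_required
def update_note(request, note_id):
    note = NOTES.get(note_id)
    if note is None:
        return json_response(404, {"error": "not found"})
    # Being logged in is not enough: the caller must own the record it edits.
    if note["owner"] != request.user:
        return json_response(403, {"error": "forbidden"})
    note["text"] = request.data["text"]
    return json_response(200, note)
```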