Teapot: Managing authentication by a third party (Fossil)


Offray Vladimir Luna Cárdenas-2

I'm trying to make some tests on a distributed wiki provided by Fossil as
a backend for storage/auth, Mustache + Material Design Lite for the
frontend, and Teapot used as middleware for logic and for connecting
frontend and backend. Teapot is connected with Fossil via JSON, and
domain objects are stored as Fossil wiki pages. So far the experiment is
going well, but now I'm wondering about how to do authentication.

In my experiments I use the Fossil user and password to get an auth
token that is used via Fossil's JSON API to make all the operations
that require permissions on the repository, and now I wonder how this
strategy should be implemented for "real" (for the tests, I read the
password data from a local temporary file).

- Is there some user management framework or project for Teapot or Zinc,
without going to more complex frameworks like Seaside or Aida?
- Should I have some "Sessions" object that stores logged-in users,
passwords and/or auth tokens inside the image and deletes them once the
user has logged off and/or on a time basis?
- Is there any other strategy or lite user auth framework that I have not thought of?

Any advice or experience in dealing with similar scenario is greatly




Re: Teapot: Managing authentication by a third party (Fossil)

Attila Magyar
IMO it depends on how the API works. Most REST APIs are stateless and the authentication token or API key is sent in each request; there is no login/logout operation. In this case you can set up a before filter and check the authentication token in the filter. If you use normal form-based login then using HTTP sessions is the way to go. You can check the session attribute in a before filter similarly, and redirect the user to the login page if there is no session info.

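Teapot on
    "Redirect to the login page when the session has no #user attribute"
    before: '/secure/*' -> [:req |
        req session
            attributeAt: #user
            ifAbsent: [req abort: (TeaResponse redirect location: '/loginpage')]];
    "Placeholder handler: return the login form here"
    GET: '/loginpage' -> [:req | '...show login form...'];
    GET: '/secure' -> 'protected';
    start.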

You should clean the session when the user logs out manually. As far as I know ZnServer automatically cleans up inactive sessions after a while, so there is no need to worry about periodic cleanup.
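
The session-based approach from this thread, extended with login and logout routes, as an added example that is not part of either post and is not Teapot's or Fossil's own code. It keeps only the Fossil auth token in the `ZnSession`, never the password. Assumptions: the Fossil URL, the routes `/login`, `/logout` and `/secure/home`, the form field names, the `#authToken` key, and that Fossil's `/json/login` takes a JSON envelope with `name` and `password` and answers with `payload.authToken`.

```smalltalk
"Added example for a Pharo Playground. The URL below is a constructed placeholder."
| fossilUrl fossilLogin |
fossilUrl := 'http://localhost:8080/json/login'.

"Exchange the credentials for a Fossil auth token; answer nil when login fails.
 The password lives only in this block's arguments and is never stored."
fossilLogin := [:name :password | | envelope reply |
    envelope := Dictionary new.
    envelope
        at: 'payload'
        put: (Dictionary new
            at: 'name' put: name;
            at: 'password' put: password;
            yourself).
    reply := [STONJSON fromString: (ZnClient new
            url: fossilUrl;
            entity: (ZnEntity
                with: (STONJSON toString: envelope)
                type: ZnMimeType applicationJson);
            post)]
        on: Error
        do: [:e | Dictionary new].   "unreachable or non-JSON reply counts as failure"
    (reply at: 'payload' ifAbsent: [nil])
        ifNotNil: [:payload | payload at: 'authToken' ifAbsent: [nil]]].

Teapot on
    "Every /secure/* request must carry a session that holds a token"
    before: '/secure/*' -> [:req |
        req session
            attributeAt: #authToken
            ifAbsent: [req abort: (TeaResponse redirect location: '/loginpage')]];
    "Form login: on success keep the token (not the password) in the session"
    POST: '/login' -> [:req |
        (fossilLogin value: (req at: #name) value: (req at: #password))
            ifNil: [TeaResponse redirect location: '/loginpage']
            ifNotNil: [:token |
                req session attributeAt: #authToken put: token.
                TeaResponse redirect location: '/secure/home']];
    "Manual logout: drop the token so the before filter rejects later requests"
    GET: '/logout' -> [:req |
        req session removeAttribute: #authToken.
        TeaResponse redirect location: '/loginpage'];
    start.
```

Handlers under `/secure/*` can read the token with `req session attributeAt: #authToken` and pass it on to Fossil; removing the attribute here does not invalidate the token on the Fossil side.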