Reputation: 89
In web2py we can have restful services as mentioned below,

    auth.settings.allow_basic_login = True

    @auth.requires_login()
    @request.restful()
    def api():
        def GET(s):
            return 'access granted, you said %s' % s
        return locals()

This service will be called by an external system. Now, how do I define two levels of service usage? One is the user who can access the service (the external system). After accessing it, the external system will display relevant data to the end user using a webapp. Further, the end users who will use the external system require a login, which I am storing in the auth-related tables. In other words: end users are registered and log in using an external Java-based webapp. That app will call our web2py app as a RESTful service. If we use the '@auth.requires_login()' decorator, does it authenticate the API-calling system or the end users? It was also mentioned that the API-calling system can call it as

    curl --user name:password http://127.0.0.1:8000/myapp/default/api/hello

That means the external system will pass the user and password each time it calls the web2py APIs. Even if it does, how will the end users' login tokens also be checked/sent?
I would really appreciate it if someone can answer this.
Upvotes: 3
Views: 1631
Reputation: 11199
Basically you want two types of authentication for a web2py RESTful service. This could be achieved using the more general auth.requires decorator,

    @auth.requires(custom_auth, requires_login=False)

where custom_auth is a function defined in models,

    def custom_auth():
        """Just a prototype that needs to be extended"""
        # True when the caller already has a web2py login
        web2py_login = auth.user is not None
        # Placeholder: do some other checks from a third party system
        other_login = False
        return web2py_login or other_login

Note that basic authentication is not secure, and should be avoided when possible in production. Use token-based authentication instead.
Upvotes: 2
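
A sketch of the token-based check the answer recommends, covering both levels from the question (the calling system and the end user). This is an added example, not code from either poster or from web2py. The header names, function names and secrets are hypothetical, and it assumes a `custom_auth` function would pass the request headers to `check_request`.

```python
import base64, hashlib, hmac, time

# Constructed sample secrets; a real app would load these from configuration.
SYSTEM_KEYS = {"java-webapp": b"constructed-system-secret"}  # one per calling system
USER_TOKEN_KEY = b"constructed-user-token-secret"            # signs end-user tokens

def _now(now):
    return time.time() if now is None else now

def _sign(key, msg):
    mac = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_user_token(user_id, ttl=900, now=None):
    """Issued once when the end user logs in; the webapp stores and forwards it."""
    payload = "%s:%d" % (user_id, int(_now(now) + ttl))
    return "%s:%s" % (payload, _sign(USER_TOKEN_KEY, payload))

def verify_user_token(token, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    try:
        payload, sig = token.rsplit(":", 1)
        user_id, expires = payload.rsplit(":", 1)
        ok = hmac.compare_digest(sig.encode(), _sign(USER_TOKEN_KEY, payload).encode())
        return user_id if ok and _now(now) < int(expires) else None
    except (AttributeError, ValueError):  # wrong type or malformed token
        return None

def sign_request(system_id, user_token, now=None):
    """Headers the calling system attaches to every API call."""
    ts = str(int(_now(now)))
    return {"X-System-Id": system_id, "X-Timestamp": ts, "X-User-Token": user_token,
            "X-System-Signature": _sign(SYSTEM_KEYS[system_id], ts + ":" + user_token)}

def check_request(headers, now=None, max_skew=300):
    """Check both levels; return (system_id, user_id) or None."""
    system_id = headers.get("X-System-Id")
    key = SYSTEM_KEYS.get(system_id)
    ts, token = headers.get("X-Timestamp", ""), headers.get("X-User-Token", "")
    if key is None or not (ts.isascii() and ts.isdigit()):
        return None
    if abs(_now(now) - int(ts)) > max_skew:  # reject stale or future-dated calls
        return None
    sent = headers.get("X-System-Signature", "")
    if not hmac.compare_digest(sent.encode(), _sign(key, ts + ":" + token).encode()):
        return None                          # level 1 failed: unknown or forged caller
    user_id = verify_user_token(token, now)  # level 2: the end user behind the call
    return (system_id, user_id) if user_id else None
```

The system signature here covers only the timestamp and the user token, so neither secret travels with each call the way basic-auth credentials do. A deployment would also sign the method, path and body, and serve the API over HTTPS.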