aiohttp-security/docs/usage.rst

50 lines
1.4 KiB
ReStructuredText
Raw Normal View History

2015-11-08 02:47:19 +00:00
.. _aiohttp-security-usage:
=======
Usage
=======
.. currentmodule:: aiohttp_security
.. highlight:: python
2015-11-18 10:07:42 +00:00
2015-11-26 12:09:01 +00:00
First of all, what is *aiohttp_security* about?
It is a set of public API functions and standard for implementation details.
Public API
==========
2015-11-26 12:09:01 +00:00
API is implementation agnostic, all client code should not call policy
code (see below) directly but use API only.
2015-11-18 10:07:42 +00:00
Via API application can remember/forget user in local session
(:func:`remember`/:func:`forget`), retrieve :term:`userid`
(:func:`authorized_userid`) and check :term:`permission` for
remembered user (:func:`permits`).
2015-11-08 02:47:19 +00:00
2015-11-26 12:09:01 +00:00
The library internals are built on top of two policies:
:term:`authentication` and :term:`authorization`. There are abstract
base classes for both concepts as well as several implementations
shipped with the library. End user is free to build own implemetations
if needed.
2015-11-08 02:47:19 +00:00
Authentication
==============
Actions related to retrieving, storing and removing user's
:term:`identity`.
Authenticated user has no access rights, the system even has no
knowledge is there the user still registered in DB.
2015-11-18 10:07:42 +00:00
If :class:`aiohttp.web.Request` has an :term:`identity` it means the user has
2015-11-08 02:47:19 +00:00
some ID that should be checked by :term:`authorization` policy.
:term:`identity` is a string shared between browser and server.
2015-11-08 02:47:19 +00:00
Thus it's not supposed to be database primary key, user login/email etc.
2015-10-29 08:31:24 +00:00
Random string like uuid or hash is better choice.