authentication token issue EVE

Submitted by 懵懂的女人 on 2019-12-11 09:09:09

Question


Hi, I am using the Eve token authentication (http://python-eve.org/tutorials/account_management.html#accounts-with-token-authentication) but am stuck with a 401 message.


from eve import Eve
from eve.auth import TokenAuth


class RolesAuth(TokenAuth):
    def check_auth(self, token, allowed_roles, resource, method):
        # Look the token up in the 'users' collection; when the endpoint
        # restricts roles, the user must also hold one of the allowed roles.
        users = app.data.driver.db['users']
        lookup = {'token': token}
        if allowed_roles:
            lookup['roles'] = {'$in': allowed_roles}
        user = users.find_one(lookup)
        return user


if __name__ == '__main__':
    app = Eve(auth=RolesAuth)
    app.run()

I am using username test and password 1234; this results in the base64 encoding dGVzdDoxMjM0.

When I use cURL


curl -X "GET" "http://api.domain.com:5000/people/obama" -H "Authorization: Basic dGVzdDoxMjM0" 

this is resulting in the 401

{"_status": "ERR", "_error": {"message": "Please provide proper credentials", "code": 401}}

I checked mongodb and the token is there

{
    "_id" : ObjectId("551004d6714e7a5fec0729e3"),
    "username" : "test",
    "_updated" : ISODate("2015-03-23T12:19:34.000Z"),
    "roles" : [ 
        "admin", 
        "superuser"
    ],
    "token" : "dGVzdDoxMjM0",
    "_created" : ISODate("2015-03-23T12:19:34.000Z"),
    "password" : "1234",
    "_etag" : "96b41717630a49bca41b89f971cc3b8bd8d518a3"
}

Is there something wrong with the cURL command?


Answer 1:


There are a few things wrong with your code:

  1. You are sending username and password with your Authorization header while your RolesAuth class is performing lookups on token. Try passing an encoded token instead.
  2. You stored the base64 encoded token in Mongo but you probably want to store the clean token instead, as the check_auth method will receive a decoded value as token argument (or you have to encode it again before performing the lookup).
  3. You really really don't want to store the clean password in the database. These should be hashed/salted.



Answer 2:


You have to base64-encode your token before sending it, and store it in MongoDB not encoded.

When Eve receives the token it is decoded and then compared with the db.

if you send:

curl -X "GET" "http://api.domain.com:5000/people/obama" -H "Authorization: Basic dGVzdDoxMjM0" 

In the db has to be stored:

"token" : "1234",

Moreover, you have to encode token + ":". For example, if your token value in the db is "1234", you have to encode and send "1234:".
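To make the decoding described in both answers concrete, here is an added stand-alone example (not Eve's code and not from either answer) that reproduces the Basic-header decoding Eve applies for TokenAuth, where the part before the first ":" is the token, and runs the question's RolesAuth lookup against a constructed in-memory users list instead of MongoDB. It shows why the header built from username:password fails while the header built from token + ":" succeeds.

```python
import base64
from typing import Optional

# Constructed sample "users" collection standing in for the Mongo collection
# in the question. The clean token "1234" is stored, not its base64 form.
USERS = [
    {"username": "test", "token": "1234", "roles": ["admin", "superuser"]},
]


def token_from_basic_header(header: Optional[str]) -> Optional[str]:
    """Recover the token from an 'Authorization: Basic ...' header.

    Mirrors what the answers describe: the base64 payload is decoded and the
    part before the first ':' is treated as the token (Basic auth's username
    field). Returns None for a missing or malformed header.
    """
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True)
        decoded = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    token, _sep, _rest = decoded.partition(":")
    return token or None


def check_auth(token: str, allowed_roles: Optional[list]) -> bool:
    """In-memory equivalent of the question's RolesAuth.check_auth lookup."""
    for user in USERS:
        if user["token"] != token:
            continue
        # Same semantics as {'roles': {'$in': allowed_roles}}: any overlap.
        if allowed_roles and not set(user["roles"]) & set(allowed_roles):
            continue
        return True
    return False


def authorize(header: Optional[str], allowed_roles: Optional[list] = None) -> bool:
    """Full check: decode the header, then look the token up."""
    token = token_from_basic_header(header)
    return token is not None and check_auth(token, allowed_roles)


def basic_header_for_token(token: str) -> str:
    """Build the header a client must send for a token: base64('<token>:')."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()
```

The questioner's header "Basic dGVzdDoxMjM0" decodes to "test:1234", so the lookup is made with token "test" and fails, while basic_header_for_token("1234") yields "Basic MTIzNDo=", which decodes to token "1234" and matches.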



Source: https://stackoverflow.com/questions/29213069/authentication-token-issue-eve
