mongodb - Creating Web service for login in python with tornado
I am just learning how Tornado works (I am a beginner in Python and Tornado) and am providing a login page service. I have an HTML page that sends the parameters {"data":{"email":"adsf","password":"asdf","type":3}}, but I don't know how to get the parameters in Tornado.
My login.py:
    import motor
    import tornado.ioloop
    import tornado.web
    import http

    client = motor.MotorClient('localhost', 27017)
    db = client.yc


    class LoginHandler(tornado.web.RequestHandler):
        def get(self):
            # check_basic_auth() and do_stuff() are not defined in the post.
            self.check_basic_auth()
            do_stuff()

        def post(self):
            print("test")

        def options(self):
            print("option")
            self.set_header('Access-Control-Allow-Origin', '*')
            self.set_header('Access-Control-Allow-Headers', 'Content-Type')
            from pprint import pprint
            pprint(vars(self))


    if __name__ == "__main__":
        application = tornado.web.Application([
            (r"/user", LoginHandler)
        ], db=db)
        application.listen(5000)
        tornado.ioloop.IOLoop.current().start()

Please guide me on how to get the parameters and verify their values in MongoDB.
Thanks in advance.
I am a beginner.
Please read Tornado's authentication and security guide thoroughly. I've adapted Tornado's guide to use a user record in MongoDB:
    import motor
    import tornado.escape
    import tornado.ioloop
    import tornado.web
    from tornado import gen

    # Same database handle as in the question.
    client = motor.MotorClient('localhost', 27017)
    db = client.yc


    class BaseHandler(tornado.web.RequestHandler):
        def get_current_user(self):
            return self.get_secure_cookie("user")


    class MainHandler(BaseHandler):
        def get(self):
            if not self.current_user:
                self.redirect("/login")
                return
            name = tornado.escape.xhtml_escape(self.current_user)
            self.write("Hello, " + name)


    class LoginHandler(BaseHandler):
        def get(self):
            self.write('<html><body><form action="/login" method="post">'
                       'Name: <input type="text" name="name">'
                       'Password: <input type="password" name="password">'
                       '<input type="submit" value="Sign in">'
                       '</form></body></html>')

        @gen.coroutine
        def post(self):
            # TODO: salt and hash password before storing in DB, salt
            # and hash user's input password before comparing.
            username = self.get_argument("name")
            password = self.get_argument("password")
            doc = yield db.accounts.find_one({"name": username,
                                              "password": password})
            if doc:
                self.set_secure_cookie("user", username)
                self.redirect("/")
            else:
                # No such user or wrong password.
                self.redirect("/login")


    if __name__ == "__main__":
        application = tornado.web.Application([
            (r"/", MainHandler),
            (r"/login", LoginHandler)
        ], cookie_secret='some random string')
        application.listen(5000)
        tornado.ioloop.IOLoop.current().start()

There are still problems with this code: you should show the user a message after reloading the login page, like "Incorrect username or password." Try this flash-message code snippet.
This code is insecure: passwords are stored in MongoDB in cleartext, so anyone who can get a copy of a database backup knows your users' passwords. Passwords should be salted and hashed before being stored in the database.
And of course, you should require an HTTPS secure connection for users to log in.
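The salting and hashing step the answer calls for, applied to the JSON body from the question, as an added example that is not part of the original answer. The function names, the choice of PBKDF2-HMAC-SHA256 with this iteration count, and the dict standing in for the accounts collection are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def parse_login_body(body):
    """Extract (email, password) from {"data": {"email": ..., "password": ...}}."""
    try:
        data = json.loads(body)["data"]
        email, password = data["email"], data["password"]
    except (ValueError, KeyError, TypeError):
        return None
    # Accept plain strings only, so nothing but a string ever reaches
    # the database query or the hash function.
    if not isinstance(email, str) or not isinstance(password, str):
        return None
    return email, password


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return the fields to store instead of the cleartext password."""
    salt = salt or os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password, record):
    """Re-hash the submitted password with the stored salt and compare."""
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate["hash"], record["hash"])


def check_login(body, accounts):
    """accounts: dict email -> stored record (stand-in for a find_one by email)."""
    creds = parse_login_body(body)
    if creds is None:
        return False
    record = accounts.get(creds[0])
    return record is not None and verify_password(creds[1], record)


# Constructed sample data, using the request shape from the question.
ACCOUNTS = {"adsf": hash_password("asdf")}
GOOD = b'{"data":{"email":"adsf","password":"asdf","type":3}}'
```

In a Tornado handler the raw bytes are available as self.request.body, and the lookup becomes a find_one on the email field alone, with the password checked in Python rather than placed in the query.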