
>API Token authentication

Could you give some pointers/links about how this is done?

I have used REST internally with no authentication. But I am not sure how these can be exposed to the outside in a secure manner.




If you wanted to restrict all API access to only logged-in users (to your Django app), it would be as easy as this:

  from tastypie.authorization import DjangoAuthorization

and then in your 'Meta' class for each resource, you'd specify the following:

  authorization = DjangoAuthorization()

That's step one. To go further, and limit access to resources per user, so that they can only access the things they should have access to (according to Django permissions), you'd simply use 'apply_authorization_limits' to narrow the query object to what the user should have access to. So, if your default query looks like

  queryset = Resource.objects.all()

You could filter that down in your apply_authorization_limits method to something like this:

  def apply_authorization_limits(self, request, object_list):
    # filter() returns a new queryset rather than mutating object_list,
    # so the narrowed queryset has to be returned to take effect
    return object_list.filter(user=request.user)
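An added illustration of the per-user narrowing described above, not code from the thread or from tastypie. It uses a constructed in-memory stand-in for a Django QuerySet (`FakeQuerySet`, `Note`, `NoteResource` are all hypothetical) to show that `filter()` produces a new queryset and that `apply_authorization_limits` must return it, otherwise nothing is narrowed.

```python
from dataclasses import dataclass
from types import SimpleNamespace

@dataclass(frozen=True)
class Note:
    pk: int
    user: str

class FakeQuerySet:
    """Stand-in for a Django QuerySet: filter() returns a new object."""

    def __init__(self, rows):
        self._rows = tuple(rows)

    def filter(self, **lookups):
        # Like Django, build and return a NEW queryset; self is untouched.
        keep = [r for r in self._rows
                if all(getattr(r, k) == v for k, v in lookups.items())]
        return FakeQuerySet(keep)

    def pks(self):
        return [r.pk for r in self._rows]

# Constructed sample rows owned by two different users.
ALL_NOTES = FakeQuerySet([Note(1, "alice"), Note(2, "bob"), Note(3, "alice")])

class NoteResource:
    """Hypothetical resource shaped like the tastypie one in the comment."""
    queryset = ALL_NOTES

    def apply_authorization_limits(self, request, object_list):
        # Narrow every request to the caller's own rows. The `return` matters:
        # filter() does not mutate object_list, it hands back a new queryset.
        return object_list.filter(user=request.user)

    def apply_authorization_limits_broken(self, request, object_list):
        # Shape of a snippet that forgets the return: the filtered queryset
        # is discarded, the method yields None, and nothing is narrowed.
        object_list.filter(user=request.user)

    def visible_pks(self, user):
        request = SimpleNamespace(user=user)  # stand-in for the HTTP request
        return self.apply_authorization_limits(request, self.queryset).pks()

if __name__ == "__main__":
    print(NoteResource().visible_pks("alice"))  # [1, 3]
```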



