This is a simple foundation for building API's using Eve with authentication.
Refer to the setup.sh
here for basic instructions for setting up mongo (as the backend for the API) and redis (to allow rate-limiting on the API). This script may not be complete and may not work for you (I primarily intend this as a guideline to memorialize some of the tips and tricks I learned while setting up an API).
A similar template without authentication can be found here: https://github.com/agenoria/eve-rest-api-template.
This example has two branches: people
and user
. By default, both branches accept GET
and POST
requests (this is defined by the line that reads: RESOURCE_METHODS = ['GET', 'POST']
in settings.py).
In terms of authentication, the request and methods are handled as follows:
Resource | Method | Authentication? |
---|---|---|
people | GET | No† |
people | POST | No† |
user | GET | Yes (from database)* |
user | POST | Yes (hardcoded)** |
† - Both GET
and POST
requests are allowed to the people
branch by line 30 settings.py.
* - GET
requests to the user
branch are authenticated against the database as defined in run.py.
** - POST
requests to the user
branch are authenticated against a hardcoded username and password as defined in run.py. This should go without saying, but putting hardcoded usernames and passwords in API authentication systems is a very bad idea. Don't do it!
Once you have the API up and running, here are some helpful queries:
GET:
curl http://127.0.0.1:5000/people
(no authentication required)
curl http://127.0.0.1:5000/user
(requires authentication)
POST:
curl -d '[{"name": "Alvaro"}]' -H 'Content-Type: application/json' http://127.0.0.1:5000/people
(no authentication required b/c POST method is one of the public methods for this branch)
curl -d '[{"username": "Alvaro", "password": "123456"}]' -u <USERNAME>:<PASSWORD> -H 'Content-Type: application/json' http://127.0.0.1:5000/user
(requires authentication by default b/c anytime we are using a class to manage authentication, all POST requests must have authentication unless declared otherwise)