{ "info": { "author": "Christian Hess", "author_email": "christianhess.rlz@gmail.com", "bugtrack_url": null, "classifiers": [ "Programming Language :: Python", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3.5" ], "description": "# Shuup API Permissions\n\nShuup module that adds more control over REST API access using JWT.\n\nBy using this module, all API requests should have a valid JWT, even when user is anonymous. The unique exception is the endpoint to acquire the JWT.\n\nThis way, only users which know the API key and secret can submit requests.\n\nEach API key can have permissions configured for anonymous users and also for group of users (known as Permission Groups in Shuup) separately.\n\n## Installation\n\n`pip install shuup-api-permission`\n\n## Configuration\n\nIn Django settings:\n\n1. Add `shuup_api_permission` to `INSTALLED_APPS`.\n2. Add `shuup_api_permission.middleware.ShuupAPIPermissionMiddleware` to `MIDDLEWARE_CLASSES`, the order doesn't matter.\n3. Change `DEFAULT_AUTHENTICATION_CLASSES` to contain only `shuup_api_permission.authentication.APITokenAuthentication`. You can add other authentication classes if you prefer.\n4. Change to `DEFAULT_PERMISSION_CLASSES` to:\n```py\n'DEFAULT_PERMISSION_CLASSES': (\n 'shuup_api_permission.permissions.APIAccessPermission',\n 'shuup_api_permission.permissions.APIScopePermission'\n)\n```\n5. Add a custom JWT payload handler in `JWT_AUTH`:\n```py\nJWT_AUTH = {\n 'JWT_PAYLOAD_HANDLER': 'shuup_api_permission.utils.jwt_payload_handler'\n }\n```\n\nDone.\n\n# Using\n\n### Creating API keys\n\nAfter the configuration, you can create API keys to access Shuup APIs.\n\nEnter in Shuup admin and go to menu **Settings** > **API Access** (in Other settings sub-menu).\n\nCreate a new API Access. Give a name like *Mobile App*. Here you can configure the permissions for anoymous users for each API endpoint and action:\n\n![Creating API Access](docs/admin1.jpg)\n\nIn *Basic details* section, you can set whether the API Key is active or not. After disabling, the API key will no longer work, it means, all requests using that key will raise error.\n\nYou can also add permissions for user groups in **API permission groups** option. You should first create the permission scheme for a set of user groups. You can select existing ones or create a brand new right on the field \"**+**\" widget button. To manage these schemes, you can always access the menu **Settings** > **API Permissions**.\n\nThe basic information for this scheme (aka API Permission Group) is a name to identify the scheme, the list of user groups that will receive the permissions and, of course, the permissions set:\n\n![Creating API Permission Group](docs/admin2.jpg)\n\n![Creating API Permission Group](docs/admin3.jpg)\n\nAll authenticated users within those groups will have access to those permissions.\n\n### Making requests\n\nAfter created an API key with permissions set, it is time to use it.\n\nFirst of all, create a request to obtain a JWT, the default endpoint is `/api/auth/` (considering your API url prefix is `api`. You can change this url (take a look at our [settings](shuup_api_permission/settings.py)).\n\nFor anonymous users:\n```\nPOST /api/auth/ api_key=MY_KEY api_secret=MY_SECRET\n```\n\nFor authenticated users:\n```\nPOST /api/auth/ api_key=MY_KEY api_secret=MY_SECRET username=myuser password=qwerty\n```\n\nThe response will contain a JWT that should be used in all subsequent API requests in the *Authorization* header.\n\n```\nGET /api/shuup/attributes/ Authorization:\"JWT my-token-goes-here\"\n```\n\n# Knwon Issues\n- After changing permissions of an API Key, be anonymous permission or not, they won't be take effect for those users which acquired tokens before the change. It is a design decision. It is fastest to keep the user permissions inside the JWT that fetching them each time user makes a request. Thus, a token refresh solves the issue as the new token will have all the updated permission. So be careful when configuring the permissions and setting a good token refresh rate.\n\n# TODOs\n\n- [ ] Limit API keys by shop - keys can only be used for specific shops.\n- [ ] Invalidate tokens with outdated permissions to prevent security flaws.\n\n# License\n\nMIT\n", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/chessbr/shuup-api-permission", "keywords": "", "license": "MIT", "maintainer": "", "maintainer_email": "", "name": "shuup-api-permission", "package_url": "https://pypi.org/project/shuup-api-permission/", "platform": "", "project_url": "https://pypi.org/project/shuup-api-permission/", "project_urls": { "Homepage": "https://github.com/chessbr/shuup-api-permission" }, "release_url": "https://pypi.org/project/shuup-api-permission/0.1.3/", "requires_dist": null, "requires_python": "", "summary": "Shuup API Permission", "version": "0.1.3" }, "last_serial": 3628378, "releases": { "0.1.1": [ { "comment_text": "", "digests": { "md5": "f703b7ad10fd41580bd383055ce8036a", "sha256": "c99ffe844602d2abf08a9d2855a55ec445c4fdf171e9ce82b64053aef22da90e" }, "downloads": -1, "filename": "shuup-api-permission-0.1.1.tar.gz", "has_sig": false, "md5_digest": "f703b7ad10fd41580bd383055ce8036a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16550, "upload_time": "2018-01-13T19:31:09", "url": "https://files.pythonhosted.org/packages/88/17/a8222abb23446d25197c71447b57440fa656721047ed9e71ceba5c4beb50/shuup-api-permission-0.1.1.tar.gz" } ], "0.1.2": [ { "comment_text": "", "digests": { "md5": "658e9b75d8b1b4c955369f50feca3bff", "sha256": "3e57ea20af23f91406cc8b6b61e7123fffc8b80cc658aabd813077c1532ce5b5" }, "downloads": -1, "filename": "shuup-api-permission-0.1.2.tar.gz", "has_sig": false, "md5_digest": "658e9b75d8b1b4c955369f50feca3bff", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17975, "upload_time": "2018-03-01T11:58:15", "url": "https://files.pythonhosted.org/packages/de/60/cef47f59183b591bb647084d918dfc658bc6d28489db6190d1850cb28657/shuup-api-permission-0.1.2.tar.gz" } ], "0.1.3": [ { "comment_text": "", "digests": { "md5": "618a3da043eb42251d89dc4d7b07cd83", "sha256": "1a0128e2659a93838d159bfdcb339e43d761dff008f80ccb544126986a8a68af" }, "downloads": -1, "filename": "shuup-api-permission-0.1.3.tar.gz", "has_sig": false, "md5_digest": "618a3da043eb42251d89dc4d7b07cd83", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17976, "upload_time": "2018-03-01T12:11:47", "url": "https://files.pythonhosted.org/packages/9a/14/c1b978d2745c36d528be5657736640f8c7f3e3ef360fa9c3e80238a16f22/shuup-api-permission-0.1.3.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "618a3da043eb42251d89dc4d7b07cd83", "sha256": "1a0128e2659a93838d159bfdcb339e43d761dff008f80ccb544126986a8a68af" }, "downloads": -1, "filename": "shuup-api-permission-0.1.3.tar.gz", "has_sig": false, "md5_digest": "618a3da043eb42251d89dc4d7b07cd83", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17976, "upload_time": "2018-03-01T12:11:47", "url": "https://files.pythonhosted.org/packages/9a/14/c1b978d2745c36d528be5657736640f8c7f3e3ef360fa9c3e80238a16f22/shuup-api-permission-0.1.3.tar.gz" } ] }