Sending usernames and

passwords in plain text across the wire isn't the best solution?

I know I don't feel safe doing it and I'm sure you don't either.

So let's give our users a safer way of sending most of their requests

by creating a signed token that they can give back to us

to prove they are who they said they are.

So, I think before we start on tokens,

I wanna make sure that I can still get a list of courses.

So let's run the app.

Okay, cool.

And if I come over here, and I do a get on, users won't work.

So we'll do one on courses.

Send that, we get no courses, of course.

Let's try to post one.

Let's dump all of these.

We'll send the new one here, we'll say that title

is Django Basics and we'll say the URL is

https://teamtreehouse.com/library/django-- basics.

Can you tell which things I know the location of the best?

All right so let's try to post that.

And we get back nothing, right?

It didn't actually work.

It didn't go anywhere.

We get back to 200 okay.

Which is kind of funny.

That we get back to 200 okay.

It should not have done anything.

If I was to do a get on this.

I should see nothing.

Okay.

So what if we go ahead and send it through some auth.

So let's do basic auth.

User name is Kenneth Love.

Password is password like we said before and I'll send that.

And now notice I get back actual data, so that's pretty cool.

I don't get this unauthorized thing.

But it didn't let me do anything.

Nothing came through.

For doing tokens you might be expecting that we need to install

another package and all this stuff.

But we actually don't need one.

Flask has a dependency called it's dangerous.

Which does all of the token work for me.

These tokens are actually known as JSON web tokens.

I'm gonna link to a really great breakdown of them in the teacher's notes.

And also of course the docs for it's dangerous.

Before I generate the tokens, though, I want to set up the token auth.

So I'm gonna add all of that into auth.py.

We've gotta add two more imports here.

We're gonna import HTTPTokenAuth, and we're going to import MultiAuth.

So just like with basic Auth, we're gonna do token_auth = HTTPTokenAuth.

And I'm gonna to enter a scheme here that's going to be called token.

Schemes are kind of like domains, areas where a thing is appropriate or applies.

When we're doing this basic off, if you were to look at, sorry not there,

headers you would see this authorization thing here has the basic.

That's the realm or the scheme is basic.

So for us we're going to call it token.

And then we're going to make instead of basic off here,

we're going to do multi off.

And we're going to this is made up of token off and basic off.

Kind of the reverse of the location thing for the APIs multi off looks

at the first thing first so it tries token off first and then it tries basic off.

And if you don't want to use token you can leave this blank and

I do believe it defaults to bearer and then there's others you can set that,

maybe a certain client expects a certain thing, okay.

So when I have both types of off I want to have that all set up.

Now I do you have to tell the token off

how to verify a token just like I had to tell basic off how to verify password.

So let me write that function real quick.

So, token_auth.verify_token,

verify_token, and we're gonna get a token.

So user = models.User.verify_auth_token, and we're gonna pass in the token.

If user is not none, so if we get back a user and

it's not none then g.user= user and we gonna return true.

Otherwise we're gonna return false.

Sorry you probably thought that function was going to be more interesting.

It is actually pretty interesting though we have to go add this verify

off token though to actually make it interesting.

So let's hop over here to our models.py.

And this is where we're gonna create this new method.

So first of all up here.

We have to add from it's dangerous.

And we're gonna import a couple of things here.

We're gonna import TimedJSONWebSignatureSerializer, and

we're going to call that Serializer, because I do not want to type that.

And then we're also going to import BadSignature, and SignatureExpired.

All right, so now inside of class user which this is one of the more

interesting classes I think I've ever built here here at Treehouse,

I'm gonna add another static method down here.

And I'll add it above this one, just so that static method,

set password, and verify password can stay next to each other.

So, static method.

There is no underscore in that, there we go.

And we're going to call this verify_auth_token, and

we're gonna pass in the token.

So, serializer = Serializer, and this is where we need to

do config.SECRET_KEY, cuz remember we got our SECRET_KEY over here.

And so we're going to try, data equals serializer.loadstoken and,

with the exception of, signature.

Expired, bad signature.

We're gonna return none.

Otherwise user is equal to User.get.

User.id is equal to data id.

Cuz data's gonna have a key in it named id.

And we're gonna return that user, and

remember like here we are returning this user, and if we look over here this is

going to get a user so that user ends up being right there.

Otherwise we are returning none, because right here we return none.

That's why we check against none.

So now we actually need to make the token.

So this is pretty straight forward.

Thankfully I'm gonna put this one down here,

because it has to deal with a particular user.

So, we'll say generate_auth_token.

Self, and then when it should expire.

By default I'm gonna set it to 3600 seconds.

So, one hour.

So, this one's a timed one, you can do a non timed one or you can make your

expiration super huge, like it expires in a month or a year or something like that.

So, serializer = Serializer(SECRET_KEY),

which should come from config, and

expires_in is equal to this expires argument.

And we're going to return serializer.dumps, and

we're gonna set the key of id to the id of the user that this being called on.

So this is pretty similar to the verification method,

just the inverse of it.

Or make a serialiser instance with the secret key.

I want the tokens to expire all that and

like I said I'll link to the it's dangerous notes.

So you can see more about these serializers.

Something else to point out is that if you've used the JSON module before this

.loads and this .dump should be pretty similar, it's actually load string and

dump string so, very close to the JSON module.

Okay there's a lot to do and

I still don't have a way to actually give a user her key.

So how we do that?

I'm actually gonna do that over here in app.py.

I could do this on the user resource but I kind of want to do this in here to

show you how to add end points that aren't part of resources, but look like they are.

And also just because it feels kind of odd doing this on the user resource.

All right, so I need to import G and jsonify and then from off import off.

And then, we're gonna to make a new route down here.

So app.route, api/v1/users/token,

methods equals, I'm only gonna allow one method, which is GET.

And then this is also login_required.

And we're gonna get_auth_token and we're gonna

say the token equals g.user.generate off token.

And we're gonna turn jsonify token token.decode as ascii.

Cool.

So we have to generate the token on the user.

And we're gonna send it back as a JSON response.

Hence the JSONify.

We have to decode it into ascii first, just to make it safe to send across.

Of course we want to make this a login required.

Because we have to actually have a user to give the token to.

All right.

So, I should already be logged in from creating this.

So, I should be able to go to GET, and users/token, hit send.

And there's my token.

So that's pretty cool.

And now I can grab this.

I can go over here to authorization, say no off.

Go to headers, change this here to token and paste in my key right there.

And now, I've got my token which is cool.

And my token didn't change,

if you notice my token stayed the same here when I requested that again.

I’m still authenticated.

I'm all set up and I’m ready to do a lot more stuff.

If you give them a token that doesn't timeout,

you could provide them a key when they register their account.

Then they can just send that back every time as their authentication.

This eliminates all of the password submitting,

other than when they sign up for the first time.

But makes your token a little less secure because someone

else could get a valid token and be able to make submissions forever.

Weigh the pros and cons yourself and

pick whatever you think is the better solution for your particular project.