Derek Stegelman

Who's in my Data?

As a part of our projects at OME we like to develop APIs and keep access to our public data as easy as possible. Recently we've wanted to open up some of our APIs to allow others to add and modify that data. From the start we picked up django-piston to roll our APIs and have had great success. As we desire to open up that data and allow create/update/delete access, we needed an authentication solution.

Authentication

Django-Piston comes with HTTP authentication out of the box, but we wanted a bit more control in terms of keeping track of API usage. Instead of using this authentication method, we created a Django app that we can use to issue API keys and keep track of their usage. While still in its infancy, this tool will be used to manage and authenticate users to our APIs.

Installation

We've compiled the app as a pip installable app, so to install simply:

pip install git+git://github.com/kstateome/api-management.git

Usage

Method Helpers

key_exists(dictionary) - Checks for a key. Returns True if the key exists or False if not.

dictionary is {'key': key}

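key_check(dictionary) - Makes sure the key is correct. Returns True if the key is valid.

Example

    from piston.utils import rc
    # key_exists, key_check, log_use and the error helpers come from the api-management app.

    # Inside a django-piston handler; the method signature is assumed.
    def update(self, request, audience_id):
        attrs = self.flatten_dict(request.PUT)
        keydict = {'key': request.GET.get('key')}
        # Reject requests that did not supply a key at all.
        if not key_exists(keydict):
            return key_required_error()
        # Only a valid key may modify the record.
        if key_check(keydict):
            try:
                audience = Audience.objects.active().get(pk=audience_id)
            except Audience.DoesNotExist:
                return rc.NOT_FOUND
            audience.name = attrs['name']
            audience.save()
            # Record which key changed which object.
            log_use(request.GET.get('key'), 'Audience', audience.id, 'updated')
            return audience
        else:
            return key_incorrect_error()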

Logging Helper

log_use(key, object being manipulated as string, id of object, action as string)

Example

log_use(request.GET.get('key'), 'Audience', audience.id, 'updated')

Error Reporting

key_required_error()

  • Error returned when an API key is required.

key_incorrect_error()

  • Error returned when the API key is incorrect.
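
The helper flow described above, as a framework-free sketch added here (it is not the api-management source): `key_exists`, `key_check` and `log_use` are stand-ins that only mirror the signatures on this page, while `issue_key`, `require_key`, the in-memory stores and the 401/403 responses are assumptions. It stores digests instead of raw keys and moves the missing/incorrect-key branches into a decorator so each handler does not repeat them.

```python
import hashlib
import hmac
import secrets
from functools import wraps

# Constructed in-memory stand-ins for the app's key table and usage log.
KEY_DIGESTS = set()   # SHA-256 digests of issued keys; raw keys are never stored
USAGE_LOG = []        # (key fingerprint, object name, object id, action)

def _digest(key):
    return hashlib.sha256(str(key).encode()).hexdigest()

def issue_key():
    """Create a random key, keep only its digest, return the key once."""
    key = secrets.token_urlsafe(32)
    KEY_DIGESTS.add(_digest(key))
    return key

def key_exists(dictionary):
    """True if the request supplied a non-empty key at all."""
    return bool(dictionary.get('key'))

def key_check(dictionary):
    """True if the supplied key matches an issued one (constant-time compare)."""
    supplied = _digest(dictionary['key'])
    return any([hmac.compare_digest(supplied, d) for d in KEY_DIGESTS])

def log_use(key, obj, obj_id, action):
    """Record the action under a digest prefix so the log never holds the key."""
    USAGE_LOG.append((_digest(key)[:12], obj, obj_id, action))

def require_key(obj, action):
    """Run the key checks before the handler and log only successful calls."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(params, *args, **kwargs):
            keydict = {'key': params.get('key')}
            if not key_exists(keydict):
                return {'status': 401, 'error': 'API key required'}   # assumed response
            if not key_check(keydict):
                return {'status': 403, 'error': 'API key incorrect'}  # assumed response
            result = handler(params, *args, **kwargs)
            log_use(keydict['key'], obj, result['id'], action)
            return result
        return wrapper
    return decorator

@require_key('Audience', 'updated')
def update_audience(params, audience_id):  # hypothetical handler
    return {'id': audience_id, 'name': params['name']}
```
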

CSRF Protection

Django comes with built-in CSRF protection for all POST requests. Because of this, POST requests that do not contain a valid CSRF token are rejected by default. To bypass this, API-Management has a helper to use instead of the default django-piston Resource. Handlers wrapped this way skip the CSRF check entirely, so they should rely on the API key, not a browser session cookie, for authentication.

Method

CsrfExemptResource(Resource)

Example

CsrfExemptResource(ScholarshipsHandler)

Documentation

I haven't gotten the docs fully written yet but there is some info along with the repo at https://github.com/kstateome/api-management. I will be working on the docs and getting them up as soon as possible. Any suggestions or contributions on our github page are more than welcome.