5

I have a Dancer web application that is part web-site and part web-service; certain routes on my application should have auth on them.

All the auth solutions I've found for a Dancer web app require the redirection to a login page; while this is okay for interactive use, this isn't optimal for a restful web service.

Is there an auth solution that would allow for something like api keys?

Blaskovicz
  • I don't know much about api keys so unfortunately can't help you there. The authentication approach outlined in Dancer::Cookbook provides a simple REST-like web service for authentication and storing authentication details in the Dancer session. I have been successfully using a strategy like this with my REST based client / server app. A key thing to be aware of is that your clients must be able to hold onto session cookies and provide these back in the request header after authenticating. Let me know if you would like more details. – Ross Attrill Mar 13 '13 at 22:13
  • I thought that using a session / cookies violated the principles of REST... – Blaskovicz Mar 18 '13 at 03:06
  • I guess it depends on how you see the principles of REST. One principle is to create stateless services and yes - using sessions violates this. However, if you see a REST principle as making pragmatic use of established internet technologies then sessions and cookies make more sense. A similar approach suggested to me by a colleague is to pass username and password hash in the request header. You could then handle that header information in a before trigger using Dancer. This is a stateless approach that doesn't rely on cookies - but may complicate testing of authenticated services. – Ross Attrill Mar 19 '13 at 22:55

1 Answer

2

You should have a look at Dancer::Plugin::Auth::Extensible to build this. The most simple way is to send credentials in each request. On the client, you'd be calling your REST service like this:

$ua->post('http://example.com/rest/getStuff?cred=foobar1234567', $search_criteria);

If you do it like this, you could provide a cookie, but you do not have to, and the customer would not necessarily need to care about the cookie.

Edit: If you want Basic Authentication, take a look at Plack::Builder. You can use it to add the auth to certain requests.

simbabque
  • I spoke with the author about that module; it tries to redirect to /login form with all requests (which won't work easily with restful web services). – Blaskovicz Mar 18 '13 at 02:57
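
The per-request credential check discussed in this thread, written as a Dancer 1.x `before` hook that answers 401 instead of redirecting to a login page. This is an added example, not code from the question, the answer or Dancer::Plugin::Auth::Extensible; the `X-API-Key` header name, the `example-client` label and the `/rest/` prefix are assumptions, and the key value is the sample from the answer.

```perl
#!/usr/bin/env perl
# Added example: API-key check for the REST routes of a Dancer 1.x app.
use strict;
use warnings;
use Dancer;
use Digest::SHA qw(sha256_hex);

# Constructed sample data. The lookup table holds only SHA-256 digests;
# in a real deployment store the digests, never the plaintext keys.
my %client_for_digest = (
    sha256_hex('foobar1234567') => 'example-client',    # hypothetical client
);

hook before => sub {
    # Only the web-service routes need a key; the web-site part is untouched.
    return unless request->path_info =~ m{^/rest/};

    # Prefer a request header (assumed name: X-API-Key) and fall back to the
    # "cred" parameter. Keys in query strings are recorded in access logs and
    # by intermediaries, so the header is the safer transport. Serve over HTTPS.
    my $key = request->header('X-API-Key') // params->{cred};

    # Hash the presented key and look the digest up; an unknown or missing
    # key yields no client.
    my $client = defined $key ? $client_for_digest{ sha256_hex($key) } : undef;

    unless ($client) {
        status 401;
        content_type 'text/plain';
        # halt ends processing here, so the route handler never runs and
        # no redirect to a login form is issued.
        return halt("missing or invalid API key\n");
    }

    var api_client => $client;    # visible to route handlers via vars
};

post '/rest/getStuff' => sub {
    return 'stuff for ' . vars->{api_client} . "\n";
};

get '/' => sub { "public page, no key required\n" };

dance;
```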