I am trying to implement my own authentication method for AuthKit and am trying to figure out how some of the built-in methods work. In particular, I'm trying to figure out how to update the REMOTE_USER for environ correctly.

This is how it is handled inside of authkit.authenticate.basic but it is pretty confusing. I cannot find anyplace where REMOTE_USER and AUTH_TYPE are defined. Is there something strange going on here and if so, what is it?

    def __call__(self, environ, start_response):
        environ['authkit.users'] = self.users
        result = self.authenticate(environ)
        if isinstance(result, str):
            AUTH_TYPE.update(environ, 'basic')
            REMOTE_USER.update(environ, result)
            return self.application(environ, start_response)

There are actually a number of all uppercase things like this that I cannot find a definition for. For example, where does AUTHORIZATION come from below:

    def authenticate(self, environ):
        authorization = AUTHORIZATION(environ)
        if not authorization:
            return self.build_authentication()
        (authmeth, auth) = authorization.split(' ',1)
        if 'basic' != authmeth.lower():
            return self.build_authentication()
        auth = auth.strip().decode('base64')
        username, password = auth.split(':',1)
        if self.authfunc(environ, username, password):
            return username
        return self.build_authentication()

I feel like maybe I am missing some special syntax handling for the environ dict, but it is possible that there is something else really weird going on here that isn't immediately obvious to someone as new to Python as myself.
Looking at that source I see it has an (evil)

    from paste.httpheaders import *

that is one way otherwise-mysterious barenames could suddenly appear in the code (which is exactly why this idiom is a very, very bad practice). I can't be sure that's how those identifiers suddenly and inexplicably materialize, but it's a possibility.
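
To show what such star-imported names can be, here is an added example (not AuthKit's or Paste's code, and not from either poster): a Python 3 sketch of a custom Basic-auth middleware that sets REMOTE_USER and AUTH_TYPE through module-level helper objects. `EnvironVariable` is a stand-in modeled on how `paste.httpheaders` is assumed to define these names; `BasicAuth` and its `users` dict are hypothetical.

```python
import base64
import hmac

class EnvironVariable(str):
    """Stand-in (assumption): a str naming an environ key, callable to read it."""

    def __call__(self, environ):
        return environ.get(self, '')

    def update(self, environ, value):
        environ[self] = value

# Module-level instances: these are what a star import drags into scope.
REMOTE_USER = EnvironVariable('REMOTE_USER')
AUTH_TYPE = EnvironVariable('AUTH_TYPE')
AUTHORIZATION = EnvironVariable('HTTP_AUTHORIZATION')  # WSGI key for the header

class BasicAuth:
    """Hypothetical custom middleware; `users` maps username -> password."""

    def __init__(self, application, users):
        self.application = application
        self.users = users

    def authenticate(self, environ):
        """Return the username on success, None on any failure."""
        scheme, _, payload = AUTHORIZATION(environ).partition(' ')
        if scheme.lower() != 'basic':
            return None
        try:
            decoded = base64.b64decode(payload.strip(), validate=True).decode('utf-8')
        except ValueError:  # bad base64 or bad UTF-8: reject, do not raise a 500
            return None
        username, sep, password = decoded.partition(':')
        expected = self.users.get(username)
        if not sep or expected is None:
            return None
        ok = hmac.compare_digest(password.encode(), expected.encode())
        return username if ok else None

    def __call__(self, environ, start_response):
        username = self.authenticate(environ)
        if username is None:
            start_response('401 Unauthorized',
                           [('WWW-Authenticate', 'Basic realm="demo"')])
            return [b'']
        AUTH_TYPE.update(environ, 'basic')
        REMOTE_USER.update(environ, username)
        return self.application(environ, start_response)
```

Importing the three names explicitly (for example `from paste.httpheaders import REMOTE_USER, AUTH_TYPE, AUTHORIZATION`) instead of with `*` keeps their origin visible to the next reader.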