From tkadm30 at yandex.com  Mon Oct 10 10:30:27 2016
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Mon, 10 Oct 2016 10:30:27 -0400
Subject: [Web-SIG] How to make REMOTE_USER variable private across WSGI middlewares?
Message-ID: <4871a061-a29f-f570-3c3e-ae7f06ddef43@yandex.com>

Hi,

I'm attempting to develop an OAuth 2.0 authentication middleware which
sets REMOTE_USER variable into the WSGI environ object, however I'm
unable to make this variable unique for the logged user.

Is it recommended to use threading.local or gevent to make the WSGI
environment persisting on a per-request basis?

What other options can you advise to make private request data not
accessible in WSGI?

Thanks in advance,

Etienne

-- 
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/


From tkadm30 at yandex.com  Tue Oct 11 18:47:32 2016
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Tue, 11 Oct 2016 18:47:32 -0400
Subject: [Web-SIG] How to make REMOTE_USER variable private across WSGI middlewares?
In-Reply-To: <4871a061-a29f-f570-3c3e-ae7f06ddef43@yandex.com>
References: <4871a061-a29f-f570-3c3e-ae7f06ddef43@yandex.com>
Message-ID:

Here's the source code:
https://bitbucket.org/tkadm30/django-hotsauce/src/6a862e22e045cb10a84f3b08e4c237ed592ecec7/lib/notmm/controllers/wsgi.pyx

A live demo is here: http://www.isotopesoftware.ca/

The problem is in the init_request method.

The current implementation uses threading.local.

I have no idea how to make the WSGI environ object a thread-local in
case the remote user has been logged in.

Any input would be greatly appreciated.

Regards,

Etienne

On 2016-10-10 at 10:30, Etienne Robillard wrote:
> Hi,
>
> I'm attempting to develop an OAuth 2.0 authentication middleware which
> sets REMOTE_USER variable into the WSGI environ object, however I'm
> unable to make this variable unique for the logged user.
>
> Is it recommended to use threading.local or gevent to make the WSGI
> environment persisting on a per-request basis?
>
> What other options can you advise to make private request data not
> accessible in WSGI?
>
> Thanks in advance,
>
> Etienne
>

-- 
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/


From randy at thesyrings.us  Tue Oct 11 19:44:56 2016
From: randy at thesyrings.us (Randy Syring)
Date: Tue, 11 Oct 2016 19:44:56 -0400
Subject: [Web-SIG] How to make REMOTE_USER variable private across WSGI middlewares?
In-Reply-To:
References: <4871a061-a29f-f570-3c3e-ae7f06ddef43@yandex.com>
Message-ID:

I think this is not the best mailing list to ask a question like this.
You are probably better served to ask on Stack Overflow or some other
place with more activity.

For what it's worth, I also think you might misunderstand how WSGI
works. I believe the environment object is supposed to exist in a
request context. I'm assuming you only need one user per request, so
simply filling in the value of REMOTE_USER seems to me like it should
work. However, I haven't looked at your code or thought long about
the problem, it's just an off-handed observation based on your
description below.

*Randy Syring*
Husband | Father | Redeemed Sinner

/"For what does it profit a man to gain the whole world
and forfeit his soul?" (Mark 8:36 ESV)/

On 10/11/2016 06:47 PM, Etienne Robillard wrote:
> Here's the source code:
> https://bitbucket.org/tkadm30/django-hotsauce/src/6a862e22e045cb10a84f3b08e4c237ed592ecec7/lib/notmm/controllers/wsgi.pyx
>
> A live demo is here: http://www.isotopesoftware.ca/
>
> The problem is in the init_request method.
>
> The current implementation uses threading.local.
>
> I have no idea how to make the WSGI environ object a thread-local in
> case the remote user has been logged in.
>
>
> Any input would be greatly appreciated.
>
> Regards,
>
> Etienne
>
>
> On 2016-10-10 at 10:30, Etienne Robillard wrote:
>> Hi,
>>
>> I'm attempting to develop an OAuth 2.0 authentication middleware which
>> sets REMOTE_USER variable into the WSGI environ object, however I'm
>> unable to make this variable unique for the logged user.
>>
>> Is it recommended to use threading.local or gevent to make the WSGI
>> environment persisting on a per-request basis?
>>
>> What other options can you advise to make private request data not
>> accessible in WSGI?
>>
>> Thanks in advance,
>>
>> Etienne
>>
>>
>


From tkadm30 at yandex.com  Wed Oct 12 05:42:15 2016
From: tkadm30 at yandex.com (Etienne Robillard)
Date: Wed, 12 Oct 2016 05:42:15 -0400
Subject: [Web-SIG] How to make REMOTE_USER variable private across WSGI middlewares?
In-Reply-To:
References: <4871a061-a29f-f570-3c3e-ae7f06ddef43@yandex.com>
Message-ID:

Hi Randy,

Thanks for your comment.

On 2016-10-11 at 19:44, Randy Syring wrote:
>
> For what it's worth, I also think you might misunderstand how WSGI
> works. I believe the environment object is supposed to exist in a
> request context. I'm assuming you only need one user per request, so
> simply filling in the value of REMOTE_USER seems to me like it should
> work. However, I haven't looked at your code or thought long about
> the problem, it's just an off-handed observation based on your
> description below.
>

I believe the OAuth2 middleware and client is functioning correctly and
is setting the REMOTE_USER value as expected. But I guess the problem is
because I recreate a new WebOb request object before returning a WSGI
response.

Also, I need to update the WSGI environment for each request in order to
preserve the value of REMOTE_USER. However, I don't know if it's logical
to recreate a WSGI request every time. Perhaps the solution would be to
use a global request object...

Regards,

Etienne

-- 
Etienne Robillard
tkadm30 at yandex.com
http://www.isotopesoftware.ca/
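

Added example (not part of the thread and not code from django-hotsauce): a minimal middleware showing that a WSGI server builds a fresh environ dict for every request, so a REMOTE_USER written there stays with that request without threading.local or a global request object. The token table and the names RemoteUserMiddleware, whoami, call and run_concurrently are hypothetical, and the dictionary lookup stands in for real OAuth 2.0 token validation.

```python
import threading
from wsgiref.util import setup_testing_defaults

# Constructed sample data: stands in for real OAuth 2.0 token validation.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

class RemoteUserMiddleware:
    """Hypothetical middleware: identity lives only in the per-request environ."""
    def __init__(self, app, tokens):
        self.app = app
        self.tokens = tokens  # read-only config; no per-user state on self

    def __call__(self, environ, start_response):
        # This middleware is the only identity source in this example, so
        # drop any REMOTE_USER that was set before it ran.
        environ.pop("REMOTE_USER", None)
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() == "bearer" and token in self.tokens:
            environ["REMOTE_USER"] = self.tokens[token]
        return self.app(environ, start_response)

def whoami(environ, start_response):
    """Downstream app: reads the user from its own request's environ."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "anonymous").encode()]

app = RemoteUserMiddleware(whoami, TOKENS)

def call(app, token=None, preset_user=None):
    """Build a fresh environ, as a WSGI server does for every request."""
    environ = {}
    setup_testing_defaults(environ)
    if token:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    if preset_user:
        environ["REMOTE_USER"] = preset_user
    return b"".join(app(environ, lambda status, headers: None)).decode()

def run_concurrently(app, tokens, rounds=200):
    """Hit the app from one thread per token; return distinct (token, user) pairs."""
    seen = []
    def worker(tok):
        for _ in range(rounds):
            seen.append((tok, call(app, tok)))
    threads = [threading.Thread(target=worker, args=(t,)) for t in tokens]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return set(seen)
```

Storing the user on the middleware instance or in a module-level variable instead of environ is what would let one request observe another request's identity.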