current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Code Review Stack Exchange is a question and answer site for peer programmer code reviews. It's 100% free, no registration required.
up vote 5 down vote favorite

I am trying to implement a custom ApiClient in Python, using requests. The way it does authentication is by:

  1. login(username, password) -> get back a token if valid, http error code if not

  2. set the token in {'Authorization': token} header and use that header for all endpoints which need authentication

Can you check if the code looks OK, and if not what kind of changes would you recommend?

#!/usr/bin/env python

import requests
import json
import os
import sys


def read_file_contents(path):
    if os.path.exists(path):
        with open(path) as infile:
            return infile.read().strip()


class ApiClient():
    token = None
    api_url = 'http://10.0.1.194:1234'
    session = requests.Session()

    def __init__(self):
        self.token = self.load_token()

        if self.token:
            self.session.headers.update({'Authorization': self.token})
        else:
            # if no token, do login
            if not self.token:
                try:
                    self.login()
                except requests.HTTPError:
                    sys.exit('Username-password invalid')

    def load_token(self):
        return read_file_contents('token')

    def save_token(self, str):
        with open('token', 'w') as outfile:
            outfile.write(str)

    def login(self):
        email = '[email protected]'
        password = 'passwd'

        headers = {'content-type': 'application/json'}
        payload = {
            'email': email,
            'password': password
        }
        r = requests.post(self.api_url + '/auth',
                          data=json.dumps(payload),
                          headers=headers)

        # raise exception if cannot login
        r.raise_for_status()

        # save token and update session
        self.token = r.json()['session']['token']
        self.save_token(self.token)
        self.session.headers.update({'Authorization': self.token})

    def test_auth(self):
        r = self.session.get(self.api_url + '/auth/is-authenticated')
        return r.ok


if __name__ == '__main__':
    api = ApiClient()
    print api.test_auth()
share|improve this question
    
the email-password will obviously not be hard coded –  zsero Apr 8 at 16:39

1 Answer 1

up vote 3 down vote accepted

I don't have time to do a thorough review, but here are some comments based on a casual reading.

  • In read_file_contents, the function returns None if the file doesn’t exist. I’d suggest modifying this to print or return an explicit message to that effect, to make debugging easier later. For example, something like:

    def read_file_contents(path):
    try:
        with open(path) as infile:
            return infile.read().strip()
    except FileNotFoundError:
        print "Couldn't find the token file!"
        return None

    will make your life easier later.

    Also, is this meant to be open(path, 'r')?

  • New-style classes should inherit from object: that is, use

    class ApiClient(object):

    instead of 

    class ApiClient():

  • Don't copy and paste the API URL throughout your code. Make it a variable, and then pass api_url as an input to ApiClient(). That way, you can reuse this code for other APIs, or make changes to the URL in a single place. (If, for example, the API changes.)

  • Don't hard code username, email and password in the login function. It makes it harder to change them later, and it's a security risk. Consider using something like the keyring module for storing sensitive information. (Should the token be stored securely as well?)

  • The __init__ function uses the token, and also retrieves it from the file. This can cause problems if you later get the token from somewhere else. (For example, if you used keyring.) Instead, consider passing token as an argument to __init__, and having the code to obtain the token somewhere else. Something like:

    def __init__(self, api_url, token=None):
    self.api_url = api_url
    self.token = token

    if self.token is not None:
        # if you get a token
    else:
        # if you don't

    and then later:

    if __name__ == '__main__':
    api_token = read_file_contents('token')
    api_url = 'http://10.0.1.194:1234'
    api = ApiClient(api_token, api_url)
    print api.test_auth()
share|improve this answer
1  
Even better than returning None if the file is unreadable, just let the exception propagate, and catch it in __init__(). –  200_success Apr 8 at 16:49
1  
open() mode is 'r' by default. –  200_success Apr 8 at 16:50
1  
@200_success While that is true, it could be argued that this qualifies as "explicit is better than implicit". –  ebarr Apr 8 at 21:51
    
Thanks a lot, I've implemented the changes –  zsero Apr 9 at 10:23

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.