如何使用repoze.who (和bottle.py)处理注销？

Question

我正在尝试让bottle.py与repoze.who一起工作，到目前为止，我使用我找到的各种示例的组合，成功地编写了以下非常简单的程序来使其工作。显然，这不是我在生产环境中运行的东西，我只是试图编写最简单的代码，这样我就可以学习如何使用它-但不幸的是，在repoze.who中使用bottle.py的教程非常少。

下面的示例工作正常，允许用户使用用户名/密码admin/admin登录。我应该如何处理repoze.who才能使logout()函数工作呢？我猜想有一个忘记函数可能就是为了这个目的，但是我不知道该如何调用它。

谢谢。

from bottle import route, run, app, get, abort, request

from StringIO import StringIO
import repoze
from repoze.who.middleware import PluggableAuthenticationMiddleware
from repoze.who.interfaces import IIdentifier
from repoze.who.interfaces import IChallenger
from repoze.who.plugins.basicauth import BasicAuthPlugin
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.cookie import InsecureCookiePlugin
from repoze.who.plugins.form import FormPlugin
from repoze.who.plugins.htpasswd import HTPasswdPlugin
from repoze.who.classifiers import default_request_classifier
from repoze.who.classifiers import default_challenge_decider    

import logging, sys
import pprint

@route('/')
def root():
    if request.environ.get('repoze.who.identity') is None:
        abort(401, "Not authenticated")
    return "Authenticated"


@route('/hello')
def index():
    identity = request.environ.get('repoze.who.identity')
    if identity == None:
        abort(401, "Not authenticated")

    user = identity.get('repoze.who.userid')
    return '<b>Hello %s!</b>' % user

@route('/logout')
def logout():
    # I have no idea what to put here
    pass

io = StringIO()
salt = 'aa'

for name, password in [ ('admin', 'admin'), ('paul', 'paul') ]:
    io.write('%s:%s\n' % (name, password))
io.seek(0)

def cleartext_check(password, hashed):
    return password == hashed

htpasswd = HTPasswdPlugin(io, cleartext_check)
basicauth = BasicAuthPlugin('repoze.who')
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
form = FormPlugin('__do_login', rememberer_name='auth_tkt')
form.classifications = { IIdentifier:['browser'],
                         IChallenger:['browser'] }
identifiers = [('form', form),('auth_tkt',auth_tkt),('basicauth',basicauth)]
authenticators = [('htpasswd', htpasswd)]
challengers = [('form',form), ('basicauth',basicauth)]
mdproviders = []


log_stream = None
import os
if os.environ.get('WHO_LOG'):
    log_stream = sys.stdout

middleware = PluggableAuthenticationMiddleware(
    app(),
    identifiers,
    authenticators,
    challengers,
    mdproviders,
    default_request_classifier,
    default_challenge_decider,

    log_stream = log_stream,
    log_level = logging.DEBUG
    )

if __name__ == '__main__':
    run(app=middleware, host='0.0.0.0', port=8080, reloader=True)
else:
    application = middleware

run(host='0.0.0.0', port=8080)

Answer 1

如果可以，我会使用RedirectingFormPlugin而不是FormPlugin。RedirectingFormPlugin允许您注册注销网址。有了它，您就不必像RedirectingFormPlugin那样实现/logout处理程序了，它会为您截获请求并处理调用、忘记等等。我已经将它与Bobo和appengine一起使用，它工作得很好。

Answer 2

如果你仍然想在旧的repoze.who v1中使用不受欢迎的方法，下面的方法对我很有效：

from bottle import response # , redirect
# ...
@route('/logout')
def logout():
    identity = request.environ.get('repoze.who.identity')
    if identity:
        for (i_name, i) in identifiers:
            hdrs = i.forget(request.environ, identity)
            [ response.add_header(*h) for h in hdrs ]
    ## following would be nice, but does not work,
    ## since redirect is not using defined response headers
    # rfr = request.get_header('referer', '/')
    # redirect(rfr)
    ## so we do just this:
    return "you have been hopefully logged out"