
Creating Web service for login in python with tornado

I want to learn how Tornado works (I am a beginner with Python and Tornado) for providing a service to a login page. I have an HTML page which sends parameters as {"data":{"Email":"adsf","Password":"asdf","Type":3}} but I don't know how to get the parameters in Tornado.

My login.py:

import motor
import tornado.ioloop
import tornado.web
import http
from pprint import pprint

client = motor.MotorClient('localhost', 27017)
db = client.yc


class LoginHandler(tornado.web.RequestHandler):
    def get(self):
        # check_basic_auth() and do_stuff() are placeholders that are not
        # defined in this post.
        self.check_basic_auth()
        do_stuff()

    def post(self):
        print("test")

    def options(self):
        # CORS preflight response
        print("option")
        self._headers['Access-Control-Allow-Origin'] = '*'
        self._headers['Access-Control-Allow-Headers'] = 'Content-Type'
        # Dump the handler's attributes for debugging
        pprint(vars(self))


if __name__ == "__main__":
    application = tornado.web.Application([
        (r"/user", LoginHandler)
    ], db=db)
    application.listen(5000)
    tornado.ioloop.IOLoop.current().start()

Please guide me on how to get the parameters and verify them against the values in my MongoDB.

Thanks in advance.

I am just a beginner.

Please read Tornado's authentication and security guide thoroughly. I've adapted this from Tornado's guide to look up the user record in MongoDB:

import motor
import tornado.escape
import tornado.ioloop
import tornado.web
from tornado import gen

# Same MongoDB connection as in the question
client = motor.MotorClient('localhost', 27017)
db = client.yc


class BaseHandler(tornado.web.RequestHandler):
    def get_current_user(self):
        # Returns None unless the signed "user" cookie is present and valid
        return self.get_secure_cookie("user")

class MainHandler(BaseHandler):
    def get(self):
        if not self.current_user:
            self.redirect("/login")
            return
        name = tornado.escape.xhtml_escape(self.current_user)
        self.write("Hello, " + name)

class LoginHandler(BaseHandler):
    def get(self):
        self.write('<html><body><form action="/login" method="post">'
                   'Name: <input type="text" name="name">'
                   'Password: <input type="password" name="password">'
                   '<input type="submit" value="Sign in">'
                   '</form></body></html>')

    @gen.coroutine
    def post(self):
        # TODO: salt and hash the password before storing in the DB, then salt
        # and hash the user's input password before comparing.
        username = self.get_argument("name")
        password = self.get_argument("password")
        doc = yield db.accounts.find_one({"name": username,
                                          "password": password})
        if doc:
            self.set_secure_cookie("user", username)
            self.redirect("/")
        else:
            # No such user or wrong password.
            self.redirect("/login")


if __name__ == "__main__":
    # cookie_secret signs the "user" cookie; the value below is a placeholder
    application = tornado.web.Application([
        (r"/", MainHandler),
        (r"/login", LoginHandler)
    ], cookie_secret='SOME RANDOM STRING')
    application.listen(5000)
    tornado.ioloop.IOLoop.current().start()

There are still some problems with this code: it should show the user a message after reloading the login page, something like "Incorrect username or password." Try this flash-message code snippet.

This code is also insecure: the passwords are stored in MongoDB in cleartext, so anyone who can get a copy of a database backup knows your users' passwords. Passwords should be salted and hashed before being stored in the database.

And of course, you should require an HTTPS secure connection for users to log in.
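
The salting and hashing step recommended above, combined with reading the JSON body shape from the question, as an added example that is not part of the original answer. The function names, the stored-hash format, the iteration count and the `accounts` dict (standing in for the MongoDB collection) are assumptions; only the Python standard library is used.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value; tune for your hardware)

def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except (ValueError, AttributeError):
        return False
    if scheme != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)

def parse_login_body(body):
    """Extract (email, password) from the question's JSON shape, or None if malformed."""
    try:
        data = json.loads(body)["data"]
        email, password = data["Email"], data["Password"]
    except (ValueError, KeyError, TypeError):
        return None
    # Accept only strings: JSON can carry objects, which must not end up in a MongoDB filter.
    if not isinstance(email, str) or not isinstance(password, str):
        return None
    return email, password

def check_login(body, accounts):
    """accounts: dict of email -> stored hash, standing in for the MongoDB collection."""
    creds = parse_login_body(body)
    if creds is None:
        return False
    stored = accounts.get(creds[0])
    return stored is not None and verify_password(creds[1], stored)

# Constructed sample data, using the request body shape shown in the question.
ACCOUNTS = {"adsf": hash_password("asdf")}
SAMPLE_BODY = b'{"data":{"Email":"adsf","Password":"asdf","Type":3}}'
```

In a Tornado handler the raw JSON body is available as `self.request.body`; the lookup by email would replace the `find_one` filter on the cleartext password.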
