Usage¶
Views included¶
There are four views provided by django-valet-keys:
- valet_keys.views.list
- The “home page” for django-valet-keys, listing all of a user’s keys and offering a link to create a new one. It’s handy to offer a link to this view from a profile or settings page.
- valet_keys.views.new
- Accepts a user-authored description and generates a new key.
- valet_keys.views.disable
- Allows a user to disable a key, linked from the list view. Note that keys are never deleted, only disabled. This preserves recorded history and allows later investigation of robot misbehavior.
- valet_keys.views.history
- Paginated view of usage history for a key, linked from the list view.
Note
There’s no edit view. Keys can be created or disabled, but are otherwise immutable. The only user-serviceable part is the description of the key; user name and password are randomly generated.
The @accepts_valet_key decorator¶
In your views, the @accepts_valet_key decorator is the primary way to support valet keys. For example:
from django.http import HttpResponse
from valet_keys.decorators import accepts_valet_key
@accepts_valet_key
def hello(request):
if request.valet_key:
msg = 'HELLO ROBOT, I SEE YOU ARE IMPERSONATING %s' % request.user
elif request.user.is_authenticated():
msg = 'Why, hello there Mr. User!'
else:
msg = 'Welcome, guest.'
response = HttpResponse(msg)
response['Content-Type'] = 'text/plain'
return response
The above demonstrates the features of the @accepts_valet_key decorator:
- request.valet_key is set to None, if the request did not present a valid key in HTTP Basic Auth.
- request.valet_key contains an instance of valet_keys.models.Key if there was a valid key presented via HTTP Basic Auth.
- Additionally, request.user is set to the Django User who owns the valet key.
The Key model and activity logging¶
As mentioned above, views decorated with @accepts_valet_key will receive an instance of valet_keys.models.Key in request.valet_key if a valid key was presented via HTTP Basic Auth.
The presence of this instance (ie. not None) is useful for detecting access by an authorized robot. However, there is also a logging method presented by the Key model object which is useful for recording what the robot did while acting on a user’s behalf. It works like so:
@accepts_valet_key
def comment(request, slug):
blog_post = get_object_or_404(BlogPost, slug=slug)
if 'POST' == request.method and request.valet_key:
content = request.POST['comment']
blog_post.add_comment(content)
request.valet_key.log('blog.commented', blog_post, content)
As demonstrated in this pseudo-code, the Key model offers a log method that accepts these parameters:
- action
- Arbitrary string naming an action, handy when prefixed with an app name.
- content_object
- An optional content object on which the action was performed.
- notes
- Arbitrary text offering further description of the action.
Calls to log result in entries visible on the valet_keys.views.history view, thus offering rudimentary key usage tracking.
Note
This is a pretty cruddy logging API, so pull requests welcome!