Composing requests with the necessary authentication

Now, we will compose and send an HTTP request to retrieve the first page of the messages without authentication credentials:

http GET ':5000/api/messages/?page=1'

The following is the equivalent curl command:

curl -iX GET ':5000/api/messages/?page=1'

We will receive a 401 Unauthorized status code in the response, together with a WWW-Authenticate header that tells the client which scheme (Basic) and realm the API expects. The following lines show a sample response:

HTTP/1.0 401 UNAUTHORIZED
Content-Length: 19
Content-Type: text/html; charset=utf-8
Date: Mon, 15 Aug 2016 01:16:36 GMT
Server: Werkzeug/0.11.10 Python/3.5.1
WWW-Authenticate: Basic realm="Authentication Required"

If we want to retrieve messages, that is, to make a GET request to /api/messages/, we need to provide credentials using HTTP Basic authentication. However, before we can do this, it is necessary to create a new user. We will use the new user to test our new resource classes related to users and our changes in the permissions policies.

http POST :5000/api/users/ name='brandon' password='brandonpassword'

The following is the equivalent curl command:

curl -iX POST -H "Content-Type: application/json" -d '{"name": "brandon", "password": "brandonpassword"}' :5000/api/users/

Tip

Of course, the creation of a user and the execution of the methods that require authentication should only be possible over HTTPS. HTTP Basic authentication does not encrypt anything: the Authorization header carries the user name and the password base64-encoded, and the user creation request carries the password in clear text in the JSON body, so anyone who can observe the traffic can read them. TLS is what protects the credentials on the wire.

The previous command will compose and send a POST HTTP request with the specified JSON key-value pairs. The request specifies /api/users/, and therefore, it will match the '/users/' URL route for the UserList resource. As the HTTP verb for the request is POST, Flask runs the UserList.post method, which doesn't require authentication. The method doesn't receive arguments because the URL route doesn't include any parameters.

The previously specified password only includes lowercase letters, and therefore, it doesn't fulfil all the qualitative requirements we have specified for passwords in the User.check_password_strength_and_hash_if_ok method. Thus, we will receive a 400 Bad Request status code in the response and a JSON body with an error message indicating the requirement that the password didn't fulfil. The following lines show a sample response:

HTTP/1.0 400 BAD REQUEST
Content-Length: 75
Content-Type: application/json
Date: Mon, 15 Aug 2016 01:29:55 GMT
Server: Werkzeug/0.11.10 Python/3.5.1

{
    "error": "The password must include at least one uppercase letter"
}

The following command will create a user with a valid password:

http POST :5000/api/users/ name='brandon' password='iA4!V3riS#c^R9'

The following is the equivalent curl command:

curl -iX POST -H "Content-Type: application/json" -d '{"name": "brandon", "password": "iA4!V3riS#c^R9"}' :5000/api/users/

If the new User instance is successfully persisted in the database, the call will return an HTTP 201 Created status code and the recently persisted User serialized to JSON in the response body. The following lines show a sample response with the new User object in the JSON body. Note that the response includes the URL, url, for the created user and doesn't include any information related to the password, neither the clear-text value nor its hash.

HTTP/1.0 201 CREATED
Content-Length: 87
Content-Type: application/json
Date: Mon, 15 Aug 2016 01:33:23 GMT
Server: Werkzeug/0.11.10 Python/3.5.1

{
    "id": 1, 
    "name": "brandon", 
    "url": "http://localhost:5000/api/users/1"
}

We can run the previously explained command to check the contents of the user table that the migrations created in the PostgreSQL database. We will notice that the hashed_password column of the new row holds a hash, not the password we sent: the API never stores the clear-text password. The following screenshot shows the contents of the new row of the user table in the PostgreSQL database after running the HTTP request:

[Screenshot: the new row of the user table, with the hashed_password column containing the hash of the password]

If we want to retrieve the first page of messages, that is, to make a GET request to /api/messages/, we need to provide credentials using HTTP Basic authentication. Now, we will compose and send an HTTP request to retrieve the first page of messages with the user name and the password we have just created:

http -a 'brandon':'iA4!V3riS#c^R9' ':5000/api/messages/?page=1'

The following is the equivalent curl command:

curl --user 'brandon':'iA4!V3riS#c^R9' -iX GET ':5000/api/messages/?page=1'

The user will be successfully authenticated and the API will process the request and return the first page of messages. Note that HTTP Basic authentication is stateless: the client sends the Authorization header, and therefore the credentials, with every request it makes to a protected resource, which is one more reason to serve the API only over HTTPS. With all the changes we have made to our API, unauthenticated requests can only create a new user.
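The following block is an added example, not code from the book or from its Flask project. It reproduces in plain Python the whole exchange shown on this page so that the server-side logic behind each status code is visible: the password policy check that produces the 400 response, the salted hashing that explains the hashed_password column, the Authorization header that http -a and curl --user build, and the parsing and verification that decide between 401 (with its WWW-Authenticate header) and 200. The in-memory USERS dictionary stands in for the user table; the policy rules other than the uppercase rule, the PBKDF2 parameters and the shape of the messages payload are assumptions, since the page does not show them. Only the standard library is used.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed stand-in for the user table: name -> (salt, pbkdf2 digest).
USERS = {}
REALM = 'Basic realm="Authentication Required"'


def check_password_strength(password):
    """Return None when the password satisfies the policy, else the error message.

    Only the uppercase rule is shown on the page; the other rules are assumptions
    chosen to look like a typical policy. The uppercase rule runs first so that
    'brandonpassword' produces the same message as the page.
    """
    if not re.search(r"[A-Z]", password):
        return "The password must include at least one uppercase letter"
    if not re.search(r"[a-z]", password):
        return "The password must include at least one lowercase letter"
    if not re.search(r"[0-9]", password):
        return "The password must include at least one digit"
    if not re.search(r"[^A-Za-z0-9]", password):
        return "The password must include at least one symbol"
    if len(password) < 8:
        return "The password must be at least 8 characters long"
    return None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed value."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def create_user(name, password):
    """POST /api/users/ : no authentication, returns (status, json_body)."""
    error = check_password_strength(password)
    if error is not None:
        return 400, {"error": error}
    USERS[name] = hash_password(password)  # only the salt and hash are stored
    user_id = len(USERS)
    # The response carries the user's URL and nothing about the password.
    return 201, {"id": user_id, "name": name,
                 "url": "http://localhost:5000/api/users/%d" % user_id}


def basic_auth_header(name, password):
    """What http -a user:pass and curl --user user:pass put on the wire.
    This is encoding, not encryption: anyone who sees the header can decode it."""
    token = base64.b64encode(("%s:%s" % (name, password)).encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def verify_password(name, password):
    record = USERS.get(name)
    if record is None:
        hash_password(password)  # spend the same time for unknown users
        return False
    salt, expected = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def authenticate(headers):
    """Parse the Authorization header; return the user name or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    name, sep, password = decoded.partition(":")
    if not sep or not verify_password(name, password):
        return None
    return name


def get_messages(headers, page=1):
    """GET /api/messages/?page=N : returns (status, response_headers, json_body)."""
    user = authenticate(headers)
    if user is None:
        # Same shape as the 401 on the page: the realm tells the client what to send.
        return 401, {"WWW-Authenticate": REALM}, None
    return 200, {}, {"page": page, "results": []}


if __name__ == "__main__":
    print(get_messages({})[0])                                      # 401
    print(create_user("brandon", "brandonpassword"))                # 400 + error
    print(create_user("brandon", "iA4!V3riS#c^R9"))                 # 201 + user
    print(get_messages(basic_auth_header("brandon", "iA4!V3riS#c^R9"))[0])  # 200
    print(get_messages(basic_auth_header("brandon", "wrong"))[0])           # 401
```

The two details worth copying into a real implementation are the constant-time comparison of the derived hash (hmac.compare_digest) and the fact that an unknown user still costs one PBKDF2 computation, so a client cannot tell valid user names from invalid ones by timing the 401 responses.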
