Tornado is an open source web server developed by Facebook.
It implements various third-party authentication schemes to connect to services like Facebook, Google OAuth, Twitter, etc.
But Tornado doesn't provide good documentation for handling your own login service.
I tried to write my own.
My goal is to allow a user to access my web application only when he has the right permissions.
I add three handlers: one for my index (MainHandler), one for my login page (AuthLoginHandler),
and one for my logout page (AuthLogoutHandler).
The settings["login_url"] setting sets the URL used by the @authenticated decorator.
What I want is to redirect the user to the login URL (/auth/login/) if he is not logged in.
It's that simple, isn't it?
All that remains is to create a handler for my login screen, and a handler that deletes the cookie when I reach the auth/logout/ URL.
My login handler's get method renders the login.html page.
When a user makes a POST request to /auth/login/,
my web server checks whether the username/password pair is valid and, if so, writes the user cookie.
Otherwise it redirects the user back to the login page with an error message.
All the current user's information is saved in a secure cookie.
Tornado provides the set_secure_cookie and get_secure_cookie methods.
These two methods use a cookie secret key to encrypt the cookie.
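As an added stand-alone example (not the post's code and not Tornado itself), the protection that set_secure_cookie and get_secure_cookie give the user cookie, modelled on Tornado's original "value|timestamp|signature" cookie format: the user name is base64-encoded and HMAC-signed with the cookie secret, so the client can read it but cannot alter it, and a forged, expired or malformed cookie decodes to None, which is the case in which @authenticated sends the client to login_url. The secret, the `clock` parameter and `current_user_or_redirect` are assumptions made so the example runs offline.

```python
import base64
import hashlib
import hmac
import time

# Constructed values for this example; in Tornado they come from settings["cookie_secret"]
# and settings["login_url"].
COOKIE_SECRET = "example-secret-not-for-production"
LOGIN_URL = "/auth/login/"
MAX_AGE_DAYS = 31  # Tornado's default lifetime for secure cookies


def _signature(secret, *parts):
    """HMAC-SHA1 over the concatenated parts, as in Tornado's original (v1) scheme."""
    h = hmac.new(secret.encode(), digestmod=hashlib.sha1)
    for part in parts:
        h.update(part.encode())
    return h.hexdigest()


def create_signed_value(secret, name, value, clock=time.time):
    """Build 'base64(value)|timestamp|signature' (what set_secure_cookie stores).

    The value is only base64-encoded: anyone holding the cookie can read it,
    but cannot change it without invalidating the signature.
    """
    timestamp = str(int(clock()))
    encoded = base64.b64encode(value.encode()).decode()
    return "|".join([encoded, timestamp, _signature(secret, name, encoded, timestamp)])


def decode_signed_value(secret, name, signed, clock=time.time, max_age_days=MAX_AGE_DAYS):
    """Return the original value, or None if the cookie is malformed, forged or expired."""
    parts = signed.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    encoded, timestamp, signature = parts
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(_signature(secret, name, encoded, timestamp), signature):
        return None
    if int(timestamp) < clock() - max_age_days * 86400:
        return None
    return base64.b64decode(encoded).decode()


def current_user_or_redirect(cookies, secret=COOKIE_SECRET, clock=time.time):
    """Hypothetical stand-in for get_current_user plus @authenticated: a valid 'user'
    cookie yields the user name, anything else sends the client to LOGIN_URL."""
    user = decode_signed_value(secret, "user", cookies.get("user", ""), clock)
    return ("user", user) if user is not None else ("redirect", LOGIN_URL)
```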