--- a/docs/api/auth.rst Tue Apr 28 11:04:03 2015 +0200
+++ b/docs/api/auth.rst Wed Feb 25 22:40:39 2015 +0100
@@ -7,6 +7,6 @@
.. autofunction:: includeme
- .. autoclass:: CubicWebAuthTktAuthenticationPolicy
+ .. autoclass:: UpdateLoginTimeAuthenticationPolicy
:show-inheritance:
:members:
--- a/docs/index.rst Tue Apr 28 11:04:03 2015 +0200
+++ b/docs/index.rst Wed Feb 25 22:40:39 2015 +0100
@@ -23,6 +23,7 @@
narr/quickstart
narr/ctl
narr/settings
+ narr/auth
narr/profiling
Api Documentation
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/docs/narr/auth.rst Wed Feb 25 22:40:39 2015 +0100
@@ -0,0 +1,40 @@
+Authentication
+==============
+
+Overview
+--------
+
+A default authentication stack is provided by the :mod:`pyramid_cubicweb.auth`
+module, which is included by :mod:`pyramid_cubicweb.default`.
+
+The authentication stack is built around `pyramid_multiauth`_, and provides a
+few default policies that reproduce the default cubicweb behavior.
+
+.. note::
+
+ Note that this module only provides an authentication policy, not the views
+ that handle the login form. See :ref:`login_module`
+
+Customize
+---------
+
+The default policies can be individually deactivated, as well as the default
+authentication callback that returns the current user groups as :term:`principals`.
+
+The following settings can be set to `False`:
+
+- :confval:`cubicweb.auth.update_login_time`. Activate the policy that update
+ the user `login_time` when `remember` is called.
+- :confval:`cubicweb.auth.authtkt` and all its subvalues.
+- :confval:`cubicweb.auth.groups_principals`
+
+Additionnal policies can be added by accessing the MultiAuthenticationPolicy
+instance in the registry:
+
+.. code-block:: python
+
+ mypolicy = SomePolicy()
+ authpolicy = config.registry['cubicweb.authpolicy']
+ authpolicy._policies.append(mypolicy)
+
+.. _pyramid_multiauth: https://github.com/mozilla-services/pyramid_multiauth
--- a/docs/narr/settings.rst Tue Apr 28 11:04:03 2015 +0200
+++ b/docs/narr/settings.rst Wed Feb 25 22:40:39 2015 +0100
@@ -86,3 +86,57 @@
.. confval:: cubicweb.profile (bool)
(False) Enable/disable profiling. See :ref:`profiling`.
+
+.. confval:: cubicweb.auth.update_login_time (bool)
+
+ (True) Add a :class:`pyramid_cubicweb.auth.UpdateLoginTimeAuthenticationPolicy`
+ policy, that update the CWUser.login_time attribute when a user login.
+
+.. confval:: cubicweb.auth.authtkt (bool)
+
+ (True) Enables the 2 cookie-base auth policies, which activate/deactivate
+ depending on the `persistent` argument passed to `remember`.
+
+ The default login views set persistent to True if a `__setauthcookie`
+ parameters is passed to them, and evals to True in
+ :func:`pyramid.settings.asbool`.
+
+ The configuration values of the policies are arguments for
+ :class:`pyramid.authentication.AuthTktAuthenticationPolicy`.
+
+ The first policy handles session authentication. It doesn't get
+ activated if `remember()` is called with `persistent=False`:
+
+ .. confval:: cubicweb.auth.authtkt.session.cookie_name (str)
+
+ ('auth_tkt') The cookie name. Must be different from the persistent
+ authentication cookie name.
+
+ .. confval:: cubicweb.auth.authtkt.session.timeout (int)
+
+ (1200) Cookie timeout.
+
+ .. confval:: cubicweb.auth.authtkt.session.reissue_time (int)
+
+ (120) Reissue time.
+
+ The second policy handles persistent authentication. It doesn't get
+ activated if `remember()` is called with `persistent=True`:
+
+ .. confval:: cubicweb.auth.authtkt.persistent.cookie_name (str)
+
+ ('auth_tkt') The cookie name. Must be different from the session
+ authentication cookie name.
+
+ .. confval:: cubicweb.auth.authtkt.persistent.max_age (int)
+
+ (30 days) Max age in seconds.
+
+ .. confval:: cubicweb.auth.authtkt.persistent.reissue_time (int)
+
+ (1 day) Reissue time in seconds.
+
+.. confval:: cubicweb.auth.groups_principals (bool)
+
+ (True) Setup a callback on the authentication stack that inject the user
+ groups in the principals.