How do I handle logouts with repoze.who (and bottle.py)?

Question

I'm trying to make bottle.py work with repoze.who, and so far have managed to put together the following very simplistic program to get it working, using a combination of various examples I've found. Obviously this isn't something I'd run in production, I'm just trying to make the least complicated code I can so that I can learn how to use this - but unfortunately, tutorials for using bottle.py with repoze.who are very few and far between.

This example below works, and allows someone to login with username/password of admin/admin. What am I supposed to do with repoze.who to make the logout() function work? I gather there's a forget function that might be for this purpose, but I can't work out how I'm meant to call it.

Thanks.

from bottle import route, run, app, get, abort, request

from StringIO import StringIO
import repoze
from repoze.who.middleware import PluggableAuthenticationMiddleware
from repoze.who.interfaces import IIdentifier
from repoze.who.interfaces import IChallenger
from repoze.who.plugins.basicauth import BasicAuthPlugin
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.cookie import InsecureCookiePlugin
from repoze.who.plugins.form import FormPlugin
from repoze.who.plugins.htpasswd import HTPasswdPlugin
from repoze.who.classifiers import default_request_classifier
from repoze.who.classifiers import default_challenge_decider    

import logging, sys
import pprint

@route('/')
def root():
    if request.environ.get('repoze.who.identity') is None:
        abort(401, "Not authenticated")
    return "Authenticated"


@route('/hello')
def index():
    identity = request.environ.get('repoze.who.identity')
    if identity == None:
        abort(401, "Not authenticated")

    user = identity.get('repoze.who.userid')
    return '<b>Hello %s!</b>' % user

@route('/logout')
def logout():
    # I have no idea what to put here
    pass

io = StringIO()
salt = 'aa'

for name, password in [ ('admin', 'admin'), ('paul', 'paul') ]:
    io.write('%s:%s\n' % (name, password))
io.seek(0)

def cleartext_check(password, hashed):
    return password == hashed

htpasswd = HTPasswdPlugin(io, cleartext_check)
basicauth = BasicAuthPlugin('repoze.who')
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')
form = FormPlugin('__do_login', rememberer_name='auth_tkt')
form.classifications = { IIdentifier:['browser'],
                         IChallenger:['browser'] }
identifiers = [('form', form),('auth_tkt',auth_tkt),('basicauth',basicauth)]
authenticators = [('htpasswd', htpasswd)]
challengers = [('form',form), ('basicauth',basicauth)]
mdproviders = []


log_stream = None
import os
if os.environ.get('WHO_LOG'):
    log_stream = sys.stdout

middleware = PluggableAuthenticationMiddleware(
    app(),
    identifiers,
    authenticators,
    challengers,
    mdproviders,
    default_request_classifier,
    default_challenge_decider,

    log_stream = log_stream,
    log_level = logging.DEBUG
    )

if __name__ == '__main__':
    run(app=middleware, host='0.0.0.0', port=8080, reloader=True)
else:
    application = middleware

run(host='0.0.0.0', port=8080)

Answer 1

If you can I would use RedirectingFormPlugin rather than FormPlugin. RedirectingFormPlugin allows you to register a logout URL. With it you do not have to implement the /logout handler as such as the RedirectingFormPlugin intercepts the request and handles the calls to forget etc. for you. I have used this with Bobo and appengine and it works well.

Answer 2

if you still want to do it the unpreferred way in old repoze.who v1, following worked for me:

from bottle import response # , redirect
# ...
@route('/logout')
def logout():
    identity = request.environ.get('repoze.who.identity')
    if identity:
        for (i_name, i) in identifiers:
            hdrs = i.forget(request.environ, identity)
            [ response.add_header(*h) for h in hdrs ]
    ## following would be nice, but does not work,
    ## since redirect is not using defined response headers
    # rfr = request.get_header('referer', '/')
    # redirect(rfr)
    ## so we do just this:
    return "you have been hopefully logged out"