When the built-in plugin kinto.plugins.accounts is enabled in the configuration, it becomes possible to manage accounts via a new resource, /accounts.
Via this endpoint, users can sign up, change their password or delete their account. Administrators configured in the settings can manage other users' accounts.
Important: This plugin is highly experimental.
Add the following settings to the .ini file:

    # Enable built-in plugin.
    kinto.includes = kinto.plugins.accounts

    # Enable authenticated policy.
    multiauth.policies = account
    multiauth.policy.account.use = kinto.plugins.accounts.authentication.AccountsAuthenticationPolicy

    # Allow anyone to create accounts.
    kinto.account_create_principals = system.Everyone
Accounts are defined using a username and a password, and use Basic Authentication.
For example, once the bob account has been created, you can check that authentication works using the Hello view (see api-utilities):
    $ http GET http://localhost:8888/v1/ --auth bob:azerty123

Request:

    GET /v1/ HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    Authorization: Basic Ym9iOmF6ZXJ0eTEyMw==
    Connection: keep-alive
    Host: localhost:8888
    User-Agent: HTTPie/0.9.8

Response:

    HTTP/1.1 200 OK
    Access-Control-Expose-Headers: Alert, Backoff, Content-Length, Retry-After
    Content-Length: 448
    Content-Type: application/json
    Date: Tue, 21 Mar 2017 14:40:14 GMT
    Server: waitress
    X-Content-Type-Options: nosniff

    {
        "capabilities": {
            "accounts": {
                "description": "Manage user accounts.",
                "url": "http://kinto.readthedocs.io/en/latest/api/1.x/accounts.html"
            }
        },
        "http_api_version": 1.16,
        "project_docs": "https://kinto.readthedocs.io/",
        "project_name": "kinto",
        "project_version": "6.1.0.dev0",
        "settings": {
            "batch_max_requests": 25,
            "readonly": false
        },
        "url": "http://localhost:8888/v1/",
        "user": {
            "id": "account:bob",
            "principals": [
                "account:bob",
                "system.Everyone",
                "system.Authenticated"
            ]
        }
    }
It is possible to configure administrators in the settings. They will be able to manage other users' accounts via the API.
First create the actual accounts:

    $ echo '{"data": {"password": "azerty123"}}' | http PUT http://localhost:8888/v1/accounts/admin
Then reference the created accounts via the following settings in the .ini file. For example, to grant the account ID admin and the members of the admin group in the bid bucket:

    # Give read/write access to all accounts to ``account:admin``.
    kinto.account_write_principals = account:admin /buckets/bid/groups/admin
    kinto.account_read_principals = account:admin /buckets/bid/groups/admin
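As an added illustration (not part of the Kinto documentation or code base), the following script parses the settings shown on this page and answers who may create accounts and who may manage them, using the principal lists the Hello view returns for a user. It assumes the settings live in an [app:main] section, as in Kinto's example configuration, and that a member of a group carries that group's URI among their principals.

```python
"""Audit the kinto.plugins.accounts settings: who can sign up, who can manage accounts."""
import base64
import configparser

# Constructed .ini fragment built from the settings shown on this page.
# The [app:main] section name is an assumption taken from Kinto's example config.
KINTO_INI = """
[app:main]
kinto.includes = kinto.plugins.accounts
multiauth.policies = account
multiauth.policy.account.use = kinto.plugins.accounts.authentication.AccountsAuthenticationPolicy
kinto.account_create_principals = system.Everyone
kinto.account_write_principals = account:admin /buckets/bid/groups/admin
kinto.account_read_principals = account:admin /buckets/bid/groups/admin
"""


def load_settings(ini_text):
    """Return the [app:main] settings as a plain dict of key -> raw string value."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return dict(parser["app:main"])


def principals(settings, key):
    """Kinto stores principal lists as whitespace-separated strings."""
    return set(settings.get(key, "").split())


def accounts_plugin_enabled(settings):
    """True when the plugin is included and the 'account' policy is wired up."""
    policy = settings.get("multiauth.policy.account.use", "")
    return ("kinto.plugins.accounts" in principals(settings, "kinto.includes")
            and "account" in principals(settings, "multiauth.policies")
            and policy.endswith("AccountsAuthenticationPolicy"))


def can_create_account(settings, user_principals):
    """Sign-up is open to anyone when system.Everyone is listed."""
    return bool(principals(settings, "kinto.account_create_principals") & set(user_principals))


def can_manage_accounts(settings, user_principals):
    """True if any of the user's principals is in kinto.account_write_principals."""
    return bool(principals(settings, "kinto.account_write_principals") & set(user_principals))


def basic_auth_header(username, password):
    """Build the Authorization header HTTPie sends for --auth user:password."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


SETTINGS = load_settings(KINTO_INI)
```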
Note: It is not very convenient to require a server restart for configuring administrators, but we thought it was acceptable as a first iteration.