
I understand python-eve supports HMAC or token based authentication, i.e. including the token or hash in the header for each request. However, how shall we implement login in the first place, i.e. the process where we verify username and password before we provide them the token/HMAC hash? Shall we just accept a new route method like below and read the db directly, or is there a better way to do that?

@app.route('/login', methods=['POST'])
def login(): ...
Dominic Rodger
John

2 Answers


Ideally user ids, secret keys and tokens are provided through some out-of-band technique e.g., an e-mail, plain old paper, a webpage (not advisable). The client will use the supplied secret key to sign all requests.

Logins do not belong to REST services, which are stateless by definition (they don't store the state of the client, that's why you authenticate on every single request.)

My advice is to handle user registration on a different service/website than the API itself. In any case, make sure that the token/userid/secret key is being sent out-of-band. Man-in-the-middle attacks and the like could spoof the secret key, then use it to sign API requests on behalf of the intended client.

Nicola Iarocci

Thanks Nicola, I agree with you; probably providing the secret to the user is in REST's scope. A relevant question though: how much of the authentication is already built in to python-eve? For example, caching the user:secret mapping? – John Apr 29 '14 at 09:51

To properly implement token based authentication, ideally, you need to have an Identity Provider (IdP) to which you authenticate and which returns a valid token (time limited) that you can then use in the Service Providers (i.e. your API) that trust the IdP.

This said, I guess you could do an initial basic auth as supported by Eve, and return a token that your client will use in subsequent requests. In my view, the security benefit would be that the credentials are vulnerable during the initial request only instead of on every single request. The drawback is that the IdP and the SP would be one and the same.

You can read more about token auth here:

Hope it helps.

Adrian