PyPagekite allows front-ends to delegate authentication to a remote service according to a DNS-based authentication protocol. The command line option --authdomain is documented here.
If you are not familiar with DNS requests and responses, experiment with socket.gethostbyname_ex(hostname) in a Python console:
import socket
socket.gethostbyname_ex('mail.google.com')
The answer should look like this:
('googlemail.l.google.com', ['mail.google.com'], ['173.194.35.21', '173.194.35.22'])
If the front-end is running with --authdomain=myauthdomain.com a lookup string may look like this:
(srand).(token).(sign).http.myname.example.com.myauthdomain.com
When a back-end is connecting, the front-end queries the DNS server and extracts authentication errors and extended quota info from CNAME replies.
(hn, al, ips) = socket.gethostbyname_ex(lookup)
The primary hostname is split into error, days and connections information:
if al:
    error, hg, hd, hc, junk = hn.split('.', 4)
    q_days = int(hd, 16)
    q_conns = int(hc, 16)
else:
    error = q_days = q_conns = None
A few constants are defined in common.py:
AUTH_ERRORS = '255.255.255.'
AUTH_ERR_USER_UNKNOWN = '.0'
AUTH_ERR_INVALID = '.1'
If ips[0] starts with '255.255.255.', an authentication error occurred: the user may be unknown (ips[0] ends with '.0') or invalid (ips[0] ends with '.1').
Otherwise the user has been authenticated and the quota is encoded in the IP. Look at LookupDomainQuota to see how it works.
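The reply handling described above, as an added example that is not PyPagekite's own code: it classifies a tuple shaped like the return value of socket.gethostbyname_ex() and reports anything malformed as a denial instead of raising. The helper name parse_auth_reply, the status labels and the sample replies are assumptions made for illustration; the quota IP is returned undecoded.

```python
# Added example, not PyPagekite's code. Constants are those quoted from common.py.
AUTH_ERRORS = '255.255.255.'
AUTH_ERR_USER_UNKNOWN = '.0'
AUTH_ERR_INVALID = '.1'


def parse_auth_reply(reply):
    """Classify a (hn, al, ips) reply; hypothetical helper that fails closed."""
    denied = {'status': 'malformed', 'cname_error': None,
              'q_days': None, 'q_conns': None, 'ip': None}
    try:
        hn, al, ips = reply
        cname_error = q_days = q_conns = None
        if al:
            # CNAME reply: error, hg, days (hex), connections (hex), rest
            cname_error, _hg, hd, hc, _junk = hn.split('.', 4)
            q_days = int(hd, 16)
            q_conns = int(hc, 16)
        ip = ips[0]
        is_error = ip.startswith(AUTH_ERRORS)
    except (ValueError, IndexError, TypeError, AttributeError):
        # Too few labels, non-hex quota fields, empty answer, wrong types:
        # treat the back-end as not authenticated.
        return denied
    if not is_error:
        status = 'authenticated'      # quota is encoded in ip (left undecoded)
    elif ip.endswith(AUTH_ERR_USER_UNKNOWN):
        status = 'user_unknown'
    elif ip.endswith(AUTH_ERR_INVALID):
        status = 'invalid'
    else:
        status = 'error'              # any other 255.255.255.x is still a denial
    return {'status': status, 'cname_error': cname_error,
            'q_days': q_days, 'q_conns': q_conns, 'ip': ip}


# Constructed sample replies; labels such as 'E' and 'G' are placeholders.
SAMPLES = [
    ('E.G.1e.5.rest.myauthdomain.com', ['lookup.myauthdomain.com'], ['0.0.4.0']),
    ('lookup.myauthdomain.com', [], ['255.255.255.0']),
    ('lookup.myauthdomain.com', [], ['255.255.255.1']),
    ('short.cname', ['lookup.myauthdomain.com'], ['0.0.4.0']),
    ('E.G.zz.5.rest.myauthdomain.com', ['lookup.myauthdomain.com'], ['0.0.4.0']),
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(parse_auth_reply(sample))
```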