Currently I am working on a project that combines basic authentication with the cornice / pyramid framework.
From the logging I observe that every time a URL is accessed the used credentials get checked twice. Since in our use case this does involve a lot of database checks, it is a potential target for an (unintended) DoS attack.
In my view I define a cornice Service with a factory. In my app setup I configured the pyramid provided BasicAuthenticationPolicy with the resource intensive check as a callback for authentication. Also in the app setup I configure the pyramid provided ACLAuthorizationPolicy for authorisation.
So I was wondering what I am missing, as I would really like to prevent the second check from taking place. (Should I cache this on the request object in some secure way?)
Found by studying the code that this is intended behaviour.
This behaviour is only triggered when the authenticated_userid property is used (which I do).
Solved this issue by 'caching' calls to my authentication function via a decorator, which should be fine as the same objects will be referenced via the function parameters.
Documentation can be found in the pyramid package, in pyramid/authentication.py.
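The per-request caching the answer describes, as an added example that is neither the poster's code nor Pyramid's: a decorator that memoizes the authentication callback on the request object, keyed on the presented credentials, so the expensive check runs once per request even though the policy invokes the callback for both `authenticated_userid` and `effective_principals`. `FakeRequest`, the `USERS` table and `authenticate_like_pyramid` are constructed stand-ins for the Pyramid objects (nothing here imports pyramid), and the real callback would read the password with `pyramid.authentication.extract_http_basic_credentials(request)`.

```python
import functools
import hashlib
import hmac

# Constructed stand-in for pyramid.request.Request: only what the example needs.
class FakeRequest:
    def __init__(self, username, password):
        self.username = username  # in Pyramid: extract_http_basic_credentials(request)
        self.password = password

def cache_on_request(callback):
    """Memoize an auth callback for the lifetime of one request.

    The cache lives on the request object and is keyed on the credentials
    actually presented, so it dies with the request (no cross-request reuse)
    and a wrong password can never hit an entry created by a right one.
    """
    @functools.wraps(callback)
    def wrapper(username, request):
        cache = request.__dict__.setdefault("_auth_callback_cache", {})
        key = (username, request.password)
        if key not in cache:
            cache[key] = callback(username, request)
        return cache[key]
    return wrapper

DB_CALLS = {"count": 0}  # counts how often the expensive check really ran

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store (username -> salt, hash); a real app queries a database.
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

@cache_on_request
def check_credentials(username, request):
    """Expensive check. Returns the user's groups on success, None on failure."""
    DB_CALLS["count"] += 1
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _pbkdf2(request.password, salt)):
        return None
    return ["group:users"]

def authenticate_like_pyramid(request):
    """Mimics the policy: authenticated_userid, then effective_principals,
    each calling the callback. Returns (userid, principals)."""
    userid = request.username if check_credentials(request.username, request) is not None else None
    principals = ["system.Everyone"]
    groups = check_credentials(request.username, request)
    if groups is not None:
        principals += ["system.Authenticated", request.username] + groups
    return userid, principals
```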