Krzysztof Żuraw

Personal site

JSON Web Tokens in django application- part two

In this blog post, I will deal with creating simple Django application for creating tasks using django rest framework.

From this blog post, you can learn how to setup basic DRF application.

Overview of application

The main goal of this application is to create tasks. Each task has a title - string with a maximum length of 100 characters. Task also has a person to which it is bound (many to one relation - ForeginKey). The last thing that task have is date and time which given task is due to. The user can easily modify each of tasks so GET, POST, PUT and DELETE methods are supported.

As we know how the application is designed let's jump into the code.

Application code

First, there is a need to create model for Task:

from django.db import models
from django.contrib.auth.models import User

class Task(models.Model):
    title = models.CharField(max_length=100)
    person = models.ForeignKey(User)
    due_to = models.DateTimeField()

    def __str__(self):
        return 'Task with title: {}'.format(self.title)

The arguments of Task correspond to what was written in the overview.

As we have models ready now it's time to create serializers so data from database can be converted to stream of bytes:

from rest_framework import serializers
from .models import Task
from django.contrib.auth.models import User

class TaskSerializer(serializers.HyperlinkedModelSerializer):
    class Meta:
        model = Task

class UserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User

As you can see in TaskSerializer I used HyperlinkedModelSerializer as a type of serializer that I want to use - thanks to that response from my application will have hyperlinks to resources instead of just primary keys that are used in UserSerializer. In this serializer, I use django User as a source of data. I have to do this because Task model has a reference to User and without serialization of the second one I cannot serialize the task.

Right now I have my models and serializers ready so it's time to create some views and urls. For a typical usage of views, DRF gives you generic viewsets like ModelViewSet. ViewSet is a combination of the logic for a set of related views in a single class. How do views look like?

from rest_framework import viewsets
from .models import Task
from .serializers import TaskSerializer, UserSerializer
from django.contrib.auth.models import User

class TaskViewSet(viewsets.ModelViewSet):
    queryset = Task.objects.all()
    serializer_class = TaskSerializer

class UserViewSet(viewsets.ModelViewSet):
    queryset = User.objects.all()
    serializer_class = UserSerializer

I created 2 viewsets. The only thing that I need to provide is queryset and serializer_class arguments so viewsets know which data they needed to take and which serializer use. Right now there is only one thing missing - urls:

from django.conf.urls import url, include
from django.contrib import admin
from tasks import views
from rest_framework.routers import DefaultRouter

router = DefaultRouter()
router.register(r'tasks', views.TaskViewSet)
router.register(r'users', views.UserViewSet)

urlpatterns = [
    url(r'^', include(router.urls)),

Here I set up DefaultRouter and hook TaskViewSet and UserViewSet to it. Router is a way of building common routes for a resource. To get all tasks - I go to /tasks uri. To retrieve first task I type tasks/1. I can write this in urlpatterns but the router is doing the same for me automatically.

Right now I can try my application:

$ http GET
HTTP/1.0 200 OK
Content-Type: application/json
Date: Sun, 23 Oct 2016 08:36:23 GMT
Server: WSGIServer/0.2 CPython/3.5.1
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN

    "tasks": "",
    "users": ""

$ http GET
HTTP/1.0 200 OK
Content-Type: application/json
Date: Sun, 23 Oct 2016 08:45:50 GMT
Server: WSGIServer/0.2 CPython/3.5.1
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN

        "due_to": "2016-10-18T19:12:01Z",
        "person": "",
        "title": "First one",
        "url": ""
        "due_to": "2016-10-18T19:12:10Z",
        "person": "",
        "title": "Second one",
        "url": ""

That's all for today! In the next post, I will make authentication with JWT. Stay tuned!

Code for this blog post is under this github.

Other blog posts in this series

Special thanks to Kasia for being editor for this post. Thank you.

Cover picture by Lalmch under CC0 Public Domain.

To see comments and full article enter: JSON Web Tokens in django application- part two

PyConPL 2016

This weekend I was on PyConPL conference. This is a short relation from this event.

Table of Contents:

Day 1

I was on a presentation by Marcin Bardź PostgreSQL i SQLAlchemy Duet (nie)doskonały. It was a talk about the tandem of two tools that are commonly used in Python world: PostreSQL and SQLAlchemy. In this talk, Marcin presented a basic description of what exactly a database is, how postgresql is meeting the requirements of a good database. Then he talked about SQLAlchemy basic stuff like quering, creating tables or making relations. I would have liked this talk more if it would been for more experienced people. But in general it was a good talk.

Day 2

It was a hard day. Only talks that I had time to attend were lightning talks where I found a range of topics starting from python tests to golf coding contest. As I am on this topic I was one of the makers of my company Code Golf game - It was a simple code golf game in which contestants had to solve one of the following tasks: game of life, tic tac toe and reverse polish notation. What I have learned from this is that there always have to be tests. ALWAYS. I don't have ones and as it turns out there was a problem that my test cases that were supposed to test code were bugged and solving this issue on spot isn't pleasant.

Day 3

In the morning I was attending talk by Michał Lowas Rzecionek about Async pod maską. It was an interesting talk about what exactly is going on under the hood in Next presentation that I happened to be at was a keynote by Jessica McKellar about systems. It was an interesting talk mainly about current social systems and their relation to programming.

Day 4

During the conference, there was a very interesting capture the flag competition. The theme of this CTF was the Lord of the Rings. As it turns out there was about 60 teams of 2 people. Tasks were not so easy and many people did not do all 10 tasks. Right after that there was a talk by Kasia Jachim about how to write code that is not testable. To be honest I really don't know what this talk was about.

This was my short relation from this year PyConPl 2016. What are your feelings? Please tell me in comments.

Special thanks to Kasia for being editor for this post. Thank you.

Cover picture taken from Hotel Ossa.

To see comments and full article enter: PyConPL 2016

Microservices in Flask

I recently gave a talk about microservices in Flask on Wrocpy. This blog post is a translation of that talk into English.

Monolithic application

Microservices talk usually starts with a monolithic application. In my case, it is the same. I work on a project where I have a big monolithic application. If I wanted to take some part of it and make some microservice from for instance django app it would be impossible. There are too many internal imports from every part of application:

from app.users.models import UserSiteProfile
from app.utils.cache import cache_key_user
from app.sites.models import SiteProfile
from app.sites.utils import site_terms
from app.utils.users import get_homepage_url
from app.utils.views import ThemedFormView, ThemedTemplateView
from app.authentication import signals
from app.authentication.forms import AuthForm, EmailForm
from app.authentication.idp import (
    is_valid_idp, MultipleIDPError, saml_available,
    site_idp, user_idp_lookup)
from app.authentication.loginchecks import (
    check_account_expiration, get_site_login_errors,
from app.saml.utils import site_specific_config_loader
from app.saml.views import _get_subject_id

Snippet from above presents exemplary imports of random python module in my project.

So where are these microservices? In my team, we decided to have new parts of the application made as a microservices. So right now from the architectural point of view I have a big monolithic application and small microservices that are around this big thing, like in this picture:

Microservices in my project

Picture from link.

Flask microservices

We choose the flask as a tool that will be used in our microservices. It doesn't set any boundaries and it's flexible but don't have batteries included. Let's start with the first flask extension that helps us building microservices:


Django has a set of powerful commands available. To enable such a feature in flask you need Flask-Script. It allows you to create commands such as runserver or shell. In listing below I created a runserver command:

from flask.ext.script import Manager, Shell, Server
from my_app.application import app

manager = Manager(app)
    Server(host='', port=7000, use_debugger=True)


To communicate between microservices I use REST. To ease yourself when creating resources and endpoints you can use Flask-RESTful. It is superuseful when you need to create REST API. It is easy- you specify endpoint with resource and rest is done by Flask-RESTful. It also has request parsing and it is very easy to create other representations like xml. The snippet below shows it:

from flask_restful import Resource

class MyResource(Resource):
    def get():
        return {'OK'}
def output_xml(data, code, headers=None):
    response = make_response(dicttoxml.dicttoxml(data), code)
    inject_headers(response, headers)
    return response

Marshallow & flask-marshallow

To serialize or deserialize objects you can use flask-marshallow. In code below, I created a simple Schema with id, name and url. Then when the user enters /api/custom/1 I can easily serialize objects from a database and return JSON.

ma = Marshmallow(app)

class CustomSchema(ma.Schema):
    id = ma.Int(dump_only=True)
    name = ma.Str(required=True)
    url = ma.Url(relative=True)

    def users():
        all_obj = Object.all()
        result = object_schema.dump(all_obj)
        return jsonify(


Most of the modern frameworks have support for ORM- the same is with Flask. There is an extension called Flask-SQLAchemy that adds support for SQLAlchemy. Take this snippet for instance:

from flask.ext.sqlalchemy import SQLAlchemy
db = SQLAlchemy(app)

class MyModel(db.Model):
    GROUP = 'group'
    USER = 'user'
    TYPES = [
        (GROUP, GROUP),
        (USER, USER),

    __tablename__ = 'my_model'
    id = db.Column(db.Integer, primary_key=True)
    model_type = db.Column(ChoiceType(TYPES))
    model_value_id = db.Column(db.Integer, db.ForeignKey(''))
    value = db.Column(db.String(1024))

    def __init__(self, model_type, model_value_id, value):
        self.share_type = share_type
        self.rule_value_id = rule_value_id
        self.value = value

I created MyModel class that will be translated to the table in a database. I also add columns to that table like model_type, model_value_id or value.

Flask SQLAlchemy is layer sitting on top of SQLAlchemy so you can use all advantages of ORM like having queries written in python.


When your database keeps getting larger there is a need for database migrations to make sure that everyone has the same database structure. To accomplish that we use Flask-Migrate. It is using Alembic under the hood so you have to make sure that adjust your migration files after generation. Example migration file can look as follows:

def upgrade():
        sa.Column('id', sa.Integer(), nullable=False),
        sa.Column('value', sa.String(length=1024), nullable=True),
        sa.Column('id', sa.Integer(), nullable=False),
        sa.Column('model_value_id', sa.Integer(), nullable=True),
        sa.Column('value', sa.String(length=1024), nullable=True),
        sa.ForeignKeyConstraint(['model_value_id'], ['']),

In snipped above I created two tables: my_model and my_model_values with respective columns. Also my_model_values has ForeignKey relation to my_model by their ids.


During the development of microservices, we write unit tests as well as integration ones. Testing how well microservices behave with each other can be tricky: we mock whole external services. Because of that, we need to keep them up to date with real microservices. Nature of this system causes some difficulties while an error occurs: I got an error from external microservice in most cases with a form of HTTP status code and a small message in JSON or XML. Then I need to debug not only my microservice but also external one.


After testing is done we deploy microservice using few tools:


We use puppet for managing and provisioning our microservices. Especially we use an R10k module for puppet: gtihub link.


To make sure that every microservice has the same structure we also use cookiecutter. Thanks to that puppet knows that config file is always in this location or there will be logs stored there. Example microservice structure will look as follows:

└── flask_microservice
    ├── AUTHORS.rst
    ├── debian
    ├── docs
    │   ├── make.bat
    │   ├── Makefile
    │   └── source
    │       ├── authors.rst
    │       ├──
    │       ├── contributing.rst
    │       ├── history.rst
    │       ├── index.rst
    │       ├── readme.rst
    │       ├── technical_details.rst
    │       └── usage.rst
    |── HISTORY.rst
    ├── README.rst
        ├── requirements.txt
        ├── setup.cfg
        ├── src
        │   ├── flask_microservice
        │   │   ├──
        │   │   ├── default_config.ini
        │   │   ├──
        │   │   └──
        │   └── tests
        │       ├──
        │       └──
        └── tox.ini


To distribute packages we use dh-virtualenv. This basically is taking python virtual enviroments and packing it to deb packages. So to have new code released we just run jenkins job to create new deb.

That's all for today! The slides from this presentation can be found here: presentation. Do you also use flask to build microservices? Please give your comments about that.

Special thanks to Kasia for being editor for this post. Thank you.

Cover image by NASA JPL - Nasa JPL under CC0 Public Domain.

To see comments and full article enter: Microservices in Flask

JSON Web Tokens in django application- part one

Recently I attended a workshop about web security. During these hours I learnt quite a lot but one thing got my attention- JWT. Based on that I decided to write a blog post series about how to use JSON Web Tokens in simple django application. Today it is the first part of this series.

What is JWT?

JWT aka JSON Web Tokens is a method of authentication. What it does: You as a user first send a request to the server saying: I want to login! And server gives you in response a long sequence of characters. As you get this sequence you can use it as a way to tell the server that you are the person you really are.

In a more technical sense: you send a request which logs you to service for example headers with login and password. In response, you got encrypted token. Then you want to get some info about another resource on the server that requires authentication. So to your request you simply add one more header with previously received token and that's all! You are authenticated.

JSON Web Token looks like this:


The header is a JSON that consists of a type of token (JWT) and which hash algorithm will be used (HMAC SHA256 or RSA). HMAC stands for keyed-Hash Message Authentication Code. Message Authentication Code (MAC) is used to confirm that message comes from the good sender and its integrity has not been changed. Keyed-Hash stands for hashing MAC in combination with a secret key.

The payload contains the claims. Claim store information user wants to transmit and server can use to properly handle authentication. There are a lot of registered claims but we will use only:

  • "exp" (Expiration Time) Claim
  • "nbf" (Not Before Time) Claim
  • "iss" (Issuer) Claim
  • "aud" (Audience) Claim
  • "iat" (Issued At) Claim

Payload will look like this:

  "exp": "1234567890",
  "name": "Krzysztof Zuraw",

Last part is a signature. It is basically the sum of all previously mentioned parts encoded in base64 + secret.

How can you use JWT and why?

When you get your response back from a server with JSON Web Token you can use it in header like this:

Authorization: Bearer <JWT token>

In comparison with another method of authentication: SAML, JWT is more compact. JSON format is widely used in programming word so there is no problem with parsers for that format.

That's all for today and stay tuned for the next post in blog series about JWT!

Other blog posts in this series:

Special thanks to Kasia for being editor for this post. Thank you.

Cover picture by Lalmch under CC0 Public Domain.

To see comments and full article enter: JSON Web Tokens in django application- part one

Archives from memory- libarchive

This blog post is about python wrapper around libarchive and how to use it to generate archive from memory.

Libarchive & python-libarchive-c

If you happen to learn more about how to create archives in various formats like tar, iso or zip I bet you heard about libarchive. It is widely used archive library written in C.

To use it within python you can choose from a few libraries but one that is currently maintained is called python-libarchive-c. When in my work I was to implement the feature of adding entries to archive from memory I decided to use existing module and give something back to a community in form of an open source contribution.

Add entry from memory

To make such a feature I have to reread carefully code examples in libarchive c itself. I also get familiar with few archive formats and their limitations. But enough talking lets jump to the code:

import requests
import libarchive

def create_archive_from_memory_file():
    response = requests.get('link', stream=True)

    with libarchive.file_writer('', 'zip') as archive:

if __name__ == '__main__':

My changes in code have not been released so make sure that you install python-libarchive-c from github like this (to run this script you also need requests library):

$ pip install git+

In this snippet, I use request feature that doesn't require loading the whole content of the response to memory but instead I add the argument: stream=True and then I use response.iter_content(chunk_size=1024). Rest of the code is simply calling add_file_from_memory with a path (entry_path) and size of the entry in an archive (entry_size).

Under the hood, python-libarchive-c is using c_types with ffi to call libarchive functions. At first, it setup path to entry then sets its size, filetype and permission which file will be saved in the archive. Then write the header and start iterating through the entry_data by chunks and write them. At the end, header is set and archive is ready for user.

To see it in action have snippet above as and run this script:

$ python
$ ls -la
-rw-r--r--. 1 kzuraw kzuraw 11M 09-24 13:04
-rw-rw-r--. 1 kzuraw kzuraw 511 09-24 12:59

That's all for this week. Feel free to comment and if you have any questions don't hesitate to ask them.

Special thanks to Kasia for being editor for this post. Thank you.

Cover image by Archivo-FSP under CC BY-SA 3.0.

To see comments and full article enter: Archives from memory- libarchive

Page 1 / 8