Written by RJ Marcus on April 8, 2015.
In order to protect our site from spam, unwanted responses, and general attacks, we decided to use Tornado's built-in authentication support to screen visitors before allowing them in. This functionality is elegant and simple to use because the programmer only needs to add the “@authenticated” decorator at the top of a request handler to check whether the requester holds the cookies required to view the page. The tricky part of the implementation is distributing those cookies.
When the site is accessed through any normal URL, the user is redirected to the login page, which is meant for requesters and developers logging into the backend of the site. A secure cookie is issued once the user logs in with the correct username and password. Before either value is used in a query, it is checked for the expected string characteristics (enough characters, no special characters, etc.). Usernames and passwords are kept in a separate database, and queries against that database use placeholders rather than string concatenation.
On the other hand, GETs from workers arriving from Amazon are expected to enter through a specific URL suffix, “/hit/”. Workers are automatically handed a cookie derived from their workerID and the hitID of the HIT they are performing. This cookie lets them stay within the “/hit/” portion of the site and expires when they leave it.
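The pieces described above, as an added standalone example that is not the site's own code: input checks on the credentials before they reach a placeholder query against a separate credentials database, an HMAC-signed cookie with an expiry in the style of a secure cookie (a simplified stand-in, not Tornado's own cookie format), and a worker cookie built from the workerID and hitID. The secret, the in-memory database, the user record, the character rules and the one-hour worker TTL are all constructed for the example.

```python
import hashlib
import hmac
import re
import sqlite3
import time

SECRET = b"constructed-demo-secret"            # placeholder, not a real key
NAME_RE = re.compile(r"^[A-Za-z0-9_]{4,32}$")  # enough characters, no specials


def credentials_well_formed(username, password):
    """Reject malformed input before it is used in any query."""
    return (bool(NAME_RE.match(username))
            and 8 <= len(password) <= 64 and password.isalnum())


def password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def open_user_db():
    """Constructed in-memory stand-in for the separate credentials database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    salt = b"demo-salt-16byte"
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("rjmarcus", salt, password_hash("correcthorse1", salt)))
    return conn


def check_login(conn, username, password):
    if not credentials_well_formed(username, password):
        return False
    # Placeholder keeps the username out of the SQL text entirely.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], password_hash(password, row[0]))


def sign_cookie(value, ttl_seconds, now=None):
    """value|expiry|HMAC, so both payload and expiry are covered by the tag."""
    exp = str(int((now or time.time()) + ttl_seconds))
    mac = hmac.new(SECRET, f"{value}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{exp}|{mac}"


def verify_cookie(cookie, now=None):
    """Return the cookie's value, or None if it is malformed, forged or expired."""
    try:
        value, exp, mac = cookie.rsplit("|", 2)
        expected = hmac.new(SECRET, f"{value}|{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected) or int(exp) < (now or time.time()):
            return None
    except (ValueError, TypeError):
        return None
    return value


def worker_cookie(worker_id, hit_id):
    """Cookie handed to a worker entering via /hit/; ties them to one HIT."""
    return sign_cookie(f"{worker_id}:{hit_id}", ttl_seconds=3600)
```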