jupyter_server

Have handlers be @web.authenticated by default ?

Open Carreau opened this issue 3 years ago • 1 comments

I've seen many extensions forgetting to put @web.authenticated on handlers; I'm tempted to think that AuthenticatedFileHandler should use __init_subclass__ – or whatever, peek at SUPPORTED_METHODS, and autowrap any handler in @web.authenticated unless the handler is marked with a specific @public decorator.

it's likely something like

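def __init_subclass__(cls):
    for verb in cls.SUPPORTED_METHODS:
        # SUPPORTED_METHODS holds upper-case verbs ("GET"); handler methods are lower-case ("get")
        meth = getattr(cls, verb.lower(), None)
        # wrap everything that is not explicitly marked public
        if meth and not getattr(meth, '_public', None):
            setattr(cls, verb.lower(), web.authenticated(meth))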

Hard part is likely deprecation and detecting methods that are already in @web.authenticated, though that should not be too hard as it sets the __wrapped__ attribute and wrapping twice with @web.authenticated should be a no-op.

I think from a security standpoint it's a strict gain and likely a net decrease in code size as well (I can find just on this repo at least 44 mentions of @web.authenticated.)

Carreau avatar Jan 18 '21 02:01 Carreau
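A runnable sketch of the secure-by-default wrapping proposed in the issue above, added here as an example and not jupyter_server's own code. It assumes a standard-library stand-in for tornado's `web.authenticated`; `SecureByDefaultHandler`, `public` and the `_auth_wrapped` marker are hypothetical names.

```python
import functools


def authenticated(method):
    """Stand-in for tornado's web.authenticated (assumption): deny if no current_user."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        if not self.current_user:
            raise PermissionError("403: authentication required")
        return method(self, *args, **kwargs)
    # Explicit marker: __wrapped__ alone is set by any functools.wraps decorator,
    # so it cannot tell an auth wrapper apart from, say, a logging wrapper.
    wrapper._auth_wrapped = True
    return wrapper


def public(method):
    """Explicit opt-out: the handler method stays reachable without login."""
    method._public = True
    return method


class SecureByDefaultHandler:
    """Hypothetical base class standing in for a tornado RequestHandler subclass."""
    SUPPORTED_METHODS = ("GET", "HEAD", "POST", "DELETE", "PATCH", "PUT", "OPTIONS")
    current_user = None

    def __init_subclass__(cls, **kwargs):
        super().__init_subclass__(**kwargs)
        for verb in cls.SUPPORTED_METHODS:
            name = verb.lower()  # verbs are upper-case, method names lower-case
            meth = getattr(cls, name, None)
            if meth is None or getattr(meth, "_public", False):
                continue  # not implemented, or deliberately public
            if getattr(meth, "_auth_wrapped", False):
                continue  # already decorated (or inherited wrapped): wrap once only
            setattr(cls, name, authenticated(meth))


class StatusHandler(SecureByDefaultHandler):  # constructed sample handler
    @public
    def get(self):
        return "ok"

    def post(self):  # decorator forgotten: wrapped automatically
        return "restarted"

    @authenticated
    def delete(self):  # decorated by hand: left as is
        return "deleted"
```
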

Having a secured by default core server, as extensions, sounds like a feature we need. We just need to clearly document that extensions will require authentication unless they add a @public decorator.

echarles avatar Jan 18 '21 07:01 echarles

@Zsailer I see that you had a commit referencing this issue, is there an associated PR or was it referenced by accident?

krassowski avatar Jan 16 '24 20:01 krassowski