Flask-login token loader

From:
Ben Judson
Date:
2012-09-26 @ 13:38
I'm setting up a Flask app with the flask-login extension. The flask-login
documentation recommends setting up an alternative token generator that 
does not simply use the user ID and app secret to create the session token
(which is the default method). But it doesn't provide any clear 
recommendations for how to do this.

So, for User.get_auth_token(), I'm using the make_secure_token function 
with the user email and password as parameters (so I get a hash of these 
parameters + app secret).

Next, I need to be able to get the user from the token with the 
token_loader callback. The default method for generating tokens in 
flask-login is to include both the raw user ID and a hash of the user ID +
app secret. That makes finding the user from the token pretty simple - 
just grab the ID and look up the user.

But should I be exposing the user ID in the session token at all? If I 
don't, should I store the session token in the database or somewhere else 
with the user ID to make a lookup possible?

In short: does anyone know what the best practice is for creating a secure
token & corresponding token_loader callback?

Re: [flask] Flask-login token loader

From:
Matt Wright
Date:
2012-09-26 @ 14:15
You can take a look at what I'm doing with Flask-Security here:

https://github.com/mattupstate/flask-security/blob/develop/flask_security/core.py#L94

I'm using itsdangerous <http://packages.python.org/itsdangerous/> for
generating tokens, however.

On Wed, Sep 26, 2012 at 9:38 AM, Ben Judson <ben@saharagray.com> wrote:

> I'm setting up a Flask app with the flask-login extension. The flask-login
> documentation recommends setting up an alternative token generator that
> does not simply use the user ID and app secret to create the session token
> (which is the default method). But it doesn't provide any clear
> recommendations for how to do this.
>
> So, for User.get_auth_token(), I'm using the make_secure_token function
> with the user email and password as parameters (so I get a hash of these
> parameters + app secret).
>
> Next, I need to be able to get the user from the token with the
> token_loader callback. The default method for generating tokens in
> flask-login is to include both the raw user ID and a hash of the user ID +
> app secret. That makes finding the user from the token pretty simple - just
> grab the ID and look up the user.
>
> But should I be exposing the user ID in the session token at all? If I
> don't, should I store the session token in the database or somewhere else
> with the user ID to make a lookup possible?
>
> In short: does anyone know what the best practice is for creating a secure
> token & corresponding token_loader callback?
>

Re: [flask] Flask-login token loader

From:
Ben Judson
Date:
2012-09-26 @ 16:21
Ah, ok, I see what you are doing. So the user ID is passed in the token, 
but serialized along with the password hash. That makes sense.

thanks,
Ben.

On Sep 26, 2012, at 9:15 AM, Matt Wright wrote:

> You can take a look at what I'm doing with Flask-Security here:
>
> https://github.com/mattupstate/flask-security/blob/develop/flask_security/core.py#L94
>
> I'm using itsdangerous for generating tokens, however.
>
> On Wed, Sep 26, 2012 at 9:38 AM, Ben Judson <ben@saharagray.com> wrote:
> I'm setting up a Flask app with the flask-login extension. The
> flask-login documentation recommends setting up an alternative token
> generator that does not simply use the user ID and app secret to create
> the session token (which is the default method). But it doesn't provide
> any clear recommendations for how to do this.
>
> So, for User.get_auth_token(), I'm using the make_secure_token function
> with the user email and password as parameters (so I get a hash of these
> parameters + app secret).
>
> Next, I need to be able to get the user from the token with the
> token_loader callback. The default method for generating tokens in
> flask-login is to include both the raw user ID and a hash of the user ID +
> app secret. That makes finding the user from the token pretty simple -
> just grab the ID and look up the user.
>
> But should I be exposing the user ID in the session token at all? If I
> don't, should I store the session token in the database or somewhere else
> with the user ID to make a lookup possible?
>
> In short: does anyone know what the best practice is for creating a
> secure token & corresponding token_loader callback?
>
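The scheme the thread settles on (the user ID travels in the token, serialized together with something derived from the password hash and signed with the app secret, and the token_loader verifies the signature and the password binding before looking anything up) as an added, stand-alone example; it is not Flask-Security's code nor the itsdangerous-based implementation Matt links. It uses only the standard-library hmac/base64/json modules in place of itsdangerous, and the app secret, user table and "password hash" values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed app secret and in-memory user table standing in for the Flask
# SECRET_KEY and the users table; the "hash" values are placeholders.
APP_SECRET = b"constructed-example-secret-key"
USERS = {42: {"email": "alice@example.com",
              "password_hash": "pbkdf2-sha256$constructed-hash-for-alice"}}

def _password_fingerprint(password_hash):
    # Binds the token to the current password without placing the stored hash
    # itself in the token: a password change changes the fingerprint.
    return hashlib.sha256(password_hash.encode()).hexdigest()

def _sign(payload):
    return hmac.new(APP_SECRET, payload, hashlib.sha256).hexdigest()

def get_auth_token(user_id):
    # What User.get_auth_token() returns: base64([user_id, fingerprint]).hmac
    user = USERS[user_id]
    payload = json.dumps([user_id, _password_fingerprint(user["password_hash"])]).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return body + "." + _sign(payload)

def load_user_from_token(token):
    # The token_loader callback: returns the user record, or None for any bad token.
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:
        return None
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    try:
        user_id, fingerprint = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(user_id, int) or not isinstance(fingerprint, str):
        return None
    user = USERS.get(user_id)
    # A token issued before a password change no longer matches: treat it as revoked.
    if user is None or not hmac.compare_digest(
            _password_fingerprint(user["password_hash"]).encode(), fingerprint.encode()):
        return None
    return user
```

The user ID is readable by anyone holding the token, but it cannot be swapped for another ID without the app secret, and changing the password invalidates every token issued before the change without any server-side token storage.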