librelist archives

Flask login mechanism to authenticate per token my calls

From: Jose Ayerdis
Date: 2013-01-16 @ 14:36

Hi, I was looking at flask-login and it handles the session login nicely; this
works well for templating and views where I have access to the session.

Nevertheless, I have been trying to find out whether there is a way I can send a
user_token to authorize a call. I looked at the documentation and it is very
vague regarding this. It said that I should:

   - Implement get_auth_token in my User object.
   - Decorate a @user_loader function that can load the user based on the token.

I have, though, seen the following (please correct me if I am wrong):

   - It uses a cookie to store the auth token. Is there a way I can decide to
   send the token as part of the parameters, body or in the headers instead of
   having to get it from the cookie?
   - I am not quite sure how to authenticate a call with an auth token.


Crossposted in

http://stackoverflow.com/questions/14335892/flask-login-mechanisim-to-authenticate-per-token-my-calls

Sincerely yours,

[Jose Luis Ayerdis Espinoza]
Necronet.info | LinkedIn <http://www.linkedin.com/pub/jose-luis-ayerdis-espinoza/28/7b4/704> | Careers StackOverflow <http://careers.stackoverflow.com/necronet>

Re: [flask] Flask login mechanism to authenticate per token my calls

From: Steven Kryskalla
Date: 2013-01-16 @ 15:47

On Wed, Jan 16, 2013 at 6:36 AM, Jose Ayerdis <joseayerdis@gmail.com> wrote:
> Nevertheless, I have been trying to find out whether there is a way I can send a
> user_token to authorize a call. I looked at the documentation and it is very
> vague regarding this.

Flask doesn't have much in the way of authorization built in, you need
to build it yourself or use an extension. Or are you talking about
flask-login?

> It uses a cookie to store the auth token. Is there a way I can decide to send the
> token as part of the parameters, body or in the headers instead of having to
> get it from the cookie?
> I am not quite sure how to authenticate a call with an auth token.

Your questions are a bit difficult to understand, but if you want to
validate a token for each request, and not use cookies, I would do it
in before_request, a view decorator [1], or as part of my form
validation (e.g. wtforms).

Here's a simple way to do it using before_request:

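from flask import abort, request

# app is the Flask application, AUTH_KEY the shared secret.
# request.values covers both the query string and form data.
@app.before_request
def authorize_request():
    if request.values.get('auth_key') != AUTH_KEY:
        abort(401)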

You could also check an HTTP header:

# Same check, reading the key from a request header instead.
@app.before_request
def authorize_request():
    if request.headers.get('Auth-Key') != AUTH_KEY:
        abort(401)

Doing it with a view decorator would look very similar.

If you do it as part of your form validation, you just validate it
like any other field. In wtforms (probably other form libraries too)
you can create a form that has this validation set up, then make all
your forms inherit from that to get the validation behavior on all
your forms.

[1]: http://flask.pocoo.org/docs/patterns/viewdecorators/
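
Added example (not part of the original thread and not flask-login's own code): the before_request check above, extended from one shared AUTH_KEY to per-user signed tokens sent in the Auth-Key header and compared in constant time. SECRET_KEY, MAX_AGE, the token layout, the helper names and the /whoami route are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-secret"  # assumption: load from config in real use
MAX_AGE = 3600                           # assumed token lifetime, in seconds

def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id, now=None):
    """Return 'user_id.issued_at.signature' for the given user."""
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}.{issued}"
    return f"{payload}.{_sign(payload)}"

def verify_token(token, now=None):
    """Return the user id of a valid, unexpired token, otherwise None."""
    try:
        user_id, issued, sig = token.rsplit(".", 2)
        age = (time.time() if now is None else now) - int(issued)
    except (AttributeError, ValueError):
        return None  # missing header or malformed token
    # compare_digest runs in constant time, unlike != on a secret value
    if not hmac.compare_digest(sig.encode(), _sign(f"{user_id}.{issued}").encode()):
        return None
    return user_id if 0 <= age <= MAX_AGE else None

def create_app():
    # Flask is imported here so the helpers above need only the standard library.
    from flask import Flask, abort, g, jsonify, request
    app = Flask(__name__)

    @app.before_request
    def authorize_request():
        # Reading a header keeps the token out of URLs and access logs.
        g.user_id = verify_token(request.headers.get("Auth-Key"))
        if g.user_id is None:
            abort(401)

    @app.route("/whoami")
    def whoami():
        return jsonify(user=g.user_id)

    return app
```

A client obtains a token from issue_token() after a normal login and sends it as the Auth-Key header on every call; no session cookie is involved.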

Re: [flask] Flask login mechanism to authenticate per token my calls

From: Jose Ayerdis
Date: 2013-01-16 @ 16:11

Sorry, I meant authentication instead of validation. I wanted to do it with
flask-login because it already comes with the alternative of doing it with
cookies, and it seems that it has a get_auth_token on the user object. But
it seems that it does not allow that behaviour.

I think that I could modify the flask-login extension to do what I want, which
is basically what you suggest in the before_request.

Thanks....

Sincerely yours,

[Jose Luis Ayerdis Espinoza]
Necronet.info | LinkedIn <http://www.linkedin.com/pub/jose-luis-ayerdis-espinoza/28/7b4/704> | Careers StackOverflow <http://careers.stackoverflow.com/necronet>
