Flask Digest Authentication

From:
Harit Himanshu
Date:
2013-04-04 @ 16:41
Hi

- I am developing a project in `Python` using `Flask` which will have
endpoints as

>     @app.route('/transaction', methods=['GET'])
>     def get():
>       ...
>
>     @app.route('/transaction', methods=['POST'])
>     def post():
>       ...

- Also, I would want the REST endpoints to be authenticated before the
method executes
- I searched a lot about this and found that [Digest Authentication][1] is
what I might need (I am not sure till now)

**Question**

- How can I implement such a security pattern using python and flask? any
examples available that I can see and learn from it?
- I would like not to pass passwords in plaintext, and using tokens is a
much better idea, so is considering HTTP digest authentication the right
choice?
- anything else that you people may want to recommend?

I want my server to be **stateless** and not store any session on server
side

Thank you
+ Harit Himanshu

  [1]: http://en.wikipedia.org/wiki/Digest_access_authentication

Re: [flask] Flask Digest Authentication

From:
Steven Kryskalla
Date:
2013-04-04 @ 17:07
On Thu, Apr 4, 2013 at 9:41 AM, Harit Himanshu
<harit.subscriptions@gmail.com> wrote:
> - How can I implement such a security pattern using python and flask? any
> examples available that I can see and learn from it?

There are two examples here for HTTP auth:

http://flask.pocoo.org/snippets/category/authentication/

I have also used the "barrel" library to do the same thing, it
provides a WSGI middleware for HTTP auth:

http://lukearno.com/projects/barrel/

Also, if you're running a web server in front of your app (like nginx
or apache) you can configure the authentication there as well.

> - I would like not to pass passwords in plaintext, and using tokens is a much
> better idea, so is considering HTTP digest authentication the right
> choice?
> - anything else that you people may want to recommend?
>
> I want my server to be **stateless** and not store any session on server
> side

Are you going to be using SSL? HTTP digest auth is barely a step above
sending plaintext passwords if the traffic is unencrypted.

If all you care about is that a client is required to know a shared
secret to access your app you could require them to send the secret
with every request (e.g. in an HTTP header or form parameter) or to
sign each request (e.g. using the secret & HMAC).
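The last suggestion above, signing each request with the shared secret and HMAC, can be done without any server-side session state. This is an added example, not code from the thread or from Flask; the header names (`X-Key-Id`, `X-Timestamp`, `X-Signature`), the key-id lookup table and the five-minute freshness window are assumptions.

```python
import hmac
import hashlib
import time

# Constructed sample credentials: key id -> shared secret. On a real server
# these come from a config store or database, never from source code.
CLIENT_SECRETS = {"client-1": b"correct horse battery staple"}

MAX_SKEW_SECONDS = 300  # reject signatures older than 5 minutes to limit replay


def canonical_string(method, path, timestamp, body):
    """Bind the signature to what the server will act on: verb, path, time, body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(secret, method, path, timestamp, body=b""):
    """Client side: HMAC-SHA256 over the canonical string, hex-encoded."""
    return hmac.new(secret, canonical_string(method, path, timestamp, body),
                    hashlib.sha256).hexdigest()


def verify_request(headers, method, path, body=b"", now=None):
    """Server side: stateless check of X-Key-Id / X-Timestamp / X-Signature.

    Returns True only if the key id is known, the timestamp is fresh and the
    recomputed MAC matches (constant-time compare)."""
    now = time.time() if now is None else now
    secret = CLIENT_SECRETS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False  # unknown client; do not reveal which check failed
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: likely a replay or a bad clock
    expected = sign_request(secret, method, path, ts, body)
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def make_headers(key_id, method, path, body=b"", timestamp=None):
    """Helper a client would use to build the three auth headers."""
    ts = int(time.time()) if timestamp is None else timestamp
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts),
            "X-Signature": sign_request(CLIENT_SECRETS[key_id], method, path, ts, body)}
```

In a Flask app this would be called from a `before_request` hook as `verify_request(request.headers, request.method, request.path, request.get_data())`, aborting with 401 on `False`.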

Re: [flask] Flask Digest Authentication

From:
Harit Himanshu
Date:
2013-04-24 @ 23:11
Thanks!
