
I am trying to come up with a nice way of allowing a "non-interactive" authentication for access to certain views in my Flask webapp, which currently makes use of flask-login.

At the moment, users authenticate using a web form. Credentials are then checked, and if there's a match, I call flask_login.login_user(user), where user is the user object associated with the provided username and password. I then decorate any view that requires an authenticated user with the @flask_login.login_required decorator. This works well.

I now have the need to allow access to some specific pages using a headless browser, for PDF generation. What is the best approach for accomplishing this? I'm thinking either HTTP Digest Auth or token-based (supplied through the view through a GET parameter, perhaps?), but am not sure of the best way of going about this, and how it will fit in with flask-login.

Ultimately, I'll need to call flask_login.login_user(user) (where user is the system user associated with the provided token/digest credentials) somehow, but bypassing the normal redirect back to the login page in cases where alternative credentials have been supplied. Should I be writing a new decorator (like @token_required), or is there a better way of accomplishing this?

Joseph Redfern
  • Yes, you will need token-based authentication. Not as a GET parameter, but as an HTTP header; in the Authorization header. There is tons of online material and implementations for this that you can use that have already implemented the @token_required you are talking about. https://stackoverflow.com/questions/32510290/how-do-you-implement-token-authentication-in-flask – Vasif Aug 22 '17 at 23:20
  • More: https://blog.miguelgrinberg.com/post/restful-authentication-with-flask, https://www.reddit.com/r/flask/comments/5pwbr6/tokenbased_authentication_with_flask/, https://realpython.com/blog/python/token-based-authentication-with-flask/, https://stackoverflow.com/questions/32925893/token-based-authentication-in-flask – Vasif Aug 22 '17 at 23:21
  • How do you plan to keep session at the headless client? Does it support cookies? – geckos Aug 22 '17 at 23:22
  • He can use JWT when it comes to tokens. – Vasif Aug 22 '17 at 23:26
  • @Vasif Thanks for the links. HTTP header auth is one option, and if I was writing an API then it's certainly the route I'd take. However, it would be useful to be able to share a URL to this page too (to users), and not all headless browsers seem to (easily) support custom headers, so I'd like to avoid that route if possible. – Joseph Redfern Aug 22 '17 at 23:28
  • @geckos I don't think I'll need to keep session... but I'd not given it that much thought to be honest. I should have support for cookies and sessions if need be, though. – Joseph Redfern Aug 22 '17 at 23:29
  • If you don't need a session you don't need a decorator... If you're going stateful I vote for JWT – geckos Aug 22 '17 at 23:36
  • But the Authorization header is a standardized HTTP/1.1 header. It's been here since 1999, and most HTTP clients support it. You won't need sessions. But if you still want to implement your own `@token_required` decorator, you will still find that SO link helpful. Also, some reading about Python decorators comes in handy. edit: RFC for HTTP/1.1 https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8 – Vasif Aug 22 '17 at 23:43
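The question and comments discuss a `@token_required` decorator that lets a headless browser reach a report page by presenting a token (in the URL, since the asker wants a shareable link) and then calls `flask_login.login_user(user)` so the existing `@login_required` views keep working. The following is an added example, not code from the asker or any of the commenters and not part of flask-login: a short-lived, path-bound, HMAC-signed token plus a framework-agnostic decorator. The names `make_token`, `verify_token` and `token_required` are this example's own; the Flask wiring (`request.args.get("token")`, `request.path`, a `User` loader, `flask_login.login_user`) is passed in as callables and only described in comments, so the module runs without Flask installed.

```python
"""Added example: URL-safe signed tokens for one-off headless access to a
Flask view protected by flask-login.  Not the original post's code."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from functools import wraps


def _b64encode(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token survives a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(secret: bytes, user_id, path: str, ttl_seconds: int, now=None) -> str:
    """Mint ``b64(payload).b64(HMAC-SHA256(secret, payload))``.

    The payload binds the token to one user, one URL path and an expiry, so a
    leaked link cannot be replayed against other pages or long after it was
    issued.  ``now`` is injectable for tests; the default is wall-clock time.
    """
    now = int(time.time()) if now is None else int(now)
    claims = {"uid": user_id, "path": path, "exp": now + ttl_seconds,
              "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(mac)


def verify_token(secret: bytes, token, path: str, now=None):
    """Return the user id if ``token`` is authentic, unexpired and bound to
    ``path``; otherwise ``None``.  The MAC is checked in constant time and
    before any claim in the payload is trusted."""
    now = int(time.time()) if now is None else int(now)
    if not isinstance(token, str):
        return None
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, given_mac = _b64decode(payload_b64), _b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected_mac = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given_mac, expected_mac):
        return None
    claims = json.loads(payload)  # authentic at this point, so safe to parse
    if not isinstance(claims, dict):
        return None
    if claims.get("path") != path or claims.get("exp", 0) < now:
        return None
    return claims.get("uid")


def token_required(secret: bytes, get_token, get_path, load_user, login_user):
    """Decorator factory for a view that may also be reached with a token.

    Hypothetical Flask wiring (assumed, not shown running here):
      get_token  = lambda: request.args.get("token")   # token in the URL
      get_path   = lambda: request.path                # path the token must match
      load_user  = lambda uid: User.query.get(uid)     # your own user loader
      login_user = flask_login.login_user

    Stack it *outside* ``@flask_login.login_required``: with a valid token the
    user is logged in before the inner check runs; without one, the normal
    cookie-session / redirect-to-login behaviour is left untouched.
    """
    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            token = get_token()
            user_id = verify_token(secret, token, get_path()) if token else None
            user = load_user(user_id) if user_id is not None else None
            if user is not None:
                login_user(user)
            return view(*args, **kwargs)
        return wrapper
    return decorator
```

In the Flask app this would be used as `@token_required(app.secret_key, ...)` stacked above `@login_required` on the report route, with `make_token(app.secret_key, user.id, "/report/42", ttl_seconds=120)` called server-side right before launching the headless browser. Because a query-string token ends up in access logs, browser history and possibly `Referer` headers, keep the TTL to minutes, bind it to the exact path as above, and serve the page over HTTPS only. Note that `flask_login.login_user` also establishes a session cookie for the headless client; for a single PDF fetch that is harmless, but it means the token is effectively a session bootstrap, which is another reason to keep it short-lived.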

0 Answers