
I've built out an API via Flask views, which users access using some endpoints at /api/v1/..... I'd like to authenticate users who make requests. What are ways to enforce authentication with my API? Is there a way to avoid building out a user model, and instead use Google or Github-based authentication?

I think Flask-OAuth or Flask-OAuthlib will be helpful. Commented Apr 6, 2017 at 14:18

1 Answer


I use flask-login which intercepts web requests with sessions and ones with a header. Requests from the web use Flask's session, requests from mobile apps send a header.

These methods return users for the given request. The API token is signed (tamperproofed) by itsdangerous, which powers Flask's cookies.

from flask_login import LoginManager
from itsdangerous import URLSafeSerializer, BadData

# CONFIG and the SQLAlchemy User model are the app's own objects (not shown here).
serializer = URLSafeSerializer(CONFIG['SECRET_KEY'])
login_manager = LoginManager()


def load_user_from_request(request):
    # API clients (e.g. mobile apps) send the signed token in an API-TOKEN header.
    token = request.headers.get('API-TOKEN')
    if token:
        try:
            # loads() verifies the signature before returning the payload.
            # Note: URLSafeSerializer tokens carry no timestamp, so they never expire.
            user_id = serializer.loads(token)["id"]
            user = User.query.filter(User.active == True, User.id == int(user_id)).first()
            if user:
                return user
        except BadData:
            # Signature did not verify: the token was forged or tampered with.
            pass
    return None


def load_user(id):
    # Browser requests: flask-login stores the user id in Flask's signed session.
    user = User.query.filter(User.active == True, User.id == int(id)).first()
    if not user:
        return None
    return user


login_manager.user_loader(load_user)
login_manager.request_loader(load_user_from_request)

This endpoint takes in an authentication request, checks the username and password and issues a token. The itsdangerous serializer makes a tamperproof version of your object. The client submits the same as a header. As long as the app's secret key is safe, your servers can confirm that signed objects were issued by your servers.

from flask import jsonify


@blueprint.route('/api_auth', methods=["POST"])
def api_auth():
    # ...check username and password (application-specific, elided in the answer);
    # on success, `user` is the authenticated User record.
    return jsonify({
        'API-TOKEN': serializer.dumps({'id': user.id})
    })

2 Comments

Thanks! It looks like you are using a local user model though -- I was wondering if anyone had implemented anything similar while using a 3rd-party authentication system.
There is no reason why the user "model" should be in some database. Flask-login could use an API for the action of logging in.
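The answer relies on itsdangerous to sign the token, so the verification steps are hidden inside `loads()`. The following is an added example (not code from the answer, from Flask or from itsdangerous) that reimplements the same signed-token pattern with only the Python standard library so that each check is visible: an HMAC over the payload, a constant-time signature comparison, and a max-age check, which goes one step beyond the answer because `URLSafeSerializer` tokens carry no timestamp (itsdangerous provides `URLSafeTimedSerializer` for that). It also reproduces the request loader's active-user lookup against a constructed in-memory user table. `SECRET_KEY`, `USERS`, the `iat` field and the one-hour `max_age` are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: stand-in for CONFIG['SECRET_KEY']; constructed value for the demo only.
SECRET_KEY = b"constructed-demo-secret-key-do-not-reuse"

# Constructed user table standing in for the answer's SQLAlchemy User model.
USERS = {
    1: {"id": 1, "name": "alice", "active": True},
    2: {"id": 2, "name": "bob", "active": False},   # deactivated account
}


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as in itsdangerous' URLSafe* serializers."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises binascii.Error (a ValueError) on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, secret: bytes = SECRET_KEY, now=None) -> str:
    """Sign {'id': user_id, 'iat': <issue time>} with HMAC-SHA256 -> 'payload.signature'."""
    issued_at = int(time.time() if now is None else now)
    body = _b64(json.dumps({"id": user_id, "iat": issued_at}, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, secret: bytes = SECRET_KEY, max_age: int = 3600, now=None):
    """Return the payload dict, or None if the token is malformed, forged or expired."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak timing about the signature.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
        if not isinstance(payload, dict) or "id" not in payload:
            return None
        current = time.time() if now is None else now
        if current - int(payload["iat"]) > max_age:
            return None           # token is older than max_age seconds
        return payload
    except (ValueError, KeyError, TypeError):
        return None               # bad base64, bad JSON, wrong field types, etc.


def load_user_from_request(headers: dict, secret: bytes = SECRET_KEY, now=None):
    """Mirror of the answer's request_loader: API-TOKEN header -> active user or None."""
    token = headers.get("API-TOKEN")
    if not token:
        return None
    payload = verify_token(token, secret, now=now)
    if payload is None:
        return None
    user = USERS.get(int(payload["id"]))
    if user and user["active"]:
        return user
    return None


if __name__ == "__main__":
    token = issue_token(1)
    print("issued:", token)
    print("valid  ->", load_user_from_request({"API-TOKEN": token}))
    body, sig = token.split(".")
    forged = _b64(json.dumps({"id": 2, "iat": int(time.time())}).encode()) + "." + sig
    print("forged ->", load_user_from_request({"API-TOKEN": forged}))
```

Everything the server trusts comes from a signature it computed itself, so changing the payload (the forged token in the demo), signing with a different key, or presenting a truncated token all fail closed. The inactive-user branch shows why the loader still queries the user store after verifying the signature: a valid token does not by itself mean the account may still log in.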
