Flask-HttpAuth and Flask-Login

Question

I am creating a small REST service. I am looking for different authentication methods. For sites I used the module Flask-Login. It seems the session authentication. The module Flask-HttpAuth provides the http and digest authentication methods. I am little bit confused. Do they complement each other? What is better to use for what is a reason?

Thank you.

Answer 1

For a REST service you do not need Flask-Login. Typically in web services you do not store client state (what Flask-Login does), instead you authenticate each and every request. Flask-HTTPAuth does this for you.

You would use both only if you have an application that has a web component and a REST API component. In that case Flask-Login will handle the web app routes, and Flask-HTTPAuth will handle the API routes.

Disclaimer: I'm the author of Flask-HTTPAuth.

Answer 2

You can setup Basic Auth for Flask in a very simple way, without further modules, using decorators.

Take a look at: http://flask.pocoo.org/snippets/8/.

With flask-restful, just add method_decorators = [required_auth] to the Resource class attributes.

You can extend the snippet above, to allow for example user retrieval from a database.

Note that in a REST architecture, requests are stateless: you don't use sessions, but send identification tokens along with every request (see http://broadcast.oreilly.com/2009/12/principles-for-standardized-rest-authentication.html).

Answer 3

Yes they complement each other.

You can also take a look at Flask-security, an all-in-one lib:

https://pythonhosted.org/Flask-Security/

• Session based authentication
• Role management
• Password encryption
• Basic HTTP authentication
• Token based authentication
• Token based account activation (optional)
• Token based password recovery / resetting (optional)
• User registration (optional)
• Login tracking (optional)
• JSON/Ajax Support