I apologize in advance for asking a rather cryptic question. However, I did not understand it despite going through a lot of material. It would be great if you could shed some light on this.
What is the purpose of a request_loader in flask-login? How does it interact with the user_loader decorator?
If I am using a token based authentication system (I am planning on sending the token to my angularJS front end, storing the token there and sending that token in the authorization-token header), will I need a request_loader or will a user_loader (where I check the auth header and see if the user exists) suffice?
When you want to check whether the user has logged in manually rather than use the Flask-login API, then check the value of session['logged_in'] .
Flask-Security is now deprecated, so I wouldn't recommend using it in production.
Let you restrict views to logged-in (or logged-out) users. ( login_required ) Handle the normally-tricky “remember me” functionality. Help protect your users' sessions from being stolen by cookie thieves.
To verify users with Flask-Login's session_id for frontend requests through Angular, you must set the withCredentials
configuration flag to true
.
That is, if you are using Angular's $http.post(url,data [,config])
or $http.get(url [,config])
, make sure the config
object contains the property withCredentials
set to true. This will instruct the browser to use its cookies in the same way it would for a full-on page visit.
For example,
$http.post('/api/login',{username:'myusername',password:'mypassword'},{withCredentials:true})
will post
the data {username:'myusername',password:'mypassword'}
to your site/app's /api/login
route and, if you're using Flask-Login and are logged in, Flask will know.
You can set this behavior for all $http
service requests by setting
$httpProvider.defaults.withCredentials=true
somewhere in your app. Currently, I have that line of code in my app.config
block, which seems appropriate to me:
var myApp = angular.module('myApp');
myApp.config(function ($httpProvider) {
$httpProvider.defaults.withCredentials = true;
});
(Since this post is about Flask, folks may want to send form data through Angular in such a way that it can be found in request.form
, which has a similar solution, fyi.)
From the Flask-Login documentation:
Sometimes you want to login users without using cookies, such as using header values or an api key passed as a query argument. In these cases, you should use the request_loader callback. This callback should behave the same as your user_loader callback, except that it accepts the Flask request instead of a user_id.
So, to answer your question, they both serve the same function for Flask-Login. They are both used to load the user. request_loader
, however, is appropriate for custom logins.
Here's a great tutorial I found that utilizes request_loader
to take advantage of token based authentication (The post is not my own, I'm merely sharing the link): http://gouthamanbalaraman.com/blog/minimal-flask-login-example.html
I need to make this clear.
This is the reason why you shoud use request_loader
with flask_login.
There will be a lot of @login_required
from flask_login used in your api to guard the request access.
You need to make a request to pass the check of auth.
And there will be a lot of current_user
imported from flask_login,
Your app need to use them to let the request act as the identity of the current_user
.
There are two ways to achieve the above with flask_login.
Using user_loader
makes the request to be OK for @login_required
.
It is often used for UI logins from browser.
It will store session cookies to the browser and use them to auth later.
So you need to login only once and the session will keep for a time.
Using request_loader
will also be OK with @login_required
.
But it is often used with api_key or basic auth.
For example used by other apps to interact with your flask app.
There will be no session cookies,
so you need to provide the auth info every time you send request.
With both user_loader
and request_loader
,
now you got 2 ways of auth for the same api,
protected by @login_required
,
and with current_user
usable,
which is really smart.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With