Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to return 401 authentication from flask API?

Tags:

flask

python-2.7

basic-authentication

www-authenticate

I have developed an API in flask which is using HttpBasicAuth to authenticate users. API is working absolutely fine in fiddler and returning 401 when we pass wrong credential but when I am using the same on login page I am getting extra pop up from browser. I really don't want to see this extra pop-up which is asking for credential (default behaviour of browser when returning

401

with

WWW-Authenticate: Basic realm="Authentication Required"

).

It is working fine when deployed locally but not working when hosted on remote server.

How can we implement 401 which will not let browser to display popup asking for credentials.

like image 666
Mukesh Avatar asked Dec 19 '22 01:12

Mukesh

2 Answers

So, flask return statements are actually processed again before sending the data off to the client. You can actually send a tuple of two elements as a return statement. The second element is the status (https://en.wikipedia.org/wiki/List_of_HTTP_status_codes) If you are using the auth library, you can change this:

@auth.error_handler
def unauthorized():
    response = jsonify({'message':'Failed'})
    return response

To this:

@auth.error_handler
def unauthorized():
    response = jsonify({'message':'A winner is you'})
    return response, 404

If you don't want the popup message, change 401 to anything else.

like image 144
Quentin Mayo Avatar answered Dec 21 '22 15:12

Quentin Mayo

This is a common problem when working with REST APIs and browser clients. Unfortunately there is no clean way to prevent the browser from displaying the popup. But there are tricks that you can do:

  • You can return a non-401 status code. For example, return 403. Technically it is wrong, but if you have control of the client-side API, you can make it work. The browser will only display the login dialog when it gets a 401.

  • Another maybe a bit cleaner trick is to leave the 401 in the response, but not include the WWW-Authenticate header in your response. This will also stop the login dialog from appearing.

  • And yet another (that I haven't tried myself, but have seen mentioned elsewhere) is to leave the 401 and the WWW-Authenticate, but change the auth method from Basic to something else that is unknown to the browser (i.e. not Basic and not Digest). For example, make it CustomBasic.

like image 35
Miguel Avatar answered Dec 21 '22 13:12

Miguel
Sign in to Comment

Related questions

how to compare two files and print mismatched line number in python?
Python for loop with or?
Python 2.7 str(055) returns "45" instead of 055 [duplicate]
Python Windows `msvcrt.getch()` only detects every 3rd keypress?
Installing pip for Python 3.4 - Mac OS X
Python search by value
How can change the logo of Tkinter GUI screen
Remove duplicated lists in list of lists in Python
LookupError: Resource 'corpora/stopwords' not found
Why does simply importing a python module executes everything present in that module ? [duplicate]
Python: first element in a nested list
Change the priority of python sys.path
Python ImportError no module named statistics after downloading
Need Python 3.4 version of print() from __future__
How can split string in python and get result with delimiter?
Why request with ssl certification returns html?
After odoo installation, either CSS nor JS are found
Python trouble converting milliseconds to datetime and back
How to display messages while creating directories?
Best way to call Python class methods automatically upon instantiation

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!