How to validate URL parameters in Flask

Question

This is my first application using Flask and Python.

I am using below URL format to send a POST request from Arduino to the flask application running on Pythonanywhere server instance.

Valid POST request: 3 URL parameters http://voyagers.pythonanywhere.com/senddata?node=1234&lat=18.5580&lng=73.8075

I need to block the request from further processing by validating the URL in some form. I want this to secure my app from un-authenticated POST requests.

Say something like this:Anything more than 3 URL Parameters http://voyagers.pythonanywhere.com/senddata?node=324&lat=18.5580&lng=73.8075&a=c&a=d

How can I achieve this in Flask ?

Also suggest , If there is any better way which could be used to secure application from un-authorised requests.

Answer 1

You can get flask to validate the parameters and throw an error automatically if you are willing to switch from URL parameters (i.e. anything after the '?' symbol in the URL) to path parameters (i.e. anything that is in the Path HTTP header, or the part of the URL after the first '/' and abefore the '?').

Your example could look like this:

@app.route('/post/<int:node_id>/<float:lat>/<float:lng>', methods=['POST'])
def process_post_request(node_id, lat, lng):
    # do some work
    return your_result

Then you could send request to URL that would look for example like this: http://example.com/post/1234/-11.45/21.34

You can find more about this here: http://flask.pocoo.org/docs/0.12/quickstart/#variable-rules

For securing access you can use some of the example snippets here: http://flask.pocoo.org/snippets/category/authentication/

I would recommend restricting access to HTTPS only and using the basic auth if you are just playing around. This is something you can do with a simple decorator as described here: http://flask.pocoo.org/snippets/8/

You will get a prompt in your browser asking you for username and password and browser will remember it for the duration of the session. Alternatively, you can set the username and password in base64 encoded form in the Authorization header: https://en.wikipedia.org/wiki/Basic_access_authentication