Securing RESTapi in flask

The app I'm developing uses a lot of ajax calls. Unfortunately I hit a snag when researching how to restrict access to the api. For example:

  • I have a table that does an ajax call to http://site/api/tasks/bob
    I need to make sure that only bob, logged in, can read that table (otherwise somebody who knows the pattern might request to see bob's tasks by simply entering the URL in the browser).
  • on a different page, the same table needs to be able to call http://site/api/tasks/all and show the tasks of all users (only an admin should be able to do that)

Thank you for your time reading this and maybe answering it.

asked Aug 08 '11 21:08 by pocorschi




1 Answer

The thousand-foot view is you need to authenticate the user either with:

A) HTTP-Auth (either basic or digest) on each request.

B) Server-side sessions. (The user authenticates and receives a session key; their user information is stored in the session backend on the server, attached to that key. Once they have a session they can make requests passing their session key back to you (either in the URL or in a cookie) and the information they have access to is returned to them.)

Flask has a pair of useful extensions that deal with a large part of this sort of thing - check out Flask-Login and Flask-Principal to see examples of how authorization can be added to a Flask application.

answered Nov 10 '22 09:11 by Sean Vieira
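The session-based approach in option B, worked through for the two routes in the question, as an added example that is not part of the original answer and not the code of Flask-Login or Flask-Principal. It uses only the Python standard library (a bare WSGI callable instead of a Flask app, so it runs with no extensions installed); the user table, task lists and passwords are constructed demo data, and the `request` helper drives the app in-process so the checks can be exercised without a network. The point it shows is that knowing the URL pattern is not enough: the client only ever holds a random session key, the server maps that key to a user, and every `/api/tasks/<name>` request is compared against that user (or the admin flag) before any data is returned.

```python
import hmac
import json
import secrets
from http.cookies import SimpleCookie

# Constructed demo data (not from the question). A real app stores password
# hashes, not plaintext, and keeps sessions in a backend such as Redis or a DB.
USERS = {
    "bob": {"password": "bob-secret", "is_admin": False},
    "alice": {"password": "alice-secret", "is_admin": True},
}
TASKS = {
    "bob": ["write report"],
    "alice": ["review budget"],
}

# Server-side session backend: session key -> username. The browser only
# holds the key; the identity it maps to never leaves the server.
SESSIONS = {}


def login(username, password):
    """Verify credentials and open a session; return the session key or None."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    key = secrets.token_urlsafe(32)  # unguessable, unlike a URL pattern
    SESSIONS[key] = username
    return key


def current_user(environ):
    """Resolve the session cookie to a username; None if absent or unknown."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def authorize_tasks(user, target):
    """Decide what `user` may see at /api/tasks/<target>: (status, payload)."""
    if user is None:
        return "401 Unauthorized", {"error": "login required"}
    is_admin = USERS[user]["is_admin"]
    if target == "all":
        if not is_admin:
            return "403 Forbidden", {"error": "admin only"}
        return "200 OK", TASKS
    # Ownership check comes before the existence check so a non-admin cannot
    # probe which usernames exist by watching 403 vs 404.
    if target != user and not is_admin:
        return "403 Forbidden", {"error": "not your tasks"}
    if target not in TASKS:
        return "404 Not Found", {"error": "no such user"}
    return "200 OK", {target: TASKS[target]}


def app(environ, start_response):
    """Minimal WSGI app: GET /api/tasks/<name>, guarded by the session check."""
    path = environ.get("PATH_INFO", "")
    prefix = "/api/tasks/"
    if environ.get("REQUEST_METHOD") != "GET" or not path.startswith(prefix):
        status, payload = "404 Not Found", {"error": "unknown route"}
    else:
        status, payload = authorize_tasks(current_user(environ), path[len(prefix):])
    body = json.dumps(payload).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


def request(path, session_key=None):
    """Call `app` in-process with an optional session cookie; (status, JSON)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if session_key:
        environ["HTTP_COOKIE"] = "session=" + session_key
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


if __name__ == "__main__":
    bob = login("bob", "bob-secret")
    alice = login("alice", "alice-secret")
    print(request("/api/tasks/bob"))          # no cookie: 401
    print(request("/api/tasks/bob", bob))     # 200, bob's own tasks
    print(request("/api/tasks/alice", bob))   # 403, someone else's tasks
    print(request("/api/tasks/all", bob))     # 403, not an admin
    print(request("/api/tasks/all", alice))   # 200, admin sees everyone
```

With Flask-Login the `login`/`current_user` half is what the extension provides (`login_user`, `current_user`, `@login_required`); the `authorize_tasks` half, comparing the session's user to the resource being requested, is still the application's job, which is what Flask-Principal's needs and permissions are for.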