Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Securing RESTapi in flask

Tags:

python

rest

flask

restful-authentication

The app I'm deving uses a lot of ajax calls. Unfortunately I hit a snag when researching on how to restrict access to the api. For example:

  • i have table that does an ajax call to http://site/api/tasks/bob
    i need to make sure that only bob, logged in, can read that table (otherwise somebody who knows the pattern might request to see bob's tasks by simply entering the url in the browser).
  • on a different page,the same table needs to be able to call http://site/api/tasks/all and show the tasks of all users (only an admin should be able to do that)

Thank you for your time reading this and maybe answering it.

like image 253
pocorschi Avatar asked Aug 08 '11 21:08

pocorschi

People also ask

How do you secure a REST API Flask?

Integrate the Security Library The code for a working OAuth secured Python Flask API is provided below: The OAuth filter is configured to run before API requests. The filter verifies the token signature and the expected issuer / audience claims. API routes can then access JWT claims in the request object.

How can I secure my REST API?

Use HTTPS/TLS for REST APIs As one of the most critical practices, every API should implement HTTPS for integrity, confidentiality, and authenticity. In addition, security teams should consider using mutually authenticated client-side certificates that provide extra protection for sensitive data and services.

Is Flask GOOD FOR REST API?

However, as it is a newer framework, many more resources and libraries are compatible with frameworks like Django and Flask but not with FastAPI. Being lightweight, easy to adopt, well-documented, and popular, Flask is a good option for developing RESTful APIs.

1 Answers

The thousand-foot view is you need to authenticate the user either with:

A) HTTP-Auth (either basic or digest) on each request.

B) Server-side sessions. (The user authenticates and receives a session key - their user information is stored in the session backend on the server, attached to that key Once they have a session they can make requests passing their session key back to you (either in the URL or in a cookie) and the information they have access to is returned to them.)

Flask has a pair of useful extensions that deal with a large part of this sort of thing - check out Flask-Login and Flask-Principal to see examples of how authorization can be added to a Flask application.

like image 83
Sean Vieira Avatar answered Nov 10 '22 09:11

Sean Vieira
Sign in to Comment

Related questions

C-extension in Python - return Py_BuildValue() memory leak problem
Call a function in Python and pass only the arguments it expects
Selecting Null in SQLAlchemy
Putting other widgets in gtk.Menu
How to specify something other than pk or slug for DetailView
Matplotlib quiver scale
Python - good practice to catch errors
Python terminal emulation
write CSV columns out in a different order in Python
Efficiently generate a lattice of points in python
Custom placeholder like None in python
Django - how to set blank = False, required = False
Superclass of bytes and bytearray?
Opening the Excel application from Python
How do I install a DMG file from the command line?
How to get the offending line when using IronPython with C#/.NET as host, on a runtime error?
Running a .py file in browser
Conditionally show and hide a form field and set the field value
Yahoo BOSS V2 authorization troubles
for loops in python

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!