7

Hi I was looking at flask-login at handles the session login nicely, this work good for templating and views where I have access to the session.

Nevertheless I have been trying to know if there is a way I can send a user_token to authorized a call. I looked at the documentstion and is very vague regarding this. It said that I should

  • Implement get_auth_token in my User object.
  • Decorte a @user_loader function that can load the user token base.

I have though seen the following (please correct me If I am wrong)

  • Cookie base to store the auth token is there a way I can decide to send the token as part of the parameters, body or in the headers insteado having to get it from the cookie.
  • I am not quite sure how to authenticate a call with auth token.
Necronet
  • 6,704
  • 9
  • 49
  • 89
  • Same issue here, let me know what you came up with. We’re about to fork Flask-Login. – Jökull Jan 22 '13 at 16:08
  • That would be great I was thinking the same cause I ended up not using OAuth to be a provider too much hassle to something as simple as I need it there was a thread about it http://librelist.com/browser//flask/2013/1/16/flask-login-mechanisim-to-authenticate-per-token-my-calls/ – Necronet Jan 22 '13 at 17:16

3 Answers3

9

I got a Way better approach that fits better my needs. Basically I extends LoginManager pretty easy and straighfoward if you take a look at the source of flask-plugin you come to realize that there is a call that is made @before_request there is a method called reload_user, this is the what I end up doing 

class CustomLoginManager(LoginManager):
    def reload_user(self):
        if request.headers.has_key('Authorization'):
            ctx = _request_ctx_stack.top
            ctx.user = User.get(token=request.headers['Authorization'])
            return
        super(CustomLoginManager,self).reload_user()

If in my header I pass an authorization key then I will try to load using this key instead of session based approach, of course I am going to need to add more security layer to this approach proably by signing the key but overall this was what I needed.

Thanks all.

BTW you can override a bunch of others method and I highly recomend to take a look at the plugin source, so you can understand more deeply what it does 644 lines of codes worth reading

https://github.com/maxcountryman/flask-login/blob/master/flask_login.py

Necronet
  • 6,704
  • 9
  • 49
  • 89
  • 1
    This is exactly what I needed. It lets me create a mobile API client that only deals with API calls using an X-Auth-Token header, while my regular web client can call the API using the regular auth session. Nice! – David Grandinetti May 01 '13 at 16:58
  • Don't know if this code is given before reload_user() function was given an extra parameter 'user'. To get this working today, please add: def reload_user(self, user=None): .... super(...).reload_user(user) – chfw Jan 29 '14 at 14:57
5

It seems like you're wanting something like OAuth instead of using Flask-Login. In case you don't know (quoted from Wikipedia), OAuth is a protocol that utilizes tokens in order to access resources on behalf of a resource owner. Think giving a user the ability to give out a valet key to certain portions of your site. Many sites, such as Google, Facebook, and Twitter use OAuth for authenticating third party clients in order to access certain user resources.

Right now, there's a split between the less flexible and less complex OAuth 1.0a and the more flexible but more complex OAuth 2.0. Many libraries exist for OAuth 1.0a in Python, but fewer for OAuth 2.0. However, there is a selection of those for OAuth 2.0 if stability isn't a top concern right now.

For the client, Flask-OAuth is available if you're going with OAuth 1.0a, and it is maintained by Armin, the Flask creator itself, so you can feel assured that it won't die. For the provider, there's an extension called Flask-OAuthProvider with OAuth 1.0a support. If you don't mind integrating it yourself and want 2.0 support, pyoauth2 provides you with both a client and a provider, though it looks less maintained.

Hopefully this helps you with exploring one possible avenue to utilize auth tokens, albeit without using Flask-Login. In my opinion, one shouldn't re-implement a protocol unless they understand it, so I recommend reading up about OAuth even if you decide not to use it. Many great articles exist on it, such as this article from Google and this one, too.

Smartboy
  • 672
  • 1
  • 8
  • 18
1

Just as an update, Flask-Login now has a 'header_loader' function, which can be used in conjunction with the standard 'user_loader'. Taken directly from the docs: 


@login_manager.header_loader
def load_user_from_header(header_val):
    if header_val.startswith('Basic '):
        header_val = header_val.replace('Basic ', '', 1)
    try:
        header_val = base64.b64decode(header_val)
    except TypeError:
        pass
    return User.query.filter_by(api_key=header_val).first()

Here's the link to the section in the Flask-Login docs

reptilicus
  • 10,290
  • 6
  • 55
  • 79