
I'm trying to build a set of APIs for my iOS mobile app.

I use `Flask-RESTful` to build RESTful type of interfaces and `Flask-login` to help me handle user login issues.

However, I find that, when I use curl to log in, the server does return a success message, but when I then send a request to get a 'protected' page which only logged-in users can see, I get

{ "message": "The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required." }

If curl doesn't send some 'user credentials', does that mean that when my iOS app sends requests, the backend still can't recognize the user?

I don't quite understand how Flask deals with 'session', and I'm new to web development. Is there any solution?

Here is my code:

api.py

# -*- coding: utf-8 -*-

import hmac

import flask_login
from flask import request
from flask_restful import Resource

# api.py lives inside the `app` package, so import models through the package
# (a bare `from models import ...` fails under Python 3).
from app.models import users, User


class Login(Resource):
    def get(self):
        return 'POST JSON {"data": {"email": ..., "pw": ...}} to log in'

    def post(self):
        data = (request.get_json(silent=True) or {}).get('data') or {}
        email = data.get('email')
        pw = data.get('pw')

        # An unknown e-mail used to raise KeyError here; treat it as a failed
        # login and answer exactly like a bad password. Compare in constant time.
        if (email not in users or pw is None
                or not hmac.compare_digest(pw.encode('utf-8'),
                                           users[email]['pw'].encode('utf-8'))):
            return 'Bad login', 401

        user = User()
        user.id = email
        # login_user() puts the user id into Flask's signed session cookie; the
        # client has to send that cookie back on every later request.
        flask_login.login_user(user)
        return 'login success'


class Protected(Resource):
    @flask_login.login_required
    def get(self):
        return 'Logged in as: ' + flask_login.current_user.id

models.py

# -*- coding: utf-8 -*-
import hmac

import flask_login
from app import login_manager


# Demo store only: a real application stores a password hash, never the password.
users = {'foo@bar.tld': {'pw': 'secret'}}


class User(flask_login.UserMixin):
    pass


def check_password(email, pw):
    """Constant-time check of `pw` against the stored password for `email`."""
    if email not in users or pw is None:
        return False
    return hmac.compare_digest(pw.encode('utf-8'),
                               users[email]['pw'].encode('utf-8'))


@login_manager.user_loader
def user_loader(email):
    # Called when the session cookie carries a user id.
    if email not in users:
        return None

    user = User()
    user.id = email
    return user


@login_manager.request_loader
def request_loader(request):
    # Called when there is no session: lets a client authenticate each request
    # with form fields instead of a cookie.
    email = request.form.get('email')

    # UserMixin.is_authenticated is a read-only property, so it cannot be
    # assigned; reject the request by returning None instead.
    if not check_password(email, request.form.get('pw')):
        return None

    user = User()
    user.id = email
    return user

__init__.py

# -*- coding: utf-8 -*-

from flask import Flask
from flask_restful import Api
from flask_sqlalchemy import SQLAlchemy

import flask_login

app = Flask(__name__)
app.config.from_object("config")
# The secret key signs the session cookie; anyone who knows it can forge a
# logged-in session, so outside a demo load it from configuration, not source.
app.secret_key = 'yangjinglei'

api = Api(app)

login_manager = flask_login.LoginManager()
login_manager.init_app(app)

db = SQLAlchemy(app, use_native_unicode="utf8")

run.py

# -*- coding: utf-8 -*-

from app import app, api
from app.api import Login, Protected


api.add_resource(Login, '/login')
api.add_resource(Protected, '/protected')

if __name__ == '__main__':
    app.run(debug=True)
jinglei

1 Answer


By default Flask manages session with cookies. Citing the Sessions documentation:

This is implemented on top of cookies for you and signs the cookies cryptographically. What this means is that the user could look at the contents of your cookie but not modify it, unless they know the secret key used for signing.

You can manage cookies from curl cli. Refer to this answer

To write to a cookie file and start the cookie engine you can use: curl -c /path/to/cookiefile http://yourhost/

To read cookies from a file and start the cookie engine (or, if it isn't a file, pass on the given string): curl -b /path/to/cookiefile http://yourhost/

Another pattern that can be followed is server-side sessions.

xssChauhan
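The cookie flow the answer describes, as an added example that is not from the question or the answer: a stdlib-only Python simulation of a signed session cookie (a simplified stand-in for what Flask does through itsdangerous, not Flask's exact cookie format), a login and a protected endpoint, and a client run once without and once with a cookie jar, which is the part curl's -c and -b flags supply. `SECRET_KEY`, `USERS` and every function name here are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the original post).
SECRET_KEY = b'demo-secret-change-me'
USERS = {'foo@bar.tld': {'pw': 'secret'}, 'admin@bar.tld': {'pw': 'other'}}


def sign_session(payload):
    """Serialise `payload` as base64(json).base64(mac).

    The payload is only encoded, not encrypted, so a client can read it, but
    the HMAC keyed with SECRET_KEY means it cannot be altered undetected.
    """
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return (body + b'.' + base64.urlsafe_b64encode(mac)).decode()


def load_session(cookie_value):
    """Return the payload dict if the signature verifies, otherwise None."""
    try:
        body, mac_b64 = cookie_value.encode().split(b'.', 1)
        expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(base64.urlsafe_b64decode(mac_b64), expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None


def peek_session(cookie_value):
    """What any client can do: read the payload without knowing the key."""
    return json.loads(base64.urlsafe_b64decode(cookie_value.split('.', 1)[0]))


def login(email, pw):
    """Simulated POST /login -> (status, body, Set-Cookie value or None)."""
    stored = USERS.get(email)
    if stored is None or not hmac.compare_digest(pw.encode(), stored['pw'].encode()):
        return 401, 'Bad login', None
    # Like flask_login.login_user(): only the user id goes into the cookie.
    return 200, 'login success', sign_session({'user_id': email})


def protected(cookie_value):
    """Simulated GET /protected: needs a valid session cookie."""
    session = load_session(cookie_value) if cookie_value else None
    if not session or session.get('user_id') not in USERS:
        return 401, 'Unauthorized'
    return 200, 'Logged in as: ' + session['user_id']


class CookieJar(dict):
    """What curl -c/-b adds: Set-Cookie values remembered between requests."""


def run_curl_without_jar():
    """Two separate curl processes: the login cookie is dropped, so 401 follows."""
    login('foo@bar.tld', 'secret')          # server sets a cookie nobody keeps
    return protected(None)


def run_curl_with_jar():
    """curl -c writes the cookie after login, curl -b replays it: 200 follows."""
    jar = CookieJar()
    _, _, cookie = login('foo@bar.tld', 'secret')
    if cookie:
        jar['session'] = cookie
    return protected(jar.get('session'))


def run_tampered_cookie():
    """Editing the readable payload without the key invalidates the signature."""
    _, _, cookie = login('foo@bar.tld', 'secret')
    mac = cookie.split('.', 1)[1]
    forged_body = base64.urlsafe_b64encode(
        json.dumps({'user_id': 'admin@bar.tld'}).encode()).decode()
    return protected(forged_body + '.' + mac)


if __name__ == '__main__':
    print(run_curl_without_jar())   # (401, 'Unauthorized')
    print(run_curl_with_jar())      # (200, 'Logged in as: foo@bar.tld')
    print(run_tampered_cookie())    # (401, 'Unauthorized')
```

The same three outcomes hold against the real app: a login request whose Set-Cookie is discarded leaves the next request anonymous, a replayed cookie is accepted, and a cookie whose payload is edited fails the signature check. Flask's test client keeps cookies between requests on its own, which is why the problem shows up with curl but not in in-process tests.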