
I have a url http://localhost:8000/savings?sv=30

In Flask I retrieve the value using Jinja templates to display the value of sv on the screen:

{% set sv = request.args.get('sv', '') %}

<p>{{ sv }}</p>

Is it possible to prevent a user from editing the url to display a different value?

koopmac
Short answer: no. HTTP clients are free to send whatever they want in the url. Now if you explained your _real_ use case ([xy problem](http://xyproblem.info/) anyone ?), then perhaps someone could point you to the proper solution ;-) – bruno desthuilliers Apr 23 '20 at 08:58

1 Answer


For anyone else wondering, I have decided to use encode/decode to obscure the value of sv from users.

I have taken Martijn Pieters' advice to obscure the value as opposed to encrypting the value: Simple way to encode a string according to a password?

import zlib
from base64 import urlsafe_b64encode as b64e, urlsafe_b64decode as b64d

def obscure(data: bytes) -> bytes:
    return b64e(zlib.compress(data, 9))

def unobscure(obscured: bytes) -> bytes:
    return zlib.decompress(b64d(obscured))

where this link is sent to a user:

link = 'https://localhost:8000/savings?sv=' + bytes.decode(obscure(str.encode(amount)))

Which is then decoded when they click the link:

from flask import abort, render_template, request
# obscure/unobscure and zlib come from the block above; onboard is the Blueprint this route belongs to

@onboard.route('/savings', methods=['GET', 'POST'])
def savings():
    savings = request.args.get('sv', '')   # default avoids str.encode(None) raising TypeError
    try:
        savings = bytes.decode(unobscure(str.encode(savings)))
    except (ValueError, zlib.error):       # bad base64 padding or corrupt compressed data
        abort(400)
    return render_template('onboard/savings.html', savings=savings)
koopmac