63

I have an application that will use flask and mongodb; I will probably host it on rackspace.

I need to understand how flask authenticating works. I have not found much information on the subject. Is there a complete tutorial on how to roll your own solution? If not, I certainly would like to hear some thoughts on how you would approach it for a flask app.

Big PS:

I just thought about it. I also need to open a real API. A part of that API will be used for AJAX on the front end. How do I secure that part of the app?

Can anyone explain API auth requests?

David Segonds
pocorschi

3 Answers

68

I would suggest using the flask-login extension, it makes session management really easy to add to your flask application, and provides nice documentation which covers every aspect of the extension in detail.

David
mdeous
  • Is that a proven extension? Have you used it in production? How secure is it? – pocorschi Aug 07 '11 at 19:25
  • 1
    I've only used it in 1 application, and it looked to do its job right. However, if you're really worried by security, you may want to review its code (or the code of whatever library you'd use for this) by yourself anyway. – mdeous Aug 07 '11 at 20:46
  • 1
    It's pretty secure, IMHO. Uses MD5, you can change it to SHA2 if you're worried about collisions. – Dhaivat Pandya Aug 10 '11 at 09:31
  • 19
    While I have no reason to believe flask-login is insecure, I'd like to pipe in here and mention that flaunting this or that hash algorithm as a bar for security is very misleading. `security != algorithm` and `security != bit-length`! – Yaniv Aknin Dec 24 '12 at 12:00
  • 3
    @DhaivatPandya flask-login doesn't use any algorithm at all, because it is up to the programmer to validate — and store — the credentials. – dom0 Sep 02 '13 at 10:59
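As the comments above point out, Flask-Login only tracks who is logged in; how the password is stored and checked, and how the AJAX-facing API authenticates its caller, are left to the application. The following added example (not code from any of the answerers or from Flask-Login) shows both halves in plain standard-library Python: a salted PBKDF2 password hash with constant-time verification, of the kind a login view would call before handing the user to the session layer, and a signed, expiring bearer token an AJAX endpoint can check on each request. `SERVER_SECRET` and the stored-hash format are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Credential storage. A bare MD5/SHA2 digest is the wrong tool: use a salted,
# deliberately slow KDF and compare digests in constant time.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$hash_hex' (constructed format) for the user record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    _algo, rounds, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), hash_hex)


# API/AJAX part: a bearer token the server can verify without a database lookup.
# SERVER_SECRET is a constructed placeholder; load the real value from config.
SERVER_SECRET = b"constructed-example-secret-replace-me"


def issue_token(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Return 'base64url(user_id:expiry).hex(HMAC-SHA256)' for the client to send back."""
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{user_id}:{expires}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def check_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is genuine and unexpired, else None."""
    try:
        payload_b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        user_id, expires_str = payload.decode().rsplit(":", 1)
        expires = int(expires_str)
    except (ValueError, UnicodeDecodeError):  # malformed token: reject, never raise
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # check the signature before trusting any field
        return None
    if expires < int(time.time() if now is None else now):
        return None
    return user_id
```

A login view would call `verify_password` against the stored record and, on success, start the session and return `issue_token` to the front end; each AJAX endpoint then calls `check_token` on the token it receives and rejects the request when it returns `None`.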
16

I don't think that flask has any authentication built-in, only support for tracking sessions.

Here are some snippets for basic HTTP authentication and authentication with some third-party providers. Otherwise you will need to roll your own or use a framework that has this baked in (like Django).

Here is a discussion thread on this topic with a useful link.

rupello
  • Thanks rupello. That's indeed what I'm looking for. A step by step on how to roll my own. As far as I understand flask can keep track of sessions so I need to decorate the restricted functions in a checker of some sort. But what about the ajax part? And also... A paper would help me not screw things by making the wrong choices – pocorschi Aug 07 '11 at 13:57
6

Flask-Login doesn't, technically, do authentication - it does session management, leaving the (tricky to securely implement) authentication details to you. Something like Flask-Security actually implements both session management and authentication (also nice-to-haves like password recovery/reset and the like), at the cost of having to have explicit support for your database.

pjz