daydreamer

Reputation: 91939

How to achieve Python REST authentication

I am a newbie and I want to do the following

I have service endpoints like

from functools import wraps
from flask import Flask, abort

app = Flask(__name__)

def login_required(view):
    @wraps(view)
    def wrapper(*args, **kwargs):
        # Placeholder: the real authentication check belongs here
        # (that check is what this question asks about)
        authenticated = False
        if not authenticated:
            abort(401)
        return view(*args, **kwargs)
    return wrapper

# @app.route must be the outermost decorator: Flask registers whatever
# function it receives, so a decorator placed above it never runs.
@app.route('/')
@login_required
def home():
    pass

@app.route('/add')
@login_required
def add():
    pass

@app.route('/save')
@login_required
def save():
    pass

@app.route('/delete')
@login_required
def delete():
    pass

I am entirely new to REST world and don't really know how to achieve this.

Thank you

Upvotes: 2

Views: 999

Answers (3)

David Charboneau

Reputation: 21

First, a question, are you authenticating a user, a client, or both?

For authenticating a client I like HTTP MAC Authentication for REST service authentication. Take a look at the Mozilla Services macauthlib and how it's used in their pyramid_macauth project. You should be able to learn from pyramid_macauth as an example in applying macauthlib to secure your services. A search to see if anyone else has tried this with Flask is a good idea, too.

For authenticating users and clients, perhaps take a look at OAuth 2.0 proper (HTTP MAC Auth is a related specification).

I had hoped to post more links, however, this is my first post and it seems I have to earn my way to more links in a response. :)

Upvotes: 2

Raffaele

Reputation: 20885

Security is not for noobs. Use a framework and rely on its implementation. Study the source code, read blogs and papers, and at some point you'll be able to architect your own system.

There are many things that may go wrong, and once you deploy a protocol you may not be able to come back without breaking existing clients.

That said, the usual way for authenticating a request is by using a couple of tokens, usually called a public key and a private (secret) key. A variant is using the private key to generate a short-lived session token. Another variant is using an API key specific per client. Anyway, this token is usually sent in an HTTP header (either a standard cookie or a custom one), but it's also possible to use the request body. Usually they are not appended to the URL because the secret may end up in a log file. Also, you should pay attention to how and where to store the secret key.

Depending on the channel (plain HTTP) you may want to use an HMAC to sign requests instead of sending secrets in the wild. You have to watch out for replay attacks. Timing attacks are possible. Cryptographic collisions may be used to defeat your scheme. You may need tokens to avoid CSRF (this is not really needed if web browsers don't come into play, but you don't specify this).

Again, choose a framework and don't code anything by yourself. Broken software is usually OK to fix, but security holes can do real damage.

Upvotes: 1
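An added example (not from any answer on this page) of the HMAC-signed-request scheme described in the answer above, with a timestamp window and nonce record against replay and a constant-time comparison against timing attacks. The key id, the sample secret, the canonical string layout and the function names are assumptions of this example; a Flask `login_required` decorator would read the key id, timestamp, nonce and signature from request headers and call `verify_request`.

```python
import hashlib
import hmac
import time

# Per-client shared secrets, keyed by a public key id. Constructed sample
# values for this example, not real credentials.
CLIENT_SECRETS = {"client-1": b"0123456789abcdef0123456789abcdef"}
MAX_SKEW_SECONDS = 300   # reject signatures whose timestamp is older than this
seen_nonces = set()      # in production: a store shared by all front-ends


def canonical_string(method, path, timestamp, nonce, body):
    # Everything the signature covers, joined unambiguously; the body is
    # hashed so large payloads are covered without being re-sent.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(key_id, method, path, body, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical string, hex encoded."""
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    return hmac.new(CLIENT_SECRETS[key_id], msg, hashlib.sha256).hexdigest()


def verify_request(key_id, method, path, body, timestamp, nonce, signature, now=None):
    """Server side: return (ok, reason). Checks key id, freshness, nonce reuse,
    then the signature with a constant-time comparison."""
    now = time.time() if now is None else now
    secret = CLIENT_SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    seen_nonces.add(nonce)   # record only after a valid signature
    return True, "ok"
```

The nonce set is in-process here; for the multi-front-end setup discussed later on this page it would live in a shared store with an expiry of at least `MAX_SKEW_SECONDS`.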

Ifthikhan

Reputation: 1474

Looking at your API, it does not look like RESTful endpoints. The URI should represent a certain entity and not actions. For instance, if you are dealing with an entity such as user you could have yourdomain.com/user and perform various operations such as create, delete, update and fetch using HTTP verbs like POST, DELETE, PATCH and GET (given that you use Flask this can be achieved very easily).

In terms of security, I assume there are multiple schemes but the one which I have used is generating a session token given a key and secret via an initial authenticate call. I suggest you look for specialized online resources on generating key and secret pair as well as the session token.

In terms of scaling I guess your concern is that the sessions should not be specific to a given machine. The authentication data can be stored in a store separately from the HTTP front-ends. This way you can add additional webservers and scale your front-end or add additional data stores and scale either on a need basis.

Upvotes: 0
