Reputation: 343
I am trying to create a simple web app for corporate use. Instead of creating a separate authentication method, I use the Requests library to send the credential input from an HTML form to my company website and check whether the request's status code is 200.
Question 1: Is this method safe compared to establishing separate authentication such as Flask-Login? As I know from some reading, the common practice is to take the hash of the password and compare it to the hash of the existing entry in the database.
Thank you in advance.
from flask import Flask, make_response, redirect, request, render_template, url_for
from flask_bootstrap import Bootstrap
import requests
from requests.auth import HTTPBasicAuth

app = Flask(__name__)
bootstrap = Bootstrap(app)


@app.route('/', methods=["GET", "POST"])
def login():
    if request.method == 'GET':
        return render_template('log.html')
    elif request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        # Forward the submitted credentials to the company site as HTTP Basic auth
        r = requests.get('MY COMPANY WEBSITE', auth=HTTPBasicAuth(username, password))
        # status_code is an int, so compare with 200, not the string '200'
        if r.status_code == 200:
            return redirect(url_for('index'))
        else:
            print(r)
            return render_template('login_fail.html', username=username, password=password)
Upvotes: 0
Views: 887
Reputation: 563
I'm afraid this is a very bad way to authenticate users.
This method does not have any security and opens up a lot of vulnerabilities in the system.
Also, you'll have to write this logic for each and every request, making it cumbersome and slowing the whole thing down (even though it's not by much).
There are a couple of methods that you could use:
1. Create an auth token using an algorithm and keep passing that on a request-by-request basis. The underlying premise here is that the auth token is like a key and it is up to the front end to ensure that the key is kept in a safe place. Auth tokens are the best case when you are writing services that third parties can use and need API-level access.
2. Use Flask-login and use the userloader function of flask to authenticate a user when they log in. Remember to hash the passwords on your server. This increases the security profile of your servers.
3. Use requestloader in flask-login. This is similar to (1) and you don't have to do a lot of heavy lifting.
Hope this helps
Upvotes: 1
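To make the answer's three suggestions concrete, here is an added example (mine, not code from the asker or the answerer, and not Flask-Login's own implementation) using only the Python standard library so it runs without Flask. It shows the server-side salted password hashing the answer asks for (method 2), issuing a random bearer token after a successful check (method 1), and a plain function that does what a Flask-Login request loader would do with the Authorization header on each request (method 3). The in-memory dictionaries, the user "alice", the PBKDF2 iteration count and the one-hour token lifetime are assumptions standing in for a real user table, token store and policy.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption: a real
# app would use its user table and a token/session table instead).
_USERS = {}   # username -> {"salt": bytes, "hash": bytes}
_TOKENS = {}  # token -> {"username": str, "expires": float}

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to your hardware
TOKEN_TTL_SECONDS = 3600      # assumed token lifetime


def register_user(username, password):
    """Store a salted PBKDF2-HMAC-SHA256 hash; the plaintext is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    _USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    record = _USERS.get(username)
    if record is None:
        # Still compute a hash so a missing user is not detectable by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def issue_token(username, now=None):
    """Method 1 from the answer: a random bearer token handed to the client."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[token] = {"username": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def login(username, password, now=None):
    """Check the password; on success return a token, otherwise None."""
    if not verify_password(username, password):
        return None
    return issue_token(username, now)


def load_user_from_request(headers, now=None):
    """Method 3: what a Flask-Login request_loader would do with the
    Authorization header, written as a plain function so it runs without Flask.
    Returns the username for a valid, unexpired token, otherwise None."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    entry = _TOKENS.get(token)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del _TOKENS[token]  # expired tokens are discarded, never reused
        return None
    return entry["username"]


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")  # constructed sample user
    tok = login("alice", "correct horse battery staple")
    print("token issued:", tok is not None)
    print("request user:", load_user_from_request({"Authorization": f"Bearer {tok}"}))
    print("bad password:", login("alice", "wrong"))
```

The same verify_password and load_user_from_request bodies are what you would put inside Flask-Login's user_loader and request_loader callbacks; the point is that the password check happens once at login against a hash you control, and every later request is authenticated by the token rather than by replaying the credentials to another site.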