pocorschi

Reputation: 3665

Securing REST API in Flask

The app I'm developing uses a lot of AJAX calls. Unfortunately, I hit a snag when researching how to restrict access to the API. For example:

Thank you for your time reading this and maybe answering it.

Upvotes: 8

Views: 6148

Answers (1)

Sean Vieira

Reputation: 159905

The thousand-foot view is you need to authenticate the user either with:

A) HTTP-Auth (either basic or digest) on each request.

B) Server-side sessions. (The user authenticates and receives a session key - their user information is stored in the session backend on the server, attached to that key. Once they have a session they can make requests passing their session key back to you (either in the URL or in a cookie) and the information they have access to is returned to them.)

Flask has a pair of useful extensions that deal with a large part of this sort of thing - check out Flask-Login and Flask-Principal to see examples of how authorization can be added to a Flask application.

Upvotes: 14
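
Option B from the answer above, as an added example that is not code from the answer or from Flask: server-side sessions using only the Python standard library, independent of any web framework. The names `USERS`, `SESSIONS`, `login`, `authenticate`, `api_get_profile`, the TTL and the sample credentials are constructed for illustration; in a Flask app the `authenticate` check would run before each API view, with the key read from the session cookie.

```python
import hashlib, hmac, secrets, time

SESSION_TTL = 900                   # seconds a session stays valid (assumed value)
_SALT = secrets.token_bytes(16)     # one salt for this demo; use a per-user salt in practice

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed sample user store: only password hashes are kept, never plaintext.
USERS = {"alice": {"pw": _hash("correct horse"), "role": "admin"}}
# Session backend: random session key -> user information held on the server.
SESSIONS = {}

def login(username, password, now=None):
    """Return a fresh session key on success, None on failure."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    candidate = _hash(password)     # hash even for unknown users to keep timing uniform
    if user is None or not hmac.compare_digest(candidate, user["pw"]):
        return None
    key = secrets.token_urlsafe(32) # unguessable; carries no user data itself
    SESSIONS[key] = {"user": username, "role": user["role"],
                     "expires": now + SESSION_TTL}
    return key

def authenticate(session_key, now=None):
    """Resolve a session key sent by the client to its server-side record."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(session_key or "")
    if sess is None:
        return None
    if sess["expires"] <= now:      # expired: drop it so the key cannot be reused
        SESSIONS.pop(session_key, None)
        return None
    return sess

def logout(session_key):
    SESSIONS.pop(session_key, None)

def api_get_profile(session_key, now=None):
    """A protected API endpoint: returns (HTTP status, JSON-able body)."""
    sess = authenticate(session_key, now)
    if sess is None:
        return 401, {"error": "authentication required"}
    return 200, {"user": sess["user"], "role": sess["role"]}
```

The client only ever holds the random key; the role and identity are looked up on the server for every request, so they cannot be altered client-side.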
