Provided by: python-flask-httpauth-doc_3.2.4-3.1_all 
NAME
flask-httpauth - Flask-HTTPAuth Documentation
Flask-HTTPAuth is a simple extension that simplifies the use of HTTP authentication with
Flask routes.
BASIC AUTHENTICATION EXAMPLE
The following example application uses HTTP Basic authentication to protect route '/':
from flask import Flask
from flask_httpauth import HTTPBasicAuth
app = Flask(__name__)
auth = HTTPBasicAuth()
users = {
"john": "hello",
"susan": "bye"
}
@auth.get_password
def get_pw(username):
if username in users:
return users.get(username)
return None
@app.route('/')
@auth.login_required
def index():
return "Hello, %s!" % auth.username()
if __name__ == '__main__':
app.run()
The get_password callback needs to return the password associated with the username given
as argument. Flask-HTTPAuth will allow access only if get_password(username) == password.
If the passwords are stored hashed in the user database then an additional callback is
needed:
@auth.hash_password
def hash_pw(password):
return md5(password).hexdigest()
When the hash_password callback is provided access will be granted when
get_password(username) == hash_password(password).
If the hashing algorithm requires the username to be known then the callback can take two
arguments instead of one:
@auth.hash_password
def hash_pw(username, password):
salt = get_salt(username)
return hash(password, salt)
For the most degree of flexibility the get_password and hash_password callbacks can be
replaced with verify_password:
@auth.verify_password
def verify_pw(username, password):
return call_custom_verify_function(username, password)
In the examples directory you can find an example called basic_auth.py that shows how a
verify_password callback can be used to securely work with hashed passwords.
DIGEST AUTHENTICATION EXAMPLE
The following example is similar to the previous one, but HTTP Digest authentication is
used:
from flask import Flask
from flask_httpauth import HTTPDigestAuth
app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret key here'
auth = HTTPDigestAuth()
users = {
"john": "hello",
"susan": "bye"
}
@auth.get_password
def get_pw(username):
if username in users:
return users.get(username)
return None
@app.route('/')
@auth.login_required
def index():
return "Hello, %s!" % auth.username()
if __name__ == '__main__':
app.run()
Security Concerns with Digest Authentication
The digest authentication algorithm requires a challenge to be sent to the client for use
in encrypting the password for transmission. This challenge needs to be used again when
the password is decoded at the server, so the challenge information needs to be stored so
that it can be recalled later.
By default, Flask-HTTPAuth stores the challenge data in the Flask session. To make the
authentication flow secure when using session storage, it is required that server-side
sessions are used instead of the default Flask cookie based sessions, as this ensures that
the challenge data is not at risk of being captured as it moves in a cookie between server
and client. The Flask-Session and Flask-KVSession extensions are both very good options to
implement server-side sessions.
As an alternative to using server-side sessions, an application can implement its own
generation and storage of challenge data. To do this, there are four callback functions
that the application needs to implement:
@auth.generate_nonce
def generate_nonce():
"""Return the nonce value to use for this client."""
pass
@auth.generate_opaque
def generate_opaque():
"""Return the opaque value to use for this client."""
pass
@auth.verify_nonce
def verify_nonce(nonce):
"""Verify that the nonce value sent by the client is correct."""
pass
@auth.verify_opaque
def verify_opaque(opaque):
"""Verify that the opaque value sent by the client is correct."""
pass
For information of what the nonce and opaque values are and how they are used in digest
authentication, consult RFC 2617.
TOKEN AUTHENTICATION SCHEME EXAMPLE
The following example application uses a custom HTTP authentication scheme to protect
route '/' with a token:
from flask import Flask, g
from flask_httpauth import HTTPTokenAuth
app = Flask(__name__)
auth = HTTPTokenAuth(scheme='Token')
tokens = {
"secret-token-1": "john",
"secret-token-2": "susan"
}
@auth.verify_token
def verify_token(token):
if token in tokens:
g.current_user = tokens[token]
return True
return False
@app.route('/')
@auth.login_required
def index():
return "Hello, %s!" % g.current_user
if __name__ == '__main__':
app.run()
The HTTPTokenAuth is a generic authentication handler that can be used with non-standard
authentication schemes, with the scheme name given as an argument in the constructor. In
the above example, the WWW-Authenticate header provided by the server will use Token as
scheme:
WWW-Authenticate: Token realm="Authentication Required"
The verify_token callback receives the authentication credentials provided by the client
on the Authorization header. This can be a simple token, or can contain multiple
arguments, which the function will have to parse and extract from the string.
In the examples directory you can find a complete example that uses JWT tokens.
USING MULTIPLE AUTHENTICATION SCHEMES
Applications sometimes need to support a combination of authentication methods. For
example, a web application could be authenticated by sending client id and secret over
basic authentication, while third party API clients use a JWT bearer token. The MultiAuth
class allows you to protect a route with more than one authentication object. To grant
access to the endpoint, one of the authentication methods must validate.
In the examples directory you can find a complete example that uses basic and token
authentication.
DEPLOYMENT CONSIDERATIONS
Be aware that some web servers do not pass the Authorization headers to the WSGI
application by default. For example, if you use Apache with mod_wsgi, you have to set
option WSGIPassAuthorization On as documented here.
API DOCUMENTATION
class flask_httpauth.HTTPBasicAuth
This class handles HTTP Basic authentication for Flask routes.
__init__(scheme=None, realm=None)
Create a basic authentication object.
If the optional scheme argument is provided, it will be used instead of the
standard "Basic" scheme in the WWW-Authenticate response. A fairly common
practice is to use a custom scheme to prevent browsers from prompting the
user to login.
The realm argument can be used to provide an application defined realm with
the WWW-Authenticate header.
get_password(password_callback)
This callback function will be called by the framework to obtain the
password for a given user. Example:
@auth.get_password
def get_password(username):
return db.get_user_password(username)
hash_password(hash_password_callback)
If defined, this callback function will be called by the framework to apply
a custom hashing algorithm to the password provided by the client. If this
callback isn't provided the password will be checked unchanged. The callback
can take one or two arguments. The one argument version receives the
password to hash, while the two argument version receives the username and
the password in that order. Example single argument callback:
@auth.hash_password
def hash_password(password):
return md5(password).hexdigest()
Example two argument callback:
@auth.hash_password
def hash_pw(username, password):
salt = get_salt(username)
return hash(password, salt)
verify_password(verify_password_callback)
If defined, this callback function will be called by the framework to verify
that the username and password combination provided by the client are valid.
The callback function takes two arguments, the username and the password and
must return True or False. Example usage:
@auth.verify_password
def verify_password(username, password):
user = User.query.filter_by(username).first()
if not user:
return False
return passlib.hash.sha256_crypt.verify(password, user.password_hash)
If this callback is defined, it is also invoked when the request does not
have the Authorization header with user credentials, and in this case both
the username and password arguments are set to empty strings. The client can
opt to return True and that will allow anonymous users access to the route.
The callback function can indicate that the user is anonymous by writing a
state variable to flask.g, which the route can then check to generate an
appropriate response.
Note that when a verify_password callback is provided the get_password and
hash_password callbacks are not used.
error_handler(error_callback)
If defined, this callback function will be called by the framework when it
is necessary to send an authentication error back to the client. The return
value from this function can be the body of the response as a string or it
can also be a response object created with make_response. If this callback
isn't provided a default error response is generated. Example:
@auth.error_handler
def auth_error():
return "<h1>Access Denied</h1>"
login_required(view_function_callback)
This callback function will be called when authentication is successful.
This will typically be a Flask view function. Example:
@app.route('/private')
@auth.login_required
def private_page():
return "Only for authorized people!"
username()
A view function that is protected with this class can access the logged
username through this method. Example:
@app.route('/')
@auth.login_required
def index():
return "Hello, %s!" % auth.username()
class flask_httpauth.HTTPDigestAuth
This class handles HTTP Digest authentication for Flask routes. The SECRET_KEY
configuration must be set in the Flask application to enable the session to work.
Flask by default stores user sessions in the client as secure cookies, so the
client must be able to handle cookies. To support clients that are not web browsers
or that cannot handle cookies a session interface that writes sessions in the
server must be used.
__init__(self, scheme=None, realm=None, use_ha1_pw=False)
Create a digest authentication object.
If the optional scheme argument is provided, it will be used instead of the
"Digest" scheme in the WWW-Authenticate response. A fairly common practice
is to use a custom scheme to prevent browsers from prompting the user to
login.
The realm argument can be used to provide an application defined realm with
the WWW-Authenticate header.
If use_ha1_pw is False, then the get_password callback needs to return the
plain text password for the given user. If use_ha1_pw is True, the
get_password callback needs to return the HA1 value for the given user. The
advantage of setting use_ha1_pw to True is that it allows the application to
store the HA1 hash of the password in the user database.
generate_ha1(username, password)
Generate the HA1 hash that can be stored in the user database when
use_ha1_pw is set to True in the constructor.
generate_nonce(nonce_making_callback)
If defined, this callback function will be called by the framework to
generate a nonce. If this is defined, verify_nonce should also be defined.
This can be used to use a state storage mechanism other than the session.
verify_nonce(nonce_verify_callback)
If defined, this callback function will be called by the framework to verify
that a nonce is valid. It will be called with a single argument: the nonce
to be verified.
This can be used to use a state storage mechanism other than the session.
generate_opaque(opaque_making_callback)
If defined, this callback function will be called by the framework to
generate an opaque value. If this is defined, verify_opaque should also be
defined.
This can be used to use a state storage mechanism other than the session.
verify_opaque(opaque_verify_callback)
If defined, this callback function will be called by the framework to verify
that an opaque value is valid. It will be called with a single argument:
the opaque value to be verified.
This can be used to use a state storage mechanism other than the session.
get_password(password_callback)
See basic authentication for documentation and examples.
error_handler(error_callback)
See basic authentication for documentation and examples.
login_required(view_function_callback)
See basic authentication for documentation and examples.
username()
See basic authentication for documentation and examples.
class flask_httpauth.HTTPTokenAuth
This class handles HTTP authentication with custom schemes for Flask routes.
__init__(scheme, realm=None)
Create a token authentication object.
The scheme argument must be provided to be used in the WWW-Authenticate
response.
The realm argument can be used to provide an application defined realm with
the WWW-Authenticate header.
verify_token(verify_token_callback)
This callback function will be called by the framework to verify that the
credentials sent by the client with the Authorization header are valid. The
callback function takes one argument, the username and the password and must
return True or False. Example usage:
@auth.verify_token
def verify_token(token):
g.current_user = User.query.filter_by(token=token).first()
return g.current_user is not None
Note that a verify_token callback is required when using this class.
error_handler(error_callback)
See basic authentication for documentation and examples.
login_required(view_function_callback)
See basic authentication for documentation and examples.
AUTHOR
Miguel Grinberg
COPYRIGHT
2019, Miguel Grinberg
Oct 27, 2019 FLASK-HTTPAUTH(1)