How to get auth_token_required in Flask_Security working?

Question

I'm trying to build a token based backend (API) for an app using Flask in which I'm trying to use Flask_Security. Since I'm using the Peewee ORM, I've followed this guide to build the basic setup and I now have to build the views which should login the user and then a view which actually serves some useful data.

So my login view which returns the token looks like this:

@app.route('/api/login', methods=['POST'])
def api_login():
    requestJson = request.get_json(force=True)
    user = User.select().where(User.username == requestJson['username']).where(User.password == requestJson['password']).first()
    if user:
        return jsonify({'token': user.get_auth_token()})
    else:
        return jsonify({'error': 'LoginError'})

This works fine; I get a token as a response. I now want to protect another view using auth_token_required and I want to use the token as a header. So I try this as follows:

@app.route('/api/really-important-info')
@auth_token_required('SECURITY_TOKEN_AUTHENTICATION_HEADER')
def api_important_info():
    return jsonify({'info': 'really important'})

But starting Flask results in an AttributeError: 'str' object has no attribute '__module__'. The documentation isn't very helpful on its usage either.

Does anybody know how I can get this to work? Any tips are welcome!

Answer 1

The error is because the decorator does not expect any arguments (besides the function it is decorating).

@auth_token_required
def api_important_info():
    pass

The configuration values SECURITY_TOKEN_AUTHENTICATION_KEY or SECURITY_TOKEN_AUTHENTICATION_HEADER represent the location in the query params or headers, respectively, of an incoming request.

Flask-Security automatically sends this token to the client for future use when a JSON request is made to the login route.

---

You may be confused by the multiple authentication methods that Flask-Security provides. Auth tokens are useful for apis where you don't have a session cookie managed by the browser. The "normal" session based authentication is handled with login_required.