1

my objective in this question is to secure my API.

in my application, I'm using Flask and flask_restless's APIManager to provide CRUD API to my Person object.

code sample: 

manager = APIManager(app, flask_sqlalchemy_db=db)
manager.create_api(Person, methods=['GET', 'POST', 'PATCH', 'DELETE'])

and also using flask_httpauth to protect my other routes like this:

@app.route('/auth/get-token')
@auth.login_required
def get_auth_token():
    token = g.user.generate_auth_token()
    return jsonify({'token': token.decode('ascii'), 'fullname': g.user.fullname})

I could not figure out how to use @auth.login_required with the apimanager to not make it respond to anonymous requests, I read in the documentation something about preprocessors but also couldn't find a way to use it with @auth.login_required decorator.

any help will be appreciated.

Motassem Kassab
  • 1,744
  • 4
  • 21
  • 40

2 Answers2

2

Unfortunately, it looks like Flask-Restless currently does not officially support attaching view decorators to the routes it manages. There is an open issue to add this feature, and there is also another issue specifically requesting support for Flask-HTTPAuth.

There is yet a third issue, in which a user shows the technique to manually inject the decorators after Flask-Restless created its endpoints. The snippet from that user's example that adds a get_cache decorator is below:

manager = flask.ext.restless.APIManager(app, flask_sqlalchemy_db=db)
manager.create_api(Person, methods=['GET', 'POST', 'DELETE'])
manager.create_api(Person2, methods=['GET', 'POST', 'DELETE'])

# hackish view decoration:
for model in [Person, Person2]:
    model_route = '{0}api0.{0}api'.format(model.__name__.lower())
    app.view_functions[model_route] = get_cache(app.view_functions[model_route])

In your case, you would replace get_cache with auth.login_required.

Update: As discussed below in the comments, the argument in '{0}api0.{0}api' is the table name, so the above code will only work if table names are left for Flask-SQLAlchemy to generate. If the model has a custom table name, then use that instead of model.__name__.lower().

Miguel Grinberg
  • 65,299
  • 14
  • 133
  • 152
  • thanks a lot, I don't want to be annoying but I'm getting this error and can't figure out what went wrong: `app.view_functions[model_route] = auth.login_required(app.view_functions[model_route]) KeyError: 'personapi0.personapi'` – Motassem Kassab Mar 02 '17 at 16:29
  • Woops, I figured it out, apparently flask adds the letter s as a suffix for the class's name, so the registered function for `Person` API is called `personsapi0.personsapi`, I hope you add this to your answer and thank you so much it did solve the problem. – Motassem Kassab Mar 02 '17 at 16:50
  • it has to be : `model_route = '{0}sapi0.{0}sapi'.format(model.__name__.lower())` – Motassem Kassab Mar 02 '17 at 16:52
  • 1
    @MotassemMK could it be because you are using a custom table name with the plural form? – Miguel Grinberg Mar 02 '17 at 16:56
  • ops.. yep that's it – Motassem Kassab Mar 02 '17 at 17:00
1

I recommend you to use Flask-Security. There is a tutorial about how to use it to security your API interface.

stamaimer
  • 6,227
  • 5
  • 34
  • 55