
I'm running two instances of a flask app. For security, I'm using flask-security and flask-mongoengine. Both api instances have to work as nodes behind a load balancer. Now when I login using the first api, I get an access token; when I try to hit the second api using that access token, it gives an unauthorized status.

Now, I was wondering whether it is possible to use the same access token for both apis. Both apis share the same database, mongo config and security config. Code is below:

from flask import Flask, request, render_template, abort, jsonify
from flask_mongoengine import MongoEngine
from flask_security import Security, MongoEngineUserDatastore, \
    UserMixin, RoleMixin, login_required, auth_token_required, roles_required, current_user
from flask_security.utils import logout_user
from flask_cors import CORS, cross_origin
import csv
import time
import hashlib
import datetime
import requests
import json

# Create app
app = Flask(__name__)
CORS(app)
app.config['DEBUG'] = True
# SECRET_KEY is what signs the auth tokens: every instance must load the identical value
app.config['SECRET_KEY'] = 'super-secret'
# 'plaintext' stores passwords unhashed
app.config['SECURITY_PASSWORD_HASH'] = 'plaintext'
app.config['SECURITY_TRACKABLE'] = True
app.config['SECURITY_PASSWORD_SALT'] = 'somepaswwordsalt'
app.config['WTF_CSRF_ENABLED'] = False

# MongoDB Config (the same database for both instances)
app.config['MONGODB_DB'] = 'db'
app.config['MONGODB_HOST'] = 'localhost'
app.config['MONGODB_PORT'] = 27017
app.config['MONGODB_USERNAME'] = 'username'
app.config['MONGODB_PASSWORD'] = 'password'

# Create database connection object
db = MongoEngine(app)

# Role and User models (not in the posted snippet; the minimum Flask-Security needs,
# including the fields SECURITY_TRACKABLE writes on each login)
class Role(db.Document, RoleMixin):
    name = db.StringField(max_length=80, unique=True)
    description = db.StringField(max_length=255)

class User(db.Document, UserMixin):
    email = db.StringField(max_length=255, unique=True)
    password = db.StringField(max_length=255)
    active = db.BooleanField(default=True)
    roles = db.ListField(db.ReferenceField(Role), default=[])
    last_login_at = db.DateTimeField()
    current_login_at = db.DateTimeField()
    last_login_ip = db.StringField(max_length=100)
    current_login_ip = db.StringField(max_length=100)
    login_count = db.IntField()

# Setup Flask-Security on top of the shared MongoDB user store
user_datastore = MongoEngineUserDatastore(db, User, Role)
security = Security(app, user_datastore)

@app.route('/api/v1/', methods=['GET'])
@auth_token_required
@roles_required('admin')
def create():
    # Body elided in the question; placeholder response so the route is callable
    return jsonify(status='ok', user=current_user.email)
Rahul
  • The session key and access key have different properties. It is possible to process session information elsewhere, but this creates a vulnerability. You can move the action key (completely unique) in the address bar. You can easily track user and action errors (this creates an additional system load). After you log on, you cannot provide security without creating any access counters (you should use two-step verification briefly. It doesn't make sense to do these things at once.). – dsgdfg May 30 '18 at 09:38
  • Well, a token is just data about a user which is encrypted (hashed) with the server's secret key and salt, which makes it cross-instance as the instances share the same salt and secret key. I think you should search for the reason why it doesn't work somewhere else, not in the auth token. Flask_security is quite an easy-to-read lib and you can debug and trace where it goes wrong. – Fine Jun 01 '18 at 10:04
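Fine's comment above says the token is user data signed with the server's secret key and salt, so any instance with the same config can verify it. The block below is an added example, not code from the question or from Flask-Security itself: a standard-library model of how such a token is minted and checked, following the itsdangerous scheme in outline (HMAC over payload and timestamp, key derived from SECRET_KEY and a salt). The exact key derivation, timestamp epoch and the password fingerprint differ between versions, so it is not byte-compatible with real tokens, and the user store, user id and hash strings are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _signing_key(secret_key, salt):
    # itsdangerous-style "django-concat" derivation: sha1(salt + "signer" + SECRET_KEY).
    # Nothing instance-specific goes in, so identical config yields identical keys.
    return hashlib.sha1((salt + "signer" + secret_key).encode()).digest()

def mint_token(secret_key, salt, user_id, password_hash, now):
    # Payload: [user id, fingerprint of the stored password hash], then the issue time.
    payload = _b64(json.dumps([str(user_id), password_hash]).encode())
    ts = int(now)
    stamp = _b64(ts.to_bytes(max(1, (ts.bit_length() + 7) // 8), "big"))
    body = f"{payload}.{stamp}"
    sig = hmac.new(_signing_key(secret_key, salt), body.encode(), hashlib.sha1).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(secret_key, salt, token, users, now, max_age=None):
    # Returns the user record if the token verifies under *this* instance's config, else None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload, stamp, sig = parts
    body = f"{payload}.{stamp}".encode()
    expected = _b64(hmac.new(_signing_key(secret_key, salt), body, hashlib.sha1).digest())
    if not hmac.compare_digest(expected, sig):
        return None  # signed under a different SECRET_KEY or salt
    if max_age is not None and now - int.from_bytes(_unb64(stamp), "big") > max_age:
        return None  # older than SECURITY_TOKEN_MAX_AGE
    user_id, fingerprint = json.loads(_unb64(payload))
    user = users.get(user_id)
    if user is None or not hmac.compare_digest(user["password"], fingerprint):
        return None  # unknown user, or password changed since the token was issued
    return user

# Constructed sample data: a shared user store and two instances with identical config.
USERS = {"5b0e1": {"email": "admin@example.com", "password": "hash-of-pw-1"}}
INSTANCE_A = INSTANCE_B = ("super-secret", "remember-salt")  # (SECRET_KEY, remember salt)

def cross_instance_check():
    token = mint_token(*INSTANCE_A, "5b0e1", USERS["5b0e1"]["password"], now=1527700000)
    return verify_token(*INSTANCE_B, token, USERS, now=1527700010, max_age=3600)
```

With identical config the second instance returns the user; a different SECRET_KEY, a different salt, an expired timestamp or a changed stored password all make the same token fail, which is the short list of things to compare between the two instances.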

0 Answers