
I'm struggling a bit to get the auth working properly. I'm controlling the login behavior through APIs instead of the web application. For this, I'm using Flask session and HTTPBasicAuth(). After a user logs in and until he logs out, I don't want him to re-login or post auth for every request to the API. For this I'm leveraging session['username'].

My code for auth.verify_password is below.

    from email.utils import parseaddr
    from flask import session
    from werkzeug.security import check_password_hash

    @auth.verify_password
    def verify_password(username, password):
        # A live session skips the database lookup entirely.
        if 'username' in session:
            return True
        else:
            # Look the user up by email when the login name parses as an address.
            where_col = "username"
            if '@' in parseaddr(username)[1]:
                where_col = "email"

            conn = mysql.connect()
            cur = conn.cursor()
            # where_col is one of two fixed column names; the user-supplied value is bound, not formatted in.
            sql = "SELECT email, pwd FROM users_table WHERE {}=%s".format(where_col)
            cur.execute(sql, (username,))
            row = cur.fetchone()
            cur.close()
            conn.close()
            if not row:
                print("Invalid user")
                return False
            # Only mark the session once the password hash verifies.
            if not check_password_hash(row[1], password):
                return False
            session['username'] = username
            return True

Now, after the login is complete, I want to get some other product data, which I will check using the `auth.login_required` decorator.

    from flask import jsonify

    @app.route('/products', methods=['GET', 'POST'])
    @auth.login_required
    def get_products():
        conn = mysql.connect()
        cur = conn.cursor()
        sql = "select * from all_products"
        cur.execute(sql)
        row = cur.fetchall()
        cur.close()
        conn.close()
        # A bare tuple of tuples is not a valid Flask response body.
        return jsonify(row)

    @app.route('/logout', methods=['GET', 'POST'])
    @auth.login_required
    def logout():
        # The session key is the literal 'username', not the value returned by auth.username().
        session.pop('username', None)
        return jsonify(ok=True)

Next time when I call get_products, I don't want to pass auth in the request header. The above code is not working when I do that. I feel some very little code is missing somewhere, or that my approach is completely wrong. The session['username'] doesn't seem to persist. It has to go through the login approach every time, whereas my goal is to skip login until a user logs out. Appreciate any suggestions here.

user3327034
  • The `auth_required` decorator needs to be applied to routes. Looks like you have it on a pair of regular functions, at least there is no `@app.route` decorator in them. – Miguel Grinberg Feb 08 '19 at 15:54
  • Sorry, updated the code. @Miguel – user3327034 Feb 08 '19 at 17:28
  • What kind of client are you using? Does it know how to handle cookies? – Miguel Grinberg Feb 08 '19 at 23:37
  • Yes, using Laravel. I'm trying to test this functionality using Python itself. Basically, I'm trying to do `if 'username' in session: then True else check against db` sort of. I don't want to make a db call until I hit logout or something else where username is not in session. – user3327034 Feb 09 '19 at 00:23
  • Does your client handle cookies? If it doesn't then this isn't going to work, since the user session is based on that. Also, if you want to do login/logout, I suggest you use Flask-Login instead of Flask-HTTPAuth. – Miguel Grinberg Feb 09 '19 at 08:32
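Added example (not code from the question or from Flask-HTTPAuth): a minimal Flask app where the first request presents Basic credentials and later ones rely only on the signed session cookie, exercised with Flask's test client, which keeps cookies like a browser, beside a fresh client that does not. A hand-rolled decorator stands in for Flask-HTTPAuth's `login_required` so only Flask is needed; the user store, secret key, routes and status-code scenario are constructed for the demo.

```python
import base64
from functools import wraps
from flask import Flask, jsonify, request, session
from werkzeug.security import check_password_hash, generate_password_hash
app = Flask(__name__)
app.secret_key = "placeholder-secret"  # placeholder: use a long random value, it signs the cookie
USERS = {"alice": generate_password_hash("correct horse")}  # constructed stand-in for users_table

def verify_password(username, password):
    if session.get("username"):  # already logged in: no DB lookup, no credentials needed
        return True
    if not check_password_hash(USERS.get(username, ""), password):
        return False  # session stays untouched on failure
    session["username"] = username  # set only after the hash check passes
    return True

def login_required(view):
    """Mimics Flask-HTTPAuth: parse the Basic header, passing empty strings when it is absent."""
    @wraps(view)
    def wrapper(*args, **kwargs):
        creds = request.authorization
        user, pw = (creds.username, creds.password) if creds else ("", "")
        if not verify_password(user, pw):
            return jsonify(error="unauthorized"), 401, {"WWW-Authenticate": 'Basic realm="api"'}
        return view(*args, **kwargs)
    return wrapper
@app.route("/products")
@login_required
def get_products():
    return jsonify(user=session["username"], products=["widget", "gadget"])
@app.route("/logout", methods=["POST"])
@login_required
def logout():
    session.pop("username", None)
    return jsonify(ok=True)
def basic_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def run_scenario():
    c = app.test_client()  # keeps cookies between requests, like a browser or requests.Session
    first = c.get("/products", headers=basic_header("alice", "correct horse")).status_code
    second = c.get("/products").status_code  # no header: the session cookie carries the login
    c.post("/logout")
    third = c.get("/products").status_code  # session cleared, back to 401
    fresh = app.test_client().get("/products").status_code  # new client, no cookie jar
    bad = app.test_client()
    bad.get("/products", headers=basic_header("alice", "wrong"))
    after_bad = bad.get("/products").status_code  # a failed login must not create a session
    return first, second, third, fresh, after_bad
```

A client that discards the `Set-Cookie` header behaves like the `fresh` client above and will be challenged on every request, which is the symptom described in the question.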
