Flask API authentication

Question

I am building a chrome extension that sends GET requests to a flask API I've built. I want to add some sort of authentication to the API so that only my chrome extension can receive that data.

I have looked into using a JSON web token but it seems that by doing that, I would have to have the username and password in my chrome extension code, which is easily accessible to anyone once the chrome extension is published.

Am I thinking about this in the wrong way?

Thanks

score 0 · Accepted Answer · answered Mar 26 '21 at 15:28

0

You should not store a JWT with such data as some constant in the chrome extension code.

JWTs should be generated dynamically in this use case; I recommend this tutorial from Miguel.

I don't think, however, that this is the way to go. Read this. If you provide authentication (you know who your users are and they need to log in), then you can use those details to create a session based authentication or a JWT token approach (see Flask-Login, Flask-Security, Flask-Principal, Flask-JWT, etc.).

answered Mar 26 '21 at 15:28

miquelvir

1,748
1
7
21

Thanks for your answer, but what if my chrome extension doesn't have a login? I just want to display data to those who have the chrome extension downloaded – Richard Palmer Mar 26 '21 at 16:18
https://stackoverflow.com/questions/8577110/securing-website-api-keys-in-chrome-extensions – miquelvir Mar 26 '21 at 16:20
Thank you, appreciate your help! – Richard Palmer Mar 26 '21 at 17:51
You are welcome! If this solves your question please mark it as solved! – miquelvir Mar 26 '21 at 18:12

Flask API authentication

1 Answers1