
I am using flasgger to generate swagger UI for API's in flask.

I have an API endpoint http://localhost:5000/api/token which gives back a token if the correct username and password are given. Everything is fine; the only problem is that the password is sent in clear text. I want to encrypt the password while posting through Swagger and decrypt it in Flask.


The generated curl is:

curl -X POST "http://localhost:5000/api/token" -H "accept: application/json" -H "Content-Type: application/json" -d '{"password": "mypassword", "username": "myuser"}'

How can I encrypt the password value in Swagger or flasgger? I tried the below but didn't see any change.

Token:
    type: object
    properties:
        username:
            type: string
            description: 'enter your username'
            example: 'myuser'
        password:
            type: string
            description: 'enter your password'
            example: 'mypassword'
            format: base64

Thanks in advance!

young_minds1
    Use HTTPS instead. There's no reason for any API to use HTTP, especially when passwords are involved. HTTPS is far more secure than any hand-rolled encryption – Panagiotis Kanavos Sep 30 '21 at 12:42
  • @PanagiotisKanavos thank you for the comment. I understood what you said, but is there any way of encrypting text in Swagger? – young_minds1 Sep 30 '21 at 12:54
    If you still ask, you didn't understand it at all. Swagger runs on the server, not the client. The forms you see do run on the client, which means any kind of encryption would have to run on the browser. Which would make them visible to everyone. HTTPS uses asymmetric encryption based on certificates *and* ensures the connection isn't intercepted. Why do you insist on encryption and who is going to do it? – Panagiotis Kanavos Sep 30 '21 at 12:57
  • @PanagiotisKanavos OK, so you mean only changing to HTTPS should do the job. – young_minds1 Sep 30 '21 at 13:08
  • In other words, it's OK to send passwords as plain text in the request body **as long as they are sent over an HTTPS connection**. See [Is it safe to send clear usernames/passwords on a HTTPS connection to authenticate users?](https://security.stackexchange.com/q/64631) – Helen Sep 30 '21 at 15:43
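The advice in the comments, worked through as an added example (this is not code from the question or from the flasgger project): the token endpoint keeps its flasgger docstring spec, the server never stores or compares a plain-text password (only a werkzeug password hash), and the app is run with `ssl_context` so the request body travels inside TLS instead of being "encrypted" by anything in the Swagger form. The user store `USERS`, the `issue_token` helper, the in-memory `TOKENS` dict and the `cert.pem`/`key.pem` file names are assumptions made for this example. `format: password` in the schema only makes Swagger UI mask the input field; it does not encrypt the value, which is exactly why the transport has to.

```python
"""Added example, not part of the original post: a Flask token endpoint
documented with flasgger, hashing the password server-side and served over TLS.
Names USERS, TOKENS, issue_token, cert.pem and key.pem are assumptions."""
import secrets

from flask import Flask, jsonify, request
from werkzeug.security import check_password_hash, generate_password_hash

try:
    from flasgger import Swagger  # Swagger UI is optional; the endpoint works without it
except ImportError:
    Swagger = None

app = Flask(__name__)
if Swagger is not None:
    Swagger(app)  # serves the UI at /apidocs, generated from the docstring below

# Constructed demo user store: only the salted hash is kept, never the password.
USERS = {"myuser": generate_password_hash("mypassword")}
# Hash of a random value, used so an unknown username costs the same as a wrong password.
_DUMMY_HASH = generate_password_hash(secrets.token_hex(16))
# token -> username, in memory for the demo (assumption: a real app would persist this).
TOKENS = {}


def issue_token(username: str, password: str):
    """Return a fresh bearer token if the credentials check out, otherwise None."""
    stored = USERS.get(username)
    ok = check_password_hash(stored if stored is not None else _DUMMY_HASH, password)
    if stored is None or not ok:
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = username
    return token


@app.route("/api/token", methods=["POST"])
def token():
    """Issue an API token for a username/password pair.
    ---
    consumes:
      - application/json
    parameters:
      - in: body
        name: body
        required: true
        schema:
          id: Token
          required: [username, password]
          properties:
            username:
              type: string
              description: enter your username
              example: myuser
            password:
              type: string
              description: enter your password
              format: password   # masks the UI field only; TLS does the protecting
              example: mypassword
    responses:
      200:
        description: token issued
      401:
        description: invalid credentials
    """
    data = request.get_json(silent=True) or {}
    tok = issue_token(str(data.get("username", "")), str(data.get("password", "")))
    if tok is None:
        return jsonify(error="invalid credentials"), 401
    return jsonify(token=tok)


if __name__ == "__main__":
    # Plain app.run() listens on HTTP only. Passing ssl_context makes Flask's dev
    # server speak HTTPS; use a real certificate/key pair, or ssl_context="adhoc"
    # for a throwaway self-signed one (needs the 'cryptography' package).
    app.run(host="127.0.0.1", port=5000, ssl_context=("cert.pem", "key.pem"))
```

With this running, the Swagger UI at https://localhost:5000/apidocs posts the same JSON body as the curl in the question, but the body is only readable by the two TLS endpoints; the password is compared against a hash and a successful login returns a random token that the client uses from then on.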
