Securing RESTapi in flask

Question

The app I'm deving uses a lot of ajax calls. Unfortunately I hit a snag when researching on how to restrict access to the api. For example:

i have table that does an ajax call to http://site/api/tasks/bob
i need to make sure that only bob, logged in, can read that table (otherwise somebody who knows the pattern might request to see bob's tasks by simply entering the url in the browser).
on a different page,the same table needs to be able to call http://site/api/tasks/all and show the tasks of all users (only an admin should be able to do that)

Thank you for your time reading this and maybe answering it.

score 14 · Accepted Answer · edited Oct 28 '12 at 21:12

14

The thousand-foot view is you need to authenticate the user either with:

A) HTTP-Auth (either basic or digest) on each request.

B) Server-side sessions. (The user authenticates and receives a session key - their user information is stored in the session backend on the server, attached to that key Once they have a session they can make requests passing their session key back to you (either in the URL or in a cookie) and the information they have access to is returned to them.)

Flask has a pair of useful extensions that deal with a large part of this sort of thing - check out Flask-Login and Flask-Principal to see examples of how authorization can be added to a Flask application.

edited Oct 28 '12 at 21:12

miku

181,842
47
306
310

answered Aug 08 '11 at 21:49

Sean Vieira

155,703
32
311
293

i would love to find more info on how to implement the second one. – pocorschi Aug 08 '11 at 22:50
@InnocentPixel -- Flask has a fully-documented session api already built-in. See: http://flask.pocoo.org/docs/api/#sessions – Sean Vieira Aug 09 '11 at 03:15

Securing RESTapi in flask

1 Answers1

Linked