Flask extension for providing basic digest and token authentication via apache htpasswd files. So largely it fits between Flask-Security which has additional dependencies and Flask-BasicAuth which only allows you to have one user (and also puts the plain text password into the configuration).
Sample usage is to first create an htpasswd file with the apache tool:
htpasswd -c /path/to/.htpasswd my_username
Additional users can be added, or have their passwords changed, by running:
htpasswd /path/to/.htpasswd new_user
htpasswd /path/to/.htpasswd user_I_want_to_change_passwords_for
Then you just need to setup and configure your flask application, with something like:
import flask
from flask_htpasswd import HtPasswdAuth
app = flask.Flask(__name__)
app.config['FLASK_HTPASSWD_PATH'] = '/path/to/.htpasswd'
app.config['FLASK_SECRET'] = 'Hey Hey Kids, secure me!'
htpasswd = HtPasswdAuth(app)
@app.route('/')
@htpasswd.required
def index(user):
return 'Hello {user}'.format(user=user)
app.run(debug=True)
And that view should now prompt for a username and password (and accept tokens).
If you would like to protect all of your views, that is easy too, just
add a little config. By setting app.config['FLASK_AUTH_ALL']=True
before initializing the extension, an @app.before_request
is added
that will require auth for all pages, and it will add the user as
flask.g.user
.
One last small feature, is that you can also set the authentication
realm. The default is 'Login Required', but it can be set with
app.config['FLASK_AUTH_REALM']
before initialization.
Tokens are based on the username and password, and thus invalid whenever the user's password is changed. To get a user password, you can serve it out to the user with something like
import flask
from flask_htpasswd import HtPasswdAuth
app = flask.Flask(__name__)
app.config['FLASK_HTPASSWD_PATH'] = '/path/to/.htpasswd'
app.config['FLASK_SECRET'] = 'Hey Hey Kids, secure me!'
htpasswd = HtPasswdAuth(app)
@app.route('/')
@htpasswd.required
def index(user):
return flask.jsonify({'token': htpasswd.generate_token(user)})
app.run(debug=True)
It can then be used by the user by adding it to the header of their requests, something like:
import requests
requests.get('http://localhost:5000/', headers={'Authorization': 'token <token>'})
- Switch from itsdangerous to pyjwt
- Renamed FLASK_SECRET into FLASK_SECRET
- Updated for newer language and Flask versions
- Corrected deprecated passlib API call
- Added function to reload user database
- Added user to
flask.g
with FLASK_AUTH_ALL=True
- Python 3 compatibility
This is largely based on a combination of:
- https://flask-basicauth.readthedocs.io/en/latest/
- https://flask.pocoo.org/snippets/8/
- https://blog.miguelgrinberg.com/post/restful-authentication-with-flask