RESTapi flask mount

The application I'm building uses a lot of ajax calls. Unfortunately, I fell into the trap of exploring how to restrict access to the API. For example:

  • I have a table that makes an ajax call to `http://site/api/tasks/bob`.
    I need to make sure that only the bob who is logged in can read this table (otherwise someone who knows the URL pattern could see bob's tasks simply by entering the URL in the browser).
  • On another page, the same table should be able to call `http://site/api/tasks/all` and show the tasks of all users (only the administrator should be able to do that).

Thank you for reading this time and possibly responding to it.

python rest flask restful-authentication
1 answer

From a thousand-foot view, you need to authenticate the user with either:

A) HTTP Auth (basic or digest) on each request.

B) Server-side sessions. (The user authenticates and receives a session key; their user information is stored in the session backend on the server, attached to this key. Once they have a session, they can make requests that transmit their session key to you (in the URL or in a cookie), and the information they have access to is returned to them.)

There are a couple of useful Flask extensions that handle most of this kind of thing: check Flask-Login and Flask-Principal to see examples of how authorization can be added to a Flask application.

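The session-based approach (B) applied to the two routes from the question, as an added example that is not part of the original question or answer. It uses only Flask's built-in signed-cookie session rather than Flask-Login; the users, passwords, tasks and the `/login` route are constructed for the example, and the admin check is done on the server for every request, so knowing the URL pattern alone gives a caller nothing.

```python
from functools import wraps
from flask import Flask, abort, jsonify, request, session
from werkzeug.security import check_password_hash, generate_password_hash

app = Flask(__name__)
app.secret_key = "replace-with-a-long-random-secret"  # constructed placeholder

# Constructed sample data: username -> (password hash, is_admin) and per-user tasks.
USERS = {
    "bob": (generate_password_hash("bob-pass"), False),
    "alice": (generate_password_hash("alice-pass"), False),
    "root": (generate_password_hash("root-pass"), True),
}
TASKS = {"bob": ["write report"], "alice": ["review PR"], "root": []}

def login_required(view):
    """Reject any request that does not carry a valid session (401)."""
    @wraps(view)
    def wrapper(*args, **kwargs):
        if "user" not in session:
            abort(401)
        return view(*args, **kwargs)
    return wrapper

@app.route("/login", methods=["POST"])
def login():
    data = request.get_json(silent=True) or {}
    record = USERS.get(data.get("username", ""))
    # Same failure path for unknown user and wrong password: no username enumeration.
    if record is None or not check_password_hash(record[0], data.get("password", "")):
        abort(401)
    session.clear()                      # drop any prior session state (fixation guard)
    session["user"] = data["username"]   # only the identity is stored; roles come from USERS
    return jsonify(ok=True)

@app.route("/api/tasks/all")
@login_required
def all_tasks():
    if not USERS[session["user"]][1]:    # admin role is checked server-side, per request
        abort(403)
    return jsonify(TASKS)

@app.route("/api/tasks/<username>")
@login_required
def user_tasks(username):
    caller = session["user"]
    if caller != username and not USERS[caller][1]:  # owner or admin only
        abort(403)
    if username not in TASKS:
        abort(404)
    return jsonify(user=username, tasks=TASKS[username])
```

Flask's router prefers the static `/api/tasks/all` rule over `/api/tasks/<username>`, so the admin-only route is never shadowed by the per-user one.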
