I have recently started using flask-httpauth on a project. Something that jumped out at me is setting the current user into the flask g thread-local object via something like g.current_user = user inside verify_password and verify_token.

Would it make sense to create a new decorator, something like @auth.current_user, which takes a callback that returns the current user? This callback can then be used to inject the current user as a parameter into the callbacks for the other flask-httpauth decorators, e.g. @auth.verify_password as well as @auth.login_required.

I think it would be nice to be able to just receive the current user as a parameter and remove the need to use flask's g object.

Below is a simplified example just to illustrate the idea:

def login_required(f):    
    user = "jane" # in reality obtain the user from the callback

    @wraps(f) 
    def __decorated_function(*args, **kwargs):    
        new_args = (*args, user) # inject user into parameters to `f`
        f(*new_args, **kwargs)
    
    return __decorated_function

Are there plans to add type annotations or stub files for mypy to flask-httpauth?

As you seem to want to support Python 2, I guess stub files would be the way to go. Would you be open to a PR?

This uses constant time string comparisons everywhere that looked plausibly like it might matter:

• Plaintext password comparison
• Digest nonce comparison
• Digest hash comparison

Fixes #82

Hi, is it possible to make auth concuretly for two users?

I am using your default Basic authentication example.

Example: User 1 opened page, basic auth prompt shows up. He didnt write anything and has opened prompt. User 2 wants to open page, but he can't. Loading bar is still loading and BasicAuth prompt is not showing up.

WSGI app is not serving any requests.

Is it possible to make this http basic auth non blocking?

Thanks, Tomas

For my own project i have added a simple way to add role based access control to BasicAuth:

class HTTPRoleAuth(flask_httpauth.HTTPBasicAuth):
    def __init__(self, scheme=None, realm=None):
        super().__init__(scheme, realm)
        self.get_user_roles_callback = None

    def get_user_roles(self, f):
        """ user roles are the roles the user has """
        self.get_user_roles_callback = f
        return f

    def roles_required(self, *endpoint_roles):
        """ endpoint roles are the roles (str) the user has to have to get access to the (decorated) endpoint """
        def decorator(f):
            @wraps(f)
            def decorated(*args, **kwargs):
                """ basically the login_required decorated but with a check of 'authorize' """
                auth = self.get_auth()
                if request.method != 'OPTIONS':  # pragma: no cover
                    password = self.get_auth_password(auth)

                    if not (self.authenticate(auth, password) and
                            self.authorize(auth, endpoint_roles)):
                        request.data  # empty the stream
                        return self.auth_error_callback()

                return f(*args, **kwargs)
            return decorated
        return decorator

    def authorize(self, auth, endpoint_roles):
        """ if any of the roles of the user correspond to the endpoint roles; the user gets access """
        if not auth.username:
            return False
        user_roles = self.get_user_roles_callback(auth.username)
        return any(role in endpoint_roles for role in user_roles)

used as in:

    @route('/try_roles/<data>', methods=['GET'])
    @auth.roles_required("super", "security")
    def try_login_with_roles(self, data):
        """ roles test url """
        return {"success": True, "data": data}

compared to:

    @route('/try_login/<data>', methods=['GET'])
    @auth.login_required
    def try_login(self, data):
        """ login test url """
        return {"success": True, "data": data}

with roles_required a replacement for login_required with the additional requirement that the user has one of the roles (obtained through the get_user_roles callback) set by the decorator.

Is this something to add to the repo?

Have you considered changing this module to support hashed passwords? A simple function that mutated the HTTP provided password before it was compared against the password obtained from @auth.get_password would do the trick. Perhaps a decorator called @auth.hash_password?

This would let you use Basic Auth over SSL and provide much stronger hashing than what's built into HTTP Digest, and prevent your service from storing plaintext passwords in the DB.

So "get_password" is expecting a raw password. We do store passwords in SHA256 and we even dont know how to retrieve a actual password from that hash value. So the function can be improved to accomodate that.

How can I protect arbitrary routes in my webapp with HTTPAuth? In particular, using flask-apispec (swagger) I just initialize the extension and optionally provide setting on what the routes are, e. g.:

from flask_httpauth import HTTPBasicAuth
from flask_apispec.extension import FlaskApiSpec
from werkzeug.security import check_password_hash

auth = HTTPBasicAuth()
docs = FlaskApiSpec()

def register_extensions(app):
    # ...

    @auth.verify_password
    def verify_password(username, password):  # pylint: disable=unused-variable
        users = app.config["AUTH_USERS"]
        for user in users:
            if user["name"] != username:
                continue
            if check_password_hash(user["password"], password):
                return user
        return False

    @auth.get_user_roles
    def get_user_roles(user):  # pylint: disable=unused-variable
        return user["roles"]

    # ...

    app.config.update(
        {
            "APISPEC_SPEC": ...,
            "APISPEC_SWAGGER_URL": "/swagger/",
            "APISPEC_SWAGGER_UI_URL": "/swagger-ui/",
        }
    )
    docs.init_app(app)

    # ...

Flask-HTTPAuth only provides decorators for me, so how can I protect those routes that are not declared by me? (Besides only enabling the apispec extension in Development/Testing environments.)

In my REST API webapp, I wanted to provide read-only access as well as read-and-write access using different roles for different HTTP methods, and both protected by HTTPBasicAuth.

My current (working) solution is:

# logging just to trace calls
from functools import wraps

from flask import Blueprint
from flask import current_app
from flask import request

from ..app import auth

bp_api = Blueprint("api", __name__)

def login_required_method_filter(role, methods=None):
    def filter_method_decorator(f):
        @wraps(f)
        def decorated_function(*args, **kwargs):
            current_app.logger.warning(
                "request? - %s - %s of %s - %s",
                request.endpoint,
                request.method,
                methods,
                role,
            )
            if methods and request.method not in methods:
                # ignore and continue with request
                return None

            f_authd = auth.login_required(role=role)(f)
            return f_authd(*args, **kwargs)

        return decorated_function

    return filter_method_decorator


@bp_api.before_request
@login_required_method_filter(role="api-rw", methods=("POST", "DELETE", "PUT"))
def before_request_rw():
    """Protect write API routes"""
    current_app.logger.warning(
        "before_request_rw - %s - %s", request.endpoint, request.method
    )


@bp_api.before_request
@login_required_method_filter(role="api-ro", methods=("GET", "HEAD", "OPTIONS"))
def before_request_ro():
    """Protect API routes"""
    # user = auth.current_user()
    # roles = user["roles"]
    # if request.method in ("GET", "HEAD") ...
    current_app.logger.warning(
        "before_request_ro - %s - %s", request.endpoint, request.method
    )

# api methods, using MethodViews or MethodResource from flask_apispec

# app httpauth configs
"AUTH_USERS": [
    {
        "name": "api-ro",
        "password": generate_password_hash("api-ro"),
        "roles": ["api-ro"],
    },
    {
        "name": "api-rw",
        "password": generate_password_hash("api-rw"),
        "roles": ["api-rw", "api-ro"],
    },
]

The idea is that the authentiation with roles only checks if the correct HTTP method is used, else the method is unprotected. But with covering all HTTP methods, one check will work and protect using the given role. So the main issue is when not all HTTP methods are covered with handlers it could potentially let a request through. (methods=None is the catch-all to protect against this)

In my tests it works reliably. The only problem for me is currently (in my browser) how to disable old tokens, e. g. if I want to switch between read+write and read-only ...

Maybe this is a use-case that is interesting for others or can even be included into this library.

Hello,

I am trying to authenticate my API.

some background information: I am using the HTTPBasicAuth() function (if you recommend anything else for this situation I do not mind changing the code)

Below is my app.py script

users={}
secrets = "./secrets.json" 
with open(secrets, 'r') as c:
    secrets_json = json.load(c)

user = secrets_json['API']['user']
password = secrets_json['API']['password']
users[user] = generate_password_hash(password)

app = Flask(__name__)
auth = HTTPBasicAuth()

@auth.verify_password
def verify_password(username, password):
    if username in users:
          return check_password_hash(users.get(username), password)
    return False

@app.route("/",methods=["GET"])
@auth.login_required
def main():
    return "Hello World"

@app.route("/annotate/",methods=["GET"])
@auth.login_required
def annotate():
#Annotate functions.....

if __name__ == "__main__":
    http_server = WSGIServer(('0.0.0.0',5000), app)
    http_server.serve_forever()

When I am using: curl -u Maria http://localhost:5000/ It asks for authentication, but if I call the annotate function using: curl -u Maria http://localhost:5000/annotate/gene=BRAF&protein_change=V600E&variant_type=MISSENSE

It doesn't ask for authentication.

I also want it to ask for authentication when using a web browser. When I ran it the first time, it asked through the browser but that was it. I was reading through your other issues and comments and you said it asks only once, but how can I make it ask every time?

Thank you very much for any help you can provide! Maria Nakhoul

If we implement @auth.get_password as described in the doc:

@auth.get_password
def get_pw(username):
    if username in users:
        return users[username]
    return None

When the user logs in with an invalid user name, the script with raise an error:

  File ".../env/lib/python3.3/site-packages/flask_httpauth.py", line 52, in decorated
    if not self.authenticate(auth, password):
  File ".../env/lib/python3.3/site-packages/flask_httpauth.py", line 108, in authenticate
    a1 = auth.username + ":" + auth.realm + ":" + password
TypeError: Can't convert 'NoneType' object to str implicitly

(BTW the test suite does not catch this because it simply makes every invalid user's password being 'other'. This is totally wrong, and should return some non-string to indicate unconditional rejection.)

It would be nice if you could support application factories. Then would be this possible:

from flask_httpauth import HTTPBasicAuth

auth = HTTPBasicAuth()

def create_app():
    app = Flask(__name__)
    auth.init_app(app)

Hello, I'm using Basic auth as provided in the tutorial example. the entry looks like

@app.route('/', methods=['GET', 'POST', 'OPTIONS', 'PUT', 'DELETE', 'HEAD', 'PATCH'])
@app.route('/<path:input_path>', methods=['GET', 'POST', 'OPTIONS', 'PUT', 'DELETE', 'HEAD', 'PATCH'])
@auth.login_required
def enter(input_path='/'):

Interestingly, firefox seems to remember the login information correctly and only asks for it once.

After successful authentication, What is the type of g.flask_httpauth_user that is added by the @login_required decorator?

I expect to find user object, But As I can understand from the source code, It is always str or None. In the case of string it will be the username. If my note is true, It will is better to change this behavior to store user object. If this will break the backword compatibility, I suggest to add optional user loader callback, that will be called after successful login.

The current behavior break the example mentioned :

`@bp.route('/tokens', methods=['POST'])
 @basic_auth.login_required
def get_token():
    token = basic_auth.current_user().get_token()
    db.session.commit()
    return jsonify({'token': token})` 

basic_auth.current_user() return the g.flask_httpauth_user which has no method named get_token()

Thank you.

Version: 4.4.0

Hello Miguel,

I have a use case where for some REST endpoints I want to use the HTTP Basic Auth but let authentication run against custom htpasswd file. For example, for endpoint http://localhost:5000/api/someAPIcall I want to pass specific tenant and authentication will run against his/her htpasswd file - look up via file system in specific directory. My goal is to separate different tenants (customers) and not to use just one big common htpasswd file for all of them.

Unfortunately, I am not that deep into Python and Flask, tough digging currently on everyday basis. Looking at the functions and wondering how to do that.

I noticed that using @auth.login_required doesn't work when used on a socketio connect handler. It prevents the function from running, which makes it appear that it works, but it does not actually prevent the connection. This means that unauthenticated clients will be connected, and will receive events. Example:

@socketio.on('connect')
@auth.login_required
def connect():
  # this handler does not run, but the client is still connected
  app.logger.info('connected')

I believe that this is due to the fact that the connection rejection in http handlers and in socketio handlers does not work the same way - socketio connect handlers are supposed to return False to reject a connection, while http handlers send a status code etc. I resorted to using the following approach, which appears to work:

@socketio.on('connect')
@auth.login_required(optional=True)
def connect():
    if not auth.current_user():
        app.logger.info('rejected client')
        # This works - reject clients by returning False.
        return False
    app.logger.info(f'client connected, current_user = {auth.current_user()}')

A full working example is going to be a bit of a pain to write since it requires both a server and a client, but I can do that if it helps.

On a side note, my understanding is that only the connect handler needs to be protected by authentication, and all the other socketio handlers are protected implicitly since clients can't connect. Is this correct?