jpvanhal / flask-basicauth
HTTP basic access authentication for Flask.
Home Page: https://flask-basicauth.readthedocs.io/
License: Other
Something like this works, though it needs access to the BasicAuth instance.

```python
class SecuredStaticFlask(Flask):
    # Require basic auth before any file from the static folder is served.
    @basic_auth.required
    def send_static_file(self, filename):
        return super(SecuredStaticFlask, self).send_static_file(filename)
```
There are certain security benefits to publishing wheels:

```
# mitigate supply chain risk by using --only-binary
pip install flask-basicauth --only-binary=:all:
```

It looks like you're using setup.py, so if you add bdist_wheel

```
python setup.py build sdist bdist_wheel
```

and then twine upload the .whl file, that would do it.
Thanks!
Hello,
this has been reported in Debian as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064764, when running tests with flask-basicauth/0.2.0 I got these errors:
python3.12 -m unittest -v test_basicauth.py; python3.11 -m unittest -v test_basicauth.py;
test_asks_for_authentication (test_basicauth.BasicAuthTestCase.test_asks_for_authentication) ... ok
test_asks_for_authentication_with_custom_realm (test_basicauth.BasicAuthTestCase.test_asks_for_authentication_with_custom_realm) ... ok
test_check_credentials_with_correct_credentials (test_basicauth.BasicAuthTestCase.test_check_credentials_with_correct_credentials) ... ok
test_check_credentials_with_incorrect_credentials (test_basicauth.BasicAuthTestCase.test_check_credentials_with_incorrect_credentials) ... ok
test_requires_authentication_for_all_views_when_forced (test_basicauth.BasicAuthTestCase.test_requires_authentication_for_all_views_when_forced) ... ok
test_responds_with_200_with_correct_credentials (test_basicauth.BasicAuthTestCase.test_responds_with_200_with_correct_credentials) ... FAIL
test_responds_with_200_with_correct_credentials_containing_colon (test_basicauth.BasicAuthTestCase.test_responds_with_200_with_correct_credentials_containing_colon) ... FAIL
test_responds_with_401_with_incorrect_credentials (test_basicauth.BasicAuthTestCase.test_responds_with_401_with_incorrect_credentials) ... ok
test_responds_with_401_without_authorization (test_basicauth.BasicAuthTestCase.test_responds_with_401_without_authorization) ... ok
test_runs_decorated_view_after_authentication (test_basicauth.BasicAuthTestCase.test_runs_decorated_view_after_authentication) ... FAIL
test_sets_default_values_for_configuration (test_basicauth.BasicAuthTestCase.test_sets_default_values_for_configuration) ... ok
test_views_without_basic_auth_decorator_respond_with_200 (test_basicauth.BasicAuthTestCase.test_views_without_basic_auth_decorator_respond_with_200) ... ok
======================================================================
FAIL: test_responds_with_200_with_correct_credentials (test_basicauth.BasicAuthTestCase.test_responds_with_200_with_correct_credentials)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/build/flask-basicauth-0.2.0/test_basicauth.py", line 96, in test_responds_with_200_with_correct_credentials
self.assertEqual(response.status_code, 200)
AssertionError: 401 != 200
======================================================================
FAIL: test_responds_with_200_with_correct_credentials_containing_colon (test_basicauth.BasicAuthTestCase.test_responds_with_200_with_correct_credentials_containing_colon)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/build/flask-basicauth-0.2.0/test_basicauth.py", line 104, in test_responds_with_200_with_correct_credentials_containing_colon
self.assertEqual(response.status_code, 200)
AssertionError: 401 != 200
======================================================================
FAIL: test_runs_decorated_view_after_authentication (test_basicauth.BasicAuthTestCase.test_runs_decorated_view_after_authentication)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/build/flask-basicauth-0.2.0/test_basicauth.py", line 111, in test_runs_decorated_view_after_authentication
self.assertEqual(
AssertionError: b'' != b'This view always requires authentication.'
----------------------------------------------------------------------
Ran 12 tests in 0.024s
FAILED (failures=3)
This happens with both Python 3.11 and 3.12; full build logs: flask-basicauth_0.2.0-4_amd64.build.txt
I'm trying to figure out if flask-basicauth doesn't support this, or if I'm doing something wrong.
With other http / apache Basic Auth you can get straight to the site through embedding the user/pass into the URL like:
http://user:pass@server
Is this possible? I haven't made it work yet. Below is my code.
```python
import flask
from flask_cors import CORS
from flask_basicauth import BasicAuth

app = flask.Flask(__name__)
CORS(app)
# CORS(app, expose_headers='Authorization')  # Did not work
app.config['BASIC_AUTH_USERNAME'] = 'user'
app.config['BASIC_AUTH_PASSWORD'] = 'pass'
app.config['BASIC_AUTH_FORCE'] = True
basic_auth = BasicAuth(app)

@app.route('/', methods=['GET'])
def hello():
    return '''Running'''
```
check_credentials does not use a constant time string comparison method.
This behaviour is unsafe and I think it could lead to a potential timing attack.
Hi!
I'm having a similar problem as this one, but with this lib:
https://www.digitalocean.com/community/questions/flask-and-http-basic-authentication
In my machine everything works as it should, but when I try it in the production server, when I try to access a page where authentication is needed, the auth prompt keeps popping up, even after inserting the correct user and password.
Info about the machine in which there are problems:
uname -a
Linux chronos 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/issue
CentOS release 6.5 (Final)
apachectl -V
Server version: Apache/2.2.15 (Unix)
I had installed Flask-BasicAuth using:

```
sudo pip install Flask-BasicAuth
```

My code looks like this:

```python
from flask import Flask, render_template
from flask_basicauth import BasicAuth

app = Flask(__name__)
app.config['BASIC_AUTH_USERNAME'] = 'john'
app.config['BASIC_AUTH_PASSWORD'] = 'matrix'
app.config['BASIC_AUTH_FORCE'] = True
basic_auth = BasicAuth(app)

@app.route('/')
@basic_auth.required
def secret_view():
    return render_template('404.html')

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=3000)
```

But when I run it, the error is:
Traceback (most recent call last):
File "run.py", line 2, in <module>
from flask_basicauth import BasicAuth
ImportError: No module named flask_basicauth
Hi,
I'd been getting the following warning repeatedly whenever starting my flask server while working on my app::
1: ExtDeprecationWarning: Importing flask.ext.basicauth is deprecated, use flask
_basicauth instead.
.format(x=modname), ExtDeprecationWarning
* Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
It was really easy to fix - instead of having::
from flask.ext.basicauth import BasicAuth
I had to write::
from flask_basicauth import BasicAuth
However, I noticed that your documentation is a bit out of date and lists the old method of importing an extension. Can I submit a PR and fix this for you?
I'm trying to run the unit tests, so that I can write a PR.
I can't figure out how. There's no `requirements.txt` or `requirements_test.txt`. `setup.py` only specifies `Flask` as a dependency, and no test dependencies.
If I install `Flask` and run `python3 setup.py test`, it says:
ModuleNotFoundError: No module named 'flask.ext'
So are the dependencies in `setup.py` missing something? What do I pip install? `Flask-Ext`? That library has 1 contributor, no stars, no forks, no issues. Is that the right one?
I have a scenario where a route should only be protected by basic auth for certain methods:

```python
@app.route("/items", methods=["GET"])
@basic_auth.required
def list_items():
    ...

@app.route("/items", methods=["POST"])
def create_item():
    ...
```

That's because POSTing requires a bearer token instead of basic auth:

```
> GET /items
> Authorization: Basic ...
> POST /items
> Authorization: Bearer ...
```

However, it seems the `required` decorator does not take into account the method, so with the code above, both handlers are basic auth-protected.
I've been using Basic Auth for some time, but it seems with the recent updates to browsers that this functionality no longer works. If you do a BASIC_AUTH_FORCE and try to secure your entire application, it constantly pops up the user/password box on any route that you go to. My guess would be that it's not storing the authorization header correctly anymore?
If I use @required that seems to work fine, but anything beyond that breaks. In my application I do config from object, but I don't think that's what's causing the bug?
Hi, would you be interested in a patch that adds support for excluding certain routes when `BASIC_AUTH_FORCE = True`? I want to protect all endpoints with the exception of for example `/healthcheck`.
return password == "password" is vulnerable to timing attacks. Something like https://github.com/PeterScott/streql should be used to prevent them.
I can make a PR if you want.
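Both timing-attack reports on this page (the `check_credentials` issue and the `password == "password"` one) ask for the same thing, a constant-time comparison. The following is an added example, not code from Flask-BasicAuth or from either reporter: it uses the standard library's `hmac.compare_digest`, the names `constant_time_check` and `ConstantTimeBasicAuth` are hypothetical, and rejecting unset credentials is an assumption of this example.

```python
import hmac

def _to_bytes(value):
    # hmac.compare_digest raises TypeError on non-ASCII str, so compare
    # UTF-8 bytes; a missing (None) supplied field is treated as empty.
    if value is None:
        return b""
    return value.encode("utf-8") if isinstance(value, str) else bytes(value)

def constant_time_check(username, password, expected_username, expected_password):
    """Return True only when both fields match the configured values."""
    # Assumption of this example: fail closed, so an unset or empty
    # configured credential never matches an empty login.
    if not expected_username or not expected_password:
        return False
    user_ok = hmac.compare_digest(_to_bytes(username), _to_bytes(expected_username))
    pass_ok = hmac.compare_digest(_to_bytes(password), _to_bytes(expected_password))
    # Both comparisons have already run, so a wrong username does not
    # skip the password comparison.
    return user_ok and pass_ok

try:
    from flask import current_app
    from flask_basicauth import BasicAuth
except ImportError:  # the helper above still works without Flask installed
    BasicAuth = None

if BasicAuth is not None:
    class ConstantTimeBasicAuth(BasicAuth):
        # Hypothetical subclass: overrides the extension's check_credentials
        # hook and reads the same config keys used in the posts above.
        def check_credentials(self, username, password):
            cfg = current_app.config
            return constant_time_check(
                username, password,
                cfg.get("BASIC_AUTH_USERNAME"), cfg.get("BASIC_AUTH_PASSWORD"),
            )
```

`compare_digest` hides where two values first differ, not how long they are, so it removes the character-by-character timing signal of `==` but not every side channel.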