jpvanhal / flask-basicauth Goto Github PK
View Code? Open in Web Editor NEWHTTP basic access authentication for Flask.
Home Page: https://flask-basicauth.readthedocs.io/
License: Other
flask-basicauth's People
Contributors
Stargazers
Watchers
Forkers
trg mikewallace1979 centum opyate srikiraju adamchainz rhorst r-hu1 oceanpad megahall gnordens ranjankumarpatel anocella mroci ashokdelphia dvincelli hervemignot misza222 md2perpe welomodev lasitha-sparrow ingeniouscoderarchives marcosstefani mdavis-xyz ajeeb-siterx amcclanaghan-kvhflask-basicauth's Issues
Deprecation warning for import of flask-basicauth
Hi,
I'd been getting the following warning repeatedly whenever starting my flask server while working on my app::
1: ExtDeprecationWarning: Importing flask.ext.basicauth is deprecated, use flask
_basicauth instead.
.format(x=modname), ExtDeprecationWarning
* Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
It was really easy to fix - instead of having::
from flask.ext.basicauth import BasicAuth
I had to write::
from flask_basicauth import BasicAuth
However, I noticed that your documentation is a bit out of date and lists the old method of importing an extension. Can I submit a PR and fix this for you?
Constant-time string comparison to prevent timing attacks
return password == "password" is vulnerable to timing attacks. Something like https://github.com/PeterScott/streql should be used to prevent them.
I can make a PR if you want.
Unable to run tests - dependency issue
I'm trying to run the unit tests, so that I can write a PR.
I can't figure out how. There's no requirements.txt or requirements_test.txt.
setup.py only specifies Flask as a dependency, and no test dependencies.
If I install Flask and run python3 setup.py test, it says:
ModuleNotFoundError: No module named 'flask.ext'
So are the dependencies in setup.py missing something? What do I pip install? Flask-Ext? That library has 1 contributor, no stars, no forks, no issues. Is that the right one?
Can you publish as as wheel as well as sdist?
There are certain security benefits to publishing wheels
# mitigate supply chain risk by using --only-binary
pip install flask-basicauth --only-binary=:all:
It looks like you're using setup.py, so if you add bdist_wheel
python setup.py build sdist bdist_wheel
and then twine upload the .whl file, that would do it.
Thanks!
Basic Auth Force Broken
I've been using Basic Auth for some time, but it seems with the recent updates to browsers that this functionality no longer works. If you do a BASIC_AUTH_FORCE and try to secure your entire application, it constantly pops up the user/password box on any route that you go to. My guess would be that it's not storing the authorization header correctly anymore?
If I use @required that seems to work fine, but anything beyond that breaks. In my application I do config from object, but I don't think that's what's causing the bug?
tests failure: `AssertionError: 401 != 200` and `AssertionError: b'' != b'This view always requires authentication.'`
Hello,
this has been reported in Debian as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064764, when running tests with flask-basicauth/0.2.0 i got these errors:
python3.12 -m unittest -v test_basicauth.py; python3.11 -m unittest -v test_basicauth.py;
test_asks_for_authentication (test_basicauth.BasicAuthTestCase.test_asks_for_authentication) ... ok
test_asks_for_authentication_with_custom_realm (test_basicauth.BasicAuthTestCase.test_asks_for_authentication_with_custom_realm) ... ok
test_check_credentials_with_correct_credentials (test_basicauth.BasicAuthTestCase.test_check_credentials_with_correct_credentials) ... ok
test_check_credentials_with_incorrect_credentials (test_basicauth.BasicAuthTestCase.test_check_credentials_with_incorrect_credentials) ... ok
test_requires_authentication_for_all_views_when_forced (test_basicauth.BasicAuthTestCase.test_requires_authentication_for_all_views_when_forced) ... ok
test_responds_with_200_with_correct_credentials (test_basicauth.BasicAuthTestCase.test_responds_with_200_with_correct_credentials) ... FAIL
test_responds_with_200_with_correct_credentials_containing_colon (test_basicauth.BasicAuthTestCase.test_responds_with_200_with_correct_credentials_containing_colon) ... FAIL
test_responds_with_401_with_incorrect_credentials (test_basicauth.BasicAuthTestCase.test_responds_with_401_with_incorrect_credentials) ... ok
test_responds_with_401_without_authorization (test_basicauth.BasicAuthTestCase.test_responds_with_401_without_authorization) ... ok
test_runs_decorated_view_after_authentication (test_basicauth.BasicAuthTestCase.test_runs_decorated_view_after_authentication) ... FAIL
test_sets_default_values_for_configuration (test_basicauth.BasicAuthTestCase.test_sets_default_values_for_configuration) ... ok
test_views_without_basic_auth_decorator_respond_with_200 (test_basicauth.BasicAuthTestCase.test_views_without_basic_auth_decorator_respond_with_200) ... ok
======================================================================
FAIL: test_responds_with_200_with_correct_credentials (test_basicauth.BasicAuthTestCase.test_responds_with_200_with_correct_credentials)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/build/flask-basicauth-0.2.0/test_basicauth.py", line 96, in test_responds_with_200_with_correct_credentials
self.assertEqual(response.status_code, 200)
AssertionError: 401 != 200
======================================================================
FAIL: test_responds_with_200_with_correct_credentials_containing_colon (test_basicauth.BasicAuthTestCase.test_responds_with_200_with_correct_credentials_containing_colon)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/build/flask-basicauth-0.2.0/test_basicauth.py", line 104, in test_responds_with_200_with_correct_credentials_containing_colon
self.assertEqual(response.status_code, 200)
AssertionError: 401 != 200
======================================================================
FAIL: test_runs_decorated_view_after_authentication (test_basicauth.BasicAuthTestCase.test_runs_decorated_view_after_authentication)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/build/flask-basicauth-0.2.0/test_basicauth.py", line 111, in test_runs_decorated_view_after_authentication
self.assertEqual(
AssertionError: b'' != b'This view always requires authentication.'
----------------------------------------------------------------------
Ran 12 tests in 0.024s
FAILED (failures=3)
this happens with both python 3.11 and 3.12; full build logs
flask-basicauth_0.2.0-4_amd64.build.txt
Problem with authentication in Apache
Hi!
I'm having a similar problem as this one, but with this lib:
https://www.digitalocean.com/community/questions/flask-and-http-basic-authentication
In my machine everything works as it should, but when I try it in the production server, when I try to access a page where authentication is needed, the auth prompt keeps popping up, even after inserting the correct user and password.
Info about the machine in which there are problems:
uname -a
Linux chronos 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/issue
CentOS release 6.5 (Final)
apachectl -V
Server version: Apache/2.2.15 (Unix)Is this project abandoned?
Excluding certain routes when BASIC_AUTH_FORCE = True
Hi, would you be interested in a patch that adds support for excluding certain routes when BASIC_AUTH_FORCE = True? I want to protect all endpoints with the exception of for example /healthcheck.
Not supporting https://user:pass@server
I'm trying to figure out if flask-basicauth doesn't support this, or if I'm doing something wrong.
With other http / apache Basic Auth you can get straight to the site through embedding the user/pass into the URL like:
http://user:pass@server
Is this possible? I haven't made it work yet. Below is my code.
`
from flask_basicauth import BasicAuth
app = flask.Flask(name)
CORS(app)
#CORS(app, expose_headers='Authorization'). #Did not work
app.config['BASIC_AUTH_USERNAME'] = 'user'
app.config['BASIC_AUTH_PASSWORD'] = 'pass'
app.config['BASIC_AUTH_FORCE'] = True
basic_auth = BasicAuth(app)
@app.route('/', methods=['GET'])
def hello():
return '''Running'''
`
Handle Protecting Static Files
something like this works, though it needs access to the BasicAuth instance.
class SecuredStaticFlask(Flask):
@basic_auth.required
def send_static_file(self, filename):
return super(SecuredStaticFlask, self).send_static_file(filename)required decorator does not take into account method
I have a scenario where a route should only be protected by basic auth for certain methods:
@app.route("/items", methods=["GET"])
@basic_auth.required
def list_items():
...
@app.route("/items", methods=["POST"])
def create_item():
...That's because POSTing requires a bearer token instead of basic auth:
> GET /items
> Authorization: Basic ...
> POST /items
> Authorization: Bearer ...
However, it seems the required decorator does not take into account the method, so with the code above, both handlers are basic auth-protected.
ImportError: No module named flask_basicauth
I had installed Flask-BasicAuth use:
sudo pip install Flask-BasicAuth
My code looks like this:
from flask import Flask, render_template
from flask_basicauth import BasicAuth
app = Flask(__name__)
app.config['BASIC_AUTH_USERNAME'] = 'john'
app.config['BASIC_AUTH_PASSWORD'] = 'matrix'
app.config['BASIC_AUTH_FORCE'] = True
basic_auth = BasicAuth(app)
@app.route('/')
@basic_auth.required
def secret_view():
return render_template('404.html')
if __name__ == '__main__':
app.run(host='0.0.0.0', port=3000)
But when I run it, The error is.
Traceback (most recent call last):
File "run.py", line 2, in <module>
from flask_basicauth import BasicAuth
ImportError: No module named flask_basicauth
check_credentials not constant time string compare
check_credentials does not use a constant time string comparison method.
This behaviour is unsafe and i think it could lead in a potential timing attack
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.