在烧瓶中保护RESTapi [英] Securing RESTapi in flask

问题描述

我正在使用的应用程序使用了大量的ajax调用。不幸的是，在研究如何限制对API的访问时，我遇到了一个障碍。例如：

• 我有一个ajax调用 http：// site / api / tasks / bob
  
  i需要确保只有bob登录才能读取该表
  （否则有人知道该模式可能会要求查看bob的
  任务，只需在浏览器中输入url即可）。


• 在不同的页面上，同一个表需要能够调用 http：// site / api / tasks / all 并显示所有用户的任务（只有管理员应该可以这样做）

感谢您的阅读时间和答案。 / div>

这个千足的视图是你需要通过以下方式认证用户： //en.wikipedia.org/wiki/Basic_access_authenticationrel =noreferrer> basic 或摘要）。
$ b B）服务器端会话。 （用户验证并接收会话密钥 - 他们的用户信息存储在服务器上的会话后端，附加到该密钥一旦他们有一个会话，他们可以让请求通过他们的会话密钥给你（在URL或在一个cookie），他们有权访问的信息会返回给他们。）

Flask有一对有用的扩展，处理这种事情的很大一部分 - 检查 Flask-Login 和 Flask-Principal 查看示例如何将授权添加到Flask应用程序。

The app I'm deving uses a lot of ajax calls. Unfortunately I hit a snag when researching on how to restrict access to the api. For example:

• i have table that does an ajax call to http://site/api/tasks/bob
  i need to make sure that only bob, logged in, can read that table (otherwise somebody who knows the pattern might request to see bob's tasks by simply entering the url in the browser).
• on a different page,the same table needs to be able to call http://site/api/tasks/all and show the tasks of all users (only an admin should be able to do that)

Thank you for your time reading this and maybe answering it.

解决方案

The thousand-foot view is you need to authenticate the user either with:

A) HTTP-Auth (either basic or digest) on each request.

B) Server-side sessions. (The user authenticates and receives a session key - their user information is stored in the session backend on the server, attached to that key Once they have a session they can make requests passing their session key back to you (either in the URL or in a cookie) and the information they have access to is returned to them.)

Flask has a pair of useful extensions that deal with a large part of this sort of thing - check out Flask-Login and Flask-Principal to see examples of how authorization can be added to a Flask application.

这篇关于在烧瓶中保护RESTapi的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！