Flask RESTful API并为特定用户进行身份验证 [英] Flask RESTful API and authenticating for a specific user
问题描述
我想根据谁在进行身份验证,从/ api / users / [user_id]返回一个JSON用户对象的不同子集。因此,如果用户爱丽丝试图访问/ api / users /爱丽丝,她将获得更多的她的信息(如私人设置等),比简单地得到她的公众形象的用户bob。 >
我正在使用httpbasicauth的flask_restful。现在我有以下几种:
pre code> class UserAPI(flask_restful.Resource):
@ g.auth.login_required
def get(self,username):
#这里是我要获取HTTPBasicAuth用户名
#的位置,以确定返回多少数据
user = User。对象(username = username).exclude('password')。first()
如果用户不是None:
return user.to_json()
else:
flask_restful.abort(404,message ='User not found:'+ username)
问题是我似乎无法弄清楚获取HTTP基本身份验证数据的方法。我知道我可以解析请求并解码base-64数据,但我觉得我不应该这样做。或者,甚至更好的办法是将user_id从/ api / users / [user_id]传递到login_required注释。
我觉得这是一个很常见的用例,所以我不明白为什么我在这个领域找不到任何东西。我的设计完全错了吗?
非常感谢!
我建议不要使用flask.ext.httpauth。我没有觉得它非常有用。我使用一个装饰器来获取授权标题,并使用数据库进行检查。您可以访问在request.authorization.username中输入的用户名,密码在request.authorization.password。
from flask import请求来自flask.ext.restful的
导入abort,来自functools的资源
导入包装
$ b $ def require_auth(f):
@wrap(f)
def装饰(* args,** kwargs):
auth = request.authorization
如果不是auth:
abort(401)
user = User.objects(username = auth。用户名).first()
auth_ok = False
如果用户!=无:
auth_ok = verify_password(auth.password)== user.password
如果不是auth_ok:
返回abort(401)
返回f(* args,** kwargs)
返回装饰
类UserAPI(资源):
@ require_auth
def get(self):
user = User.objects(username = request.authorization.username).\
exclude('password')。first()
如果用户不是None:
返回user.to_json()
else:
abort(404,message ='User not found:'+ username)
I am relatively new to RESTful API, so it is certainly possible I am not designing this correctly.
I want to return a different subsets of a JSON user object from /api/users/[user_id] based on who is authenticating. So if the user "alice" is trying to access /api/users/alice, she would get much more of her info (such as private settings, etc) than user "bob" who would simply get her public profile.
I am currently using flask_restful with httpbasicauth. Right now I have the following:
class UserAPI(flask_restful.Resource):
@g.auth.login_required
def get(self, username):
# here is where I want to get the HTTPBasicAuth username
# to determine how much data to return
user = User.objects(username=username).exclude('password').first()
if user is not None:
return user.to_json()
else:
flask_restful.abort(404, message='User not found: ' + username)
The issue is that I cannot seem to figure out a CLEAN way to get the HTTP basic auth data. I know I could parse the request and decode the base-64 data, but I feel I shouldn't have to do that. Or, even better, find a way to pass the user_id from /api/users/[user_id] into the login_required annotation.
I feel this is would be a very common use case so I can't figure out why I can't find anything in this area. Am I designing this completely wrong?
Thanks very much!
I suggest not using flask.ext.httpauth. I didn't find it very useful. I use a decorator that takes the Authorization header and checks it with the db. You can access the username entered in request.authorization.username and the password is in request.authorization.password.
from flask import request
from flask.ext.restful import abort, Resource
from functools import wraps
def requires_auth(f):
@wraps(f)
def decorated(*args, **kwargs):
auth = request.authorization
if not auth:
abort(401)
user = User.objects(username=auth.username).first()
auth_ok = False
if user != None:
auth_ok = verify_password(auth.password) == user.password
if not auth_ok:
return abort(401)
return f(*args, **kwargs)
return decorated
class UserAPI(Resource):
@requires_auth
def get(self):
user = User.objects(username=request.authorization.username).\
exclude('password').first()
if user is not None:
return user.to_json()
else:
abort(404, message='User not found: ' + username)
这篇关于Flask RESTful API并为特定用户进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
