flask-httpauth's Introduction

Flask-HTTPAuth

Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes.

Installation

The easiest way to install this is through pip.

pip install Flask-HTTPAuth

Basic authentication example

from flask import Flask
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import generate_password_hash, check_password_hash

app = Flask(__name__)
auth = HTTPBasicAuth()

users = {
    "john": generate_password_hash("hello"),
    "susan": generate_password_hash("bye")
}

@auth.verify_password
def verify_password(username, password):
    if username in users and \
            check_password_hash(users.get(username), password):
        return username

@app.route('/')
@auth.login_required
def index():
    return "Hello, %s!" % auth.current_user()

if __name__ == '__main__':
    app.run()

Note: See the documentation for more complex examples that involve password hashing and custom verification callbacks.

Digest authentication example

from flask import Flask
from flask_httpauth import HTTPDigestAuth

app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret key here'
auth = HTTPDigestAuth()

users = {
    "john": "hello",
    "susan": "bye"
}

@auth.get_password
def get_pw(username):
    if username in users:
        return users.get(username)
    return None

@app.route('/')
@auth.login_required
def index():
    return "Hello, %s!" % auth.username()

if __name__ == '__main__':
    app.run()

flask-httpauth's People

Contributors

aayush-kasurde, bastianraschke, bfontaine, brendanlong, chkumar246, edwardbetts, erik-stephens, eugenerymarev, gemerden, greyli, hcarvalhoalves, iffy, jkemp101, jonasps, karih, klssmith, michaelwashburnjr, miguelgrinberg, mrf345, mwri, nestedsoftware, ntrifunovic, odigity, ps, pstiasny, reggiev, renatoliveira, targhs, unuseless, ztpaul

flask-httpauth's Issues

use auth within multiple blueprints

How can a single HTTPAuth setup be used within multiple blueprints? I tried to configure it within the __init__.py of my package and import it within my subpackages. But this is a circular dependency.

__init__.py imports blueprint xy.py, which itself imports __init__.py, because of auth.

Can an authorization token be handled without a prefix?

I see the authorization token has to be prepended by a keyword such as 'Bearer', 'JWT' or 'Token' etc.
It seems to me that this does not add anything besides making the request header less understandable and more prone to errors. Could you add the option, either by setting the default to 'none', or a keyword/boolean to say you're not sending a prefix with the token?

HTTP basicAuth and gevent WSGI

Hi,
I'm running into a strange problem running basic auth on Flask on gevent WSGI.
Authentication works flawlessly for standard requests, but as soon as I ask for request arguments (either GET or POST) I run into errors in the login_required method.
Do you know if there's something to modify in gevent to let authentication run correctly with GET/POST requests?

Thanks
Sebastien

HTTPBasicAuth with custom scheme

Hi,
Maybe I did something wrong, but I am trying to use HTTPBasicAuth with a custom scheme and I am not able to get it to work.
In my Python script, I have:

from flask.ext.httpauth import HTTPBasicAuth
auth = HTTPBasicAuth("FooBar")

Client-side, the header's Authorization line is the concatenation of the scheme and the Base64 encoding of the username:password string:
Authorization:FooBar cXNkcXNkcWQ6ZHNmZGZkZnM=

When the @auth.verify_password function is called, the two parameters are empty (NoneType). But if I set the scheme to the default scheme ('Basic'), these parameters are good.

Did I miss something?

The package's metadata doesn't specify python3 support

Issue 2 makes it seem that python3 is supported. To signal that this package supports python3, please add the following line to the classifiers in the package's metadata: "Programming Language :: Python :: 3".

Flask-HTTPAuth is one of the last packages blocking my move to python3, so if formalities are the only problem here that would be wonderful!

How do I get the problem with the authentication process?

A failure in the authentication process can be:

  • No Authorization header given
  • Wrong scheme given
  • Wrong or missing header data
  • Wrong or not given nonce, opaque, etc... (for HTTPDigestAuth)

Although in production there is not that much gain distinguishing them, in development, much more in quality environment it is good to know and log exactly what is happening inside the application and, when an authorization fails, to know what was the cause.
As it is now, the developer that uses this can only know if the login has failed or succeeded or if there was a problem somewhere between the headers parsing and developer's code.

In my situation, I need to have two programs communicating between each other where I have control over my program but no control over the program that uses this. And so, currently, with it failing, I have no idea if the other program is not sending Authorization, if it is not sending the right scheme in the authorization or if it is sending an empty token (I'm using HTTPTokenAuth).

There are solutions such as logging the Authorization header for a human to read, but I'd really rather just have it done automatically in the response (AKA avoid wasting time with e-mails back and forth).

Any suggestions?

Support for hashed passwords?

Have you considered changing this module to support hashed passwords? A simple function that mutated the HTTP provided password before it was compared against the password obtained from @auth.get_password would do the trick. Perhaps a decorator called @auth.hash_password?

This would let you use Basic Auth over SSL and provide much stronger hashing than what's built into HTTP Digest, and prevent your service from storing plaintext passwords in the DB.

License mismatch (BSD vs MIT)

The license included in the repo and specified in setup.py is the MIT license but in the classifiers section of setup.py it says BSD as it also does in flask_httpauth.py

inject current user into decorator callbacks

I have recently started using flask-httpauth on a project. Something that jumped out at me is setting the current user into the flask g thread-local object via something like g.current_user = user inside verify_password and verify_token.

Would it make sense to create a new decorator, something like @auth.current_user, which takes a callback that returns the current user? This callback can then be used to inject the current user as a parameter into the callbacks for the other flask-httpauth decorators, e.g. @auth.verify_password as well as @auth.login_required.

I think it would be nice to be able to just receive the current user as a parameter and remove the need to use flask's g object.

Below is a simplified example just to illustrate the idea:

from functools import wraps

def login_required(f):
    user = "jane"  # in reality obtain the user from the callback

    @wraps(f)
    def __decorated_function(*args, **kwargs):
        new_args = (*args, user)  # inject user into parameters to `f`
        return f(*new_args, **kwargs)  # pass the view's response back to the caller

    return __decorated_function

any way to allow token somewhere and disallow token elsewhere?

For example,

@auth.verify_password
def verify_password(email_or_token='', password=''):
    pass

@app.route('/users/<username>/', methods=['GET','POST','PUT','DELETE'])
@auth.login_required
def user_all(username):
    # general info
    # allowing auth with username+password or token
    pass

@app.route('/users/<username>/tokens/', methods=['POST', 'DELETE'])
@auth.login_required
def user_token(username):
    # manage tokens
    # only allowing auth with username+password
    pass

In the above routes (resources), I would like to:
allow users to manage general info using username+password or tokens,
allow users to manage tokens using username+password, but NOT tokens here.

In fact, GitHub API is designed like this. :-)

Is there any way to do this with Flask-HTTPAuth?

HTTPAuth.username is not thread safe

The way the logged in username is made available to view functions does not work for multi-threaded servers (multi-process servers are okay).

Problem with authentication in Apache

Hi!

I'm having a similar problem as this one:

https://www.digitalocean.com/community/questions/flask-and-http-basic-authentication

On my machine everything works as it should, but when I try it on the production server and access a page where authentication is needed, the auth prompt keeps popping up, even after entering the correct user and password.

Info about the machine in which there are problems:

uname -a
Linux chronos 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/issue
CentOS release 6.5 (Final)

apachectl -V
Server version: Apache/2.2.15 (Unix)

Problem with the installation process

Hey Hi! First of all I'm not an experienced Python user (but I'm not a novice) and I hope someone can help me with the installation.
My problem is that when I use pip install Flask-HTTTPAuth it doesn't work. (Use WinPython Command Prompt to execute this code)
Here is the error: It was not possible to find a version that satisfies the Flask-HTTPAuth requirement (from versions:)
No distribution found that matches Flask-HTTTPAuth

Is there another methodology to install the extension? Am I doing something wrong?

Best regards and thank you in advance

Python >= 3.2 hashlib is now expecting a byte stream

Hi,

I had some issues with Python 3.3 and hashlib as it seems that hashlib is now requiring a byte stream.

Let me know if this makes sense.

Cheers.

Diff below:

diff --git a/flask_httpauth.py b/flask_httpauth.py
index bdd8f95..55012a5 100644
--- a/flask_httpauth.py
+++ b/flask_httpauth.py
@@ -76,7 +76,7 @@ class HTTPBasicAuth(HTTPAuth):

 class HTTPDigestAuth(HTTPAuth):
     def get_nonce(self):
-        return md5(str(random())).hexdigest()
+        return md5(str(random()).encode('utf-8')).hexdigest()

     def authenticate_header(self):
         session["auth_nonce"] = self.get_nonce()
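Review bot: In get_nonce the nonce is still derived from random(); if that is the standard library's random.random, its output comes from a Mersenne Twister generator and is not suitable as an unpredictable digest nonce. Since this line is being changed anyway, consider taking the nonce from os.urandom (for example hex-encoding 16 bytes from it) instead of only adding .encode('utf-8').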
@@ -89,9 +89,9 @@ class HTTPDigestAuth(HTTPAuth):
         if auth.nonce != session.get("auth_nonce") or auth.opaque != session.get("auth_opaque"):
             return False
         a1 = auth.username + ":" + auth.realm + ":" + password
-        ha1 = md5(a1).hexdigest()
+        ha1 = md5(a1.encode('utf-8')).hexdigest()
         a2 = request.method + ":" + auth.uri
-        ha2 = md5(a2).hexdigest()
+        ha2 = md5(a2.encode('utf-8')).hexdigest()
         a3 = ha1 + ":" + auth.nonce + ":" + ha2
-        response = md5(a3).hexdigest()
+        response = md5(a3.encode('utf-8')).hexdigest()
         return response == auth.response
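Review bot: The last line of this hunk, return response == auth.response, compares the computed digest with the client-supplied value using ==, which is not a constant-time comparison; hmac.compare_digest on the two values encoded as bytes would be the safer choice. Separately, a1 concatenates password directly, so a None password from the lookup raises a TypeError before the new .encode('utf-8') call is reached; a guard that returns False in that case would help.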

Race condition causes (104) Connection reset by peer processing invalid tokens

Under certain conditions flask_httpauth may cause the OS to cause a connection reset (RST) instead of the expected clean socket shutdown (FIN). There are various discussions around the Internet about this situation but basically if the kernel receive buffer has data in it when it receives the close request, the OS will send a RST packet instead of the normal FIN. This causes the client side to discard the response and typically return a "(104) Connection reset by peer." In our case that means the client would regularly see a connection reset instead of the expected return code of 401 and message of EXPIRED TOKEN.

The issue is that flask_httpauth can access the headers and determine the token is invalid before the entire request has been read out of the kernel buffer. Running gunicorn on a fast Centos server we can easily get a 30% failure rate. We have proven this with Centos and .Net clients. The proposed fix is to simply read the request.data property before we start the close sequence to ensure Flask has finished reading the entire HTTP request and the kernel buffer is empty.

What should I send to token-verified url?

I am trying to use curl to debug my app.
I use this command against my URL with token_verify based on
curl -H "Authorization token:eyJhbGciOiJIUzI1NiIsImV4cCI6MTQ2NDA1NTg2OSwiaWF0IjoxNDY0MDU1MjY5fQ.eyJpZCI6bnVsbH0.4Oe60fyM8t6BvPvdZWlNqCO3ZKXW5HHsjVmoaUkp-1E" http://127.0.0.1:5000/app/star/0
I'm sure the token and URL are correct, but when I debug, I find that the @token_auth.verify_token function receives a None token. So how do I send a token when using HTTPTokenAuth?

Cannot call hash_password with one argument

The documentation gives this example:

@auth.hash_password
def hash_pw(password):
    return md5(password).hexdigest()

But this code raises two exceptions:

TypeError: hash_pw() takes 1 positional argument but 2 were given

After the above is fixed:

...
    return hashlib.sha512(password).hexdigest()
TypeError: Unicode-objects must be encoded before hashing

The following code works:

@auth.hash_password
def hash_pw(username, password):
    return hashlib.sha512(password.encode("utf8")).hexdigest()

I am using Python 3.7 and Flask is served through gevent.

Thanks!

auth mechanism in separate file

I'm refactoring some code, and having problems getting flask-httpauth to work when everything's not in the same file.

in my flask app I have my init where imports live, and I've tried putting my verify_password def here.
I have one file/class per route, and I'm having a hard time understanding how to wire everything up.

An example based on a more real-life setup would be super-helpful.
Here's my code atm:
https://github.com/trondhindenes/flansible/tree/e51201b3f89cab90c9d704c6d4050e27febfeaef

Optional Login

How can I check if a user is logged in (the route has no login_required decorator)?

I tried to test if g.user is not None, but I receive following error:

AttributeError: '_AppCtxGlobals' object has no attribute 'user'

is it possible to return different versions of views based on authenticated or not

For example, I am building a Twitter-like website. I would like the website to have these responses:

curl https://localhost/home
# => return a public timeline
curl -u username:password https://localhost/home
# => return the personal timeline

However, if I write code like this:

@app.route('/home')
@auth.login_required
def home():
   pass

I would get:

curl https://localhost/home
# => 401 error (default in Flask-HTTPAuth)

Can I access the params passed into verify_password?

After passing basic authentication in verify password, is it possible to retrieve the user param within a put/get function so that I can check if it has relevant permissions in my database? (thereby altering the data that is returned). One way seems to be creating different auth objects and callbacks, but this could get messy.

Security hole: HTTP Digest Auth implementation relies on cookies for nonce/opaque verification

Correct me if I'm wrong, but since flask.session uses cookies and HTTPDigestAuth uses sessions to hold the nonce, the client-supplied nonce from the authentication header is simply checked against another client-supplied nonce (from the cookie), making it insecure. An attacker sniffing the network can always forge a cookie and so duplicate the same nonce. The same goes for the opaque for that matter. I think the nonce/opaque to check against should be retained fully server-side.
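
The difference between comparing two client-supplied nonces and checking the nonce against state kept on the server, as an added example that is not Flask-HTTPAuth's code. `cookie_held_check` and `ServerNonceStore` are hypothetical names, the cookie's signature is left out of the model, and the nonce-count rule is a simplification of digest `nc` handling.

```python
import secrets
import time


def cookie_held_check(header_nonce, cookie_nonce):
    """Model of the check described above: both values come from the client.

    Assumption: the session cookie's signature is omitted here. A signature
    stops tampering, but a captured cookie replayed unchanged still verifies.
    """
    return header_nonce == cookie_nonce


class ServerNonceStore:
    """Hypothetical in-memory store of nonces this server has issued."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._issued = {}  # nonce -> (expiry, highest nonce count seen)

    def issue(self):
        """Create a nonce from the OS CSPRNG and remember it server-side."""
        nonce = secrets.token_hex(16)
        self._issued[nonce] = (self._clock() + self._ttl, 0)
        return nonce

    def accept(self, nonce, nonce_count):
        """True only for an issued, unexpired nonce with a fresh count."""
        now = self._clock()
        # Drop expired entries so the store does not grow without bound.
        self._issued = {n: s for n, s in self._issued.items() if s[0] > now}
        state = self._issued.get(nonce)
        if state is None:
            return False  # never issued by this server, or expired
        expiry, last_count = state
        if nonce_count <= last_count:
            return False  # this (nonce, count) pair was already used: replay
        self._issued[nonce] = (expiry, nonce_count)
        return True


def replay_demo():
    """Present one captured request twice to each check."""
    store = ServerNonceStore()
    nonce = store.issue()
    # Constructed capture: what an observer of one valid request would hold.
    captured = {"header_nonce": nonce, "cookie_nonce": nonce, "nc": 1}
    cookie = [cookie_held_check(captured["header_nonce"],
                                captured["cookie_nonce"]) for _ in range(2)]
    server = [store.accept(captured["header_nonce"],
                           captured["nc"]) for _ in range(2)]
    return cookie, server


if __name__ == "__main__":
    cookie_results, server_results = replay_demo()
    print("cookie-held check :", cookie_results)
    print("server-side store :", server_results)
```

With several worker processes the store has to live in shared storage (a database or cache) rather than in process memory.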

AttributeError: 'function' object has no attribute 'verify_password'

I am trying to incorporate basic authentication as shown in this link

https://github.com/miguelgrinberg/Flask-HTTPAuth/blob/master/examples/basic_auth.py

in my flask app. The app is deployed on Heroku. The error I keep getting is

@auth.verify_password 
AttributeError: 'function' object has no attribute 'verify_password'

Below is my code

import urllib
import json
import os
import string
import random

from flask import Flask,render_template,request
from sqlalchemy import create_engine, asc
from sqlalchemy.orm import sessionmaker
from database_setup import Base, User
from flask import Flask,render_template
from flask import request
from flask import make_response
from flask import session as login_session
from flask import make_response
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import generate_password_hash, check_password_hash

@auth.verify_password
def verify_password(username_or_token, password):
    #Try to see if it's a token first
    user_id = User.verify_auth_token(username_or_token)
    if user_id:
        user = session.query(User).filter_by(id = user_id).one()
    else:
        user = session.query(User).filter_by(username = username_or_token).first()
        if not user or not user.verify_password(password):
            return False
    g.user = user
    return True

Below is the traceback

2017-02-14T19:28:58.375416+00:00 heroku[web.1]: State changed from crashed to starting
2017-02-14T19:29:01.124995+00:00 heroku[web.1]: Starting process with command `python test.py`
2017-02-14T19:29:04.255161+00:00 heroku[web.1]: Process exited with status 1
2017-02-14T19:29:04.127534+00:00 app[web.1]: Traceback (most recent call last):
2017-02-14T19:29:04.127556+00:00 app[web.1]:   File "test.py", line 234, in <module>
2017-02-14T19:29:04.127594+00:00 app[web.1]:     @auth.verify_password
2017-02-14T19:29:04.127622+00:00 app[web.1]: AttributeError: 'function' object has no attribute 'verify_password'
2017-02-14T19:29:04.299349+00:00 heroku[web.1]: State changed from starting to crashed
2017-02-14T19:29:04.300161+00:00 heroku[web.1]: State changed from crashed to starting

My requirements.txt file contains the following

click==6.7
Flask==0.12
httplib2==0.9.2
itsdangerous==0.24
Jinja2==2.9.4
MarkupSafe==0.23
passlib==1.7.0
SQLAlchemy==1.1.5
virtualenv==15.1.0
Werkzeug==0.11.15
Flask-HTTPauth==3.2.2

Can someone help me figure out what the issue is? I have all the correct imports as suggested on the GitHub example and also have them correctly mentioned in my requirements.txt file. Thanks in advance.

'HTTPDigestAuth' object has no attribute 'hash_password'

When using HTTPDigestAuth as follows

    @auth.hash_password
    def hash_pw(password):
        return pwd_context.encrypt(password)


    @auth.get_password
    def get_pw(login):
        account = Account.query.filter_by(login=login).first()
        if account:
            return account.password
        return None


    @auth.verify_password
    def verify_password(login, password):
        account = Account.query.filter_by(login=login).first()
        if not account:
            return False
        return pwd_context.verify(password, account.password_hash)

you get the above stated error. This is obviously caused by class HTTPDigestAuth(HTTPAuth) as it inherits from HttpAuth, not HttpBasicAuth.

Digest auth

Hey, sorry if this is dumb, but I am pulling my hair out over issues with digest auth and this library.
I copied the example from the readme, and just added host='0.0.0.0' to the app.run to access it from my desktop (running on server). I brought up the URL in Chrome, tried logging in as john with password hello. First time it worked. Then I tried in an incognito tab, and I only get 401s after that. Tried with

curl -v --digest -u "john:hello" host:5000/

Get 401 there as well. Is there some special trick I'm missing for digest auth?

http auth with nginx and uwsgi

Recently I used flask + uwsgi + nginx to make a server, and I use Flask-HTTPAuth to do the digest auth in Flask.
Most of the time it works fine, but when I do a large POST (let's say 3M) I get a 502 error in the browser.
nginx error:

[error] 3438#0: *16 sendfile() failed (32: Broken pipe) while sending request to upstream, client: 203.100.xx.xx, server: xxxx.net, request: "POST /create_invitation HTTP/1.1", upstream: "uwsgi://unix:/xxxxr/uwsgi.sock:

I searched a lot on Google to solve it but didn't succeed until I turned off the HTTP auth.
And it works well now. So should I move HTTP auth from Flask to nginx?

I guess flask-httpauth closes the connection after it sends the 401? So nginx gets an error?

thanks

Can I define different error_handler?

I want to implement the following feature:
When the user wants to post data, redirect to the login page if he doesn't pass the authorization;
When the user wants to fetch data, return part of the resource if he doesn't pass the authorization;
Can I define different error_handler?
Sorry for my poor English.

Multiple verify_password functions?

I followed your REST tutorials and I am trying to build on top of your User token authentication REST app.

In addition to checking for valid login credentials I am trying to restrict some REST resources to only admins.

Is this supported? Can you have multiple verify_password functions with different decorators?

passing token, bad signature

I must be missing something obvious. I create a user and send back an auth token. After that I am using Postman to access a protected route with that auth token, but the token is null. Here is some code:

Create the user:

@api.route('/users', methods=['POST'])
def create_user():
    print('create user')
    user = User(email='[email protected]', password='test')
    if(user.validate_email()) :
        db.session.add(user)
        db.session.commit()
        return jsonify({ 'user': user.to_json(), 'token' : user.generate_auth_token(3600) })
    return jsonify({'error': 'email already taken' })

user model:

def generate_auth_token(self, expiration=600):
        s = Serializer(current_app.config['SECRET_KEY'], expires_in=expiration)
        return s.dumps({'id': self.id}).decode('utf-8')

protected route:

@api.route('/users', methods=['GET'])
@auth_token.login_required
def get_users():
    users = User.query.all()
    return jsonify({'users': [user.to_json() for user in users] })

Verify token method on user model: This is where I get nothing in the token print and ultimately a bad signature

@staticmethod
def verify_auth_token(token):
    print('### verifying')
    print(token)
    s = Serializer(current_app.config['SECRET_KEY'])
    try:
        data = s.loads(token)
    except SignatureExpired:
        print('### expired')
        return None
    except BadSignature:
        print('### bad signature')
        return None
    user = User.query.get(data['id'])
    return user

I guess I'm a bit confused on how this works. the HTTPBasicAuth() object has a decorator method called login_required which always hits the verify_auth_method on the object? Can you please explain this?

Finally, my auth token is sent in a header :

{ Content-Type: application/json, Authorization : myToken}

Token auth and JWT term usage vs. JWS

In e.g. token_auth.py (and several other places) the term JWT is used for the tokens generated. These tokens are generated with the itsdangerous TimedJSONWebSignatureSerializer.
The thing is, these are not JWT tokens, but JSON Web Signatures (JWS, see https://pythonhosted.org/itsdangerous/ ).

Remedy: Don't use the term JWT for these tokens.

Multi auth error - need more than 1 value to unpack

Using MultiAuth (basic+token) and I'm getting an error when not providing a scheme in the Authorization header.

For instance a http :5000/api/ "Authorization: $TK" will throw a 500 error:

scheme, creds = request.headers['Authorization'].split(None, 1)
ValueError: need more than 1 value to unpack

Using try-catch to bypass the exception might be one quick solution. Thoughts?
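
A parser that separates the failure causes listed under "How do I get the problem with the authentication process?" and handles the scheme-less header from the MultiAuth report above without raising, as an added example that is not Flask-HTTPAuth's own code. `AuthFailure`, `parse_authorization` and `diagnose` are hypothetical names, and the sample headers are constructed.

```python
from enum import Enum


class AuthFailure(Enum):
    """Why an Authorization header was rejected before credentials were checked."""
    MISSING_HEADER = "no Authorization header given"
    NO_SCHEME = "single token with no scheme prefix"
    WRONG_SCHEME = "scheme does not match the expected one"
    EMPTY_CREDENTIALS = "scheme given but credentials are empty"


def parse_authorization(header_value, expected_scheme="Bearer"):
    """Return (credentials, None) on success, (None, AuthFailure) otherwise.

    Malformed input never raises, so a bad header ends in a 401 path rather
    than an unhandled ValueError and a 500.
    """
    if header_value is None or not header_value.strip():
        return None, AuthFailure.MISSING_HEADER
    parts = header_value.split(None, 1)  # same split as in the traceback
    scheme = parts[0]
    if len(parts) == 1:
        # One token only: either a bare scheme or a token sent without one.
        if scheme.lower() == expected_scheme.lower():
            return None, AuthFailure.EMPTY_CREDENTIALS
        return None, AuthFailure.NO_SCHEME
    if scheme.lower() != expected_scheme.lower():
        return None, AuthFailure.WRONG_SCHEME
    return parts[1].strip(), None


def diagnose(header_value, expected_scheme="Bearer"):
    """Build a server-side log line that names the cause without the secret."""
    credentials, failure = parse_authorization(header_value, expected_scheme)
    if failure is None:
        # Log only the length: the credential itself stays out of the logs.
        return "auth header ok: scheme=%s credential_length=%d" % (
            expected_scheme, len(credentials))
    return "auth header rejected: %s" % failure.value


# Constructed sample headers, one per outcome.
SAMPLES = [None, "abc123token", "Basic dXNlcjpwdw==", "Bearer",
           "Bearer abc123token"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", diagnose(sample))
```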

decorator encapsulation

I have the auth working successfully, but want to apply to several different views.py.

Can I wrap the following in a class like:

from flask_httpauth import HTTPBasicAuth
def api_authenticate():

    @auth.get_password
    def get_password(username):
        if username == app_.config['USER']:
            return app_.config['PASSWORD']
        return None

    @auth.error_handler
    def unauthorized():
        return make_response(jsonify({'error': 'Unauthorized access'}), 401)

and then call

@api_authenticate 
def my_authenticated_view():
    return jsonify({"success": True})

as a decorator on a method in a view?

Issues on hashed passwords

Hi I'm having an issue passing in an already hashed password, it seems to stop at the login required decorator. All I'm trying to do is :

@app.route('/api/v2/token')
@auth2.login_required
def get_auth2_token():
    token = generate_auth_token(g.userV2.id, 600 * 10)
    return jsonify(
        {
            'token': token.decode('ascii'),
            'duration': 600 * 10
        })

while sending this request:

r = requests.get(
        url + '/api/v2/token',
        auth=(user.email, str(user.password)))

where user.password is an already hashed password. Before I was passing in a SHA1 hashed password and it works with no issues, then I tried upgrading the hashing to a BCrypt hash, it seems to always stop/timeout and not even enter the method itself. Is there something I am missing here?

The @auth.login_required() must be always after @route

Please, warn that in the documentation, please. I got crazy with that ;-)

@app.route("/api/user/", methods=['GET'])
@auth.login_required
def get_users():
    bla....

will return good response. But

@auth.login_required
@app.route("/api/user/", methods=['GET'])
def get_users():
    bla....

has no effect.

Best way of manually triggering auth.login_required

Hi,

Thanks for this library!

I have a route that users call in order to get objects (/api/get_object). The issue is that some objects are public while others are private. Therefore, I want to return forbidden if the user is not logged in and asks for a private object. Only logged in users can get private objects (in reality only the owner of the object can get it, but I omitted this to keep the example as simple as possible). What is the best way of doing this?

I was thinking of two options:

1- Make a public and a private route: /api/get_object and /api/get_object_private.
When the user requests a private object, the request is redirected to /api/get_object_private, which has the @auth.login_required decorator. This is not a very elegant solution because I have to duplicate all the routes where this kind of stuff happens.

2- To have only one route, and in case the requested object is private, to check if "g.user" is defined and return forbidden if it is not (although I am not sure about the security of this option or how to check if g.user is defined)

But I was thinking that maybe there is just a way of calling auth.login_required within the function of the route. Is there?

Thank you!

HTTPDigestAuth raise TypeError when get_password() returns None.

If we implement @auth.get_password as described in the doc:

@auth.get_password
def get_pw(username):
    if username in users:
        return users[username]
    return None

When the user logs in with an invalid user name, the script will raise an error:

  File ".../env/lib/python3.3/site-packages/flask_httpauth.py", line 52, in decorated
    if not self.authenticate(auth, password):
  File ".../env/lib/python3.3/site-packages/flask_httpauth.py", line 108, in authenticate
    a1 = auth.username + ":" + auth.realm + ":" + password
TypeError: Can't convert 'NoneType' object to str implicitly

(BTW the test suite does not catch this because it simply makes every invalid user's password being 'other'. This is totally wrong, and should return some non-string to indicate unconditional rejection.)
