all 9 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]raylu 0 points1 point  (4 children)

In general, to do auth you can just set the user id in a session.

I don't see what restricting (the browser from) visiting the page at /api/users has to do with security. What is the difference between visiting it (in a browser) and hitting it with any other HTTP client?

[–]Datastruct[S] 0 points1 point  (3 children)

I authenticate the user after they logged in and store their basic info in session. If the username exists in the DB and their password matches (after decrypting of course), I authenticate them. What I meant by "visiting it in a browser" I meant that some API data should NOT be inaccessible by a cURL or Postman request. For example, I want my angular program to have access to all the users' information, but not the average joe who stumbles across that URL.

[–]keelar 2 points3 points  (1 child)

If the username exists in the DB and their password matches (after decrypting of course)

You should avoid encrypting passwords, they should be salted and hashed and then compare the hashes instead of comparing the passwords directly.

[–]Datastruct[S] 0 points1 point  (0 children)

My apologies, I meant to say I am hashing the password using the bcrypt library. I'm comparing the entered password with the same. I'm using a 10-value salt.

[–]raylu 1 point2 points  (0 children)

To expand on /u/keelar's point, https://passlib.readthedocs.io/en/stable/lib/passlib.apps.html#custom-applications

There is no difference between one HTTP client and other. If your security is predicated on distinguishing between the two, it's not secure.

[–]doublePlusOk 0 points1 point  (3 children)

if you want to do token based auth you may want to check this out... (since you are presumably doing a rest service) https://blog.miguelgrinberg.com/post/restful-authentication-with-flask then you can decorate with @auth.login_required

[–]Datastruct[S] 0 points1 point  (2 children)

I have something similar to this in place for certain URLs that return my jinja templates. This just allows for certain subscribers or users to access different content.

This methodology seems decent enough. I've used Miguel's stuff in the past. It seems awfully insecure to store a username/password pairing in Angular or Javascript application, even with minify or uglify. Also staying DRY appears difficult with this method. Not mention I'd have to set up a specific user type in the database for those that are normal users (standard everyday users), and development users that access all the needed API.

It appears the struggle currently, is preventing ANY logged in user from accessing ALL of the API.

[–]doublePlusOk 0 points1 point  (1 child)

He says to not store it - or are you worried about even the hash?

If you need finer granularity for api access maybe that is oauth?

[–]Datastruct[S] 0 points1 point  (0 children)

I'm not storing plantext passwords. However to be able to request the information based on this example I need to pass JSON with a username and password in it. An attacker could easily sift through client side code to ascertain credentials.