We will see an example of how to secure a REST API using Python Flask by adding HTTP Basic Authentication. Most web services that require authentication accept HTTP Basic Authentication; it is the simplest scheme, and the Python Requests library supports it straight out of the box.
Plain HTTP Basic Authentication on its own is not recommended, because it is vulnerable to security threats.
Python 3.7.4, Flask 1.1.1, Flask-HTTPAuth 3.3.0
Setting Up Environment
Make sure you have the required environment set up by installing Python, Flask (pip install flask) and Flask-HTTPAuth (pip install Flask-HTTPAuth).
Creating REST API
Create the REST API using the Flask framework in the file rest.py.
from flask import Flask
from flask import jsonify
from flask_httpauth import HTTPBasicAuth

app = Flask(__name__)
# HTTPBasicAuth instance that will guard the protected end-point
auth = HTTPBasicAuth()


@app.route('/rest-auth')
@auth.login_required  # only requests with valid credentials reach this view
def get_response():
    return jsonify('You are authorized to see this message')


if __name__ == "__main__":
    app.run()
In the above file we imported the required modules. Notice that we have imported HTTPBasicAuth for authenticating the REST API.
We are creating a new instance of HTTPBasicAuth and storing it in auth.
We are using the decorator @auth.login_required to ensure only logged-in users can access the REST resource.
We are applying HTTP Basic Authentication to the HTTP GET request on the end-point /rest-auth.
Running the Application
Just execute the above file from the command line tool using the command python rest.py.
Your server will be started on host localhost and port 5000.
Accessing the REST API
Now if you try to access the REST API (http://localhost:5000/rest-auth), let's say using the Postman tool, you will get an Unauthorized response.
We will next see how to handle the user authentication part.
Handling User Authentication
Generally user information is stored in persistent storage, but for simplicity we will check the credentials against hard-coded values.
Remember that it is never recommended to compare a password against plain text; always apply a strong password hashing mechanism for security purposes. It is also recommended to store the password hashes in a database or some other persistent storage.
Flask-HTTPAuth will handle authentication for us. We just need to let Flask know how to authenticate the user with his or her username and password.
The @auth.verify_password decorator is used to register a function that takes the username and password as parameters and verifies whether they are correct; based on its return value, Flask-HTTPAuth handles the user's authentication.
We will add another method with the @auth.verify_password decorator as shown in the code snippet below. This function is written into the same file, rest.py.
@auth.verify_password
def authenticate(username, password):
    # Compare the supplied credentials against hard-coded demo values.
    # Flask-HTTPAuth 3.x treats a True return value as a successful login.
    if username and password:
        return username == 'roy' and password == 'roy'
    return False
In the above function we check the username and password against the hard-coded values and return True or False accordingly to verify a user.
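To show what the tutorial's hard-coded check leaves out, here is an added example (not part of the original post or of Flask-HTTPAuth) that parses the Authorization header Basic Auth actually sends and verifies the password against a salted PBKDF2 hash in constant time; the functions basic_header, parse_basic_auth, verify_password and authorize, and the in-memory USERS store, are my own constructions, and verify_password is written so its body could be used inside an @auth.verify_password callback.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor for this demo


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Hash a password with a fresh random salt; returns (salt, digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed in-memory user store (username -> (salt, digest)) using the
# tutorial's demo credentials; a real service would load this from a database.
USERS = {"roy": make_record("roy")}


def basic_header(username: str, password: str) -> str:
    """Build the header value a client sends: 'Basic ' + base64('user:pass')."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an Authorization header, or None if the
    header is absent, uses another scheme, or is not valid base64 'user:pass'."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")  # password may contain ':'
    return username, password


def verify_password(username: str, password: str) -> bool:
    """Recompute the hash and compare in constant time; an unknown user still
    pays the same PBKDF2 cost so timing does not reveal which usernames exist."""
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return username in USERS and hmac.compare_digest(candidate, stored)


def authorize(header: Optional[str]) -> bool:
    """Full check for one request: parse the header, then verify the password."""
    creds = parse_basic_auth(header)
    return creds is not None and verify_password(*creds)
```

Because the header is only base64-encoded, not encrypted, anything authorize accepts must have travelled over HTTPS to keep the credentials private.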
Testing the Application
Now we have added the required code for verifying the user credentials, so we will test our application again.
Make sure to pass the username and password while you are accessing the REST API, as shown in the image below:
Now you are able to access the REST API.
Thanks for reading.