restful安全认证
Flask-HTTPAuth是一个简单的扩展,它简化了使用Flask路由的HTTP身份验证的使用
pip install Flask-HTTPAuth
认证方式有 Basic 、Digest、token
1.Basic认证
使用HTTP基本身份验证来保护路由
from flask import Flask,jsonify 
from flask_httpauth import HTTPBasicAuth 
from werkzeug.security import generate_password_hash, check_password_hash 
 
app = Flask(__name__) 
auth = HTTPBasicAuth() 
users = { "aaa": generate_password_hash("123"), "bbb": generate_password_hash("456") } @auth.verify_password def verify_password(username, password): if username in users and / check_password_hash(users.get(username), password): return username @app.route('/') @auth.login_required def index(): return "Hello, %s!" % auth.current_user() if __name__ == "__main__": app.run(debug=True)
测试
$ curl  -i http://localhost:5000 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current 
                                 Dload  Upload   Total   Spent    Left  Speed 
100    19  100    19    0     0     81      0 --:--:-- --:--:-- --:--:--    81HTTP/1.0 401 UNAUTHORIZED 
Content-Type: text/html; charset=utf-8 
Content-Length: 19 
WWW-Authenticate: Basic realm="Authentication Required" 
Server: Werkzeug/1.0.1 Python/3.6.0 Date: Mon, 23 Nov 2020 15:24:26 GMT Unauthorized Access
使用curl时添加 -u (或 – user )
$ curl -u aaa:123 -i http://localhost:5000 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current 
                                 Dload  Upload   Total   Spent    Left  Speed 
100    11  100    11    0     0     15      0 --:--:-- --:--:-- --:--:--    15HTTP/1.0 200 OK 
Content-Type: text/html; charset=utf-8 
Content-Length: 11 
Server: Werkzeug/1.0.1 Python/3.6.0 
Date: Mon, 23 Nov 2020 15:24:44 GMT Hello, aaa!
将验证添加到获取资源上
from flask import Flask,jsonify 
from flask_httpauth import HTTPBasicAuth 
from werkzeug.security import generate_password_hash, check_password_hash 
 
app = Flask(__name__) 
auth = HTTPBasicAuth() 
users = { "aaa": generate_password_hash("123"), "bbb": generate_password_hash("456") } @auth.verify_password def verify_password(username, password): if username in users and / check_password_hash(users.get(username), password): return username @app.route('/') @auth.login_required def index(): return "Hello, %s!" % auth.current_user() tasks = [ { 'id': 1, 'title': u'Buy groceries', 'description': u'Milk, Cheese, Pizza, Fruit, Tylenol', 'done': False }, { 'id': 2, 'title': u'Learn Python', 'description': u'Need to find a good Python tutorial on the web', 'done': False } ] @app.route("/tasks", methods=['GET']) @auth.login_required def get_tasks(): return jsonify({'tasks': tasks}) if __name__ == "__main__": app.run(debug=True)
测试
$ curl -i http://localhost:5000/tasks 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current 
                                 Dload  Upload   Total   Spent    Left  Speed 
100    19  100    19    0     0     80      0 --:--:-- --:--:-- --:--:--    80HTTP/1.0 401 UNAUTHORIZED 
Content-Type: text/html; charset=utf-8 
Content-Length: 19 
WWW-Authenticate: Basic realm="Authentication Required" 
Server: Werkzeug/1.0.1 Python/3.6.0 Date: Mon, 23 Nov 2020 15:33:14 GMT Unauthorized Access [email protected] MINGW64 /d/Python/dxfWrite $ curl -u aaa:123 -i http://localhost:5000/tasks % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 317 100 317 0 0 751 0 --:--:-- --:--:-- --:--:-- 751HTTP/1.0 200 OK Content-Type: application/json Content-Length: 317 Server: Werkzeug/1.0.1 Python/3.6.0 Date: Mon, 23 Nov 2020 15:33:19 GMT { "tasks": [ { "description": "Milk, Cheese, Pizza, Fruit, Tylenol", "done": false, "id": 1, "title": "Buy groceries" }, { "description": "Need to find a good Python tutorial on the web", "done": false, "id": 2, "title": "Learn Python" } ] }
2.Digest
使用HTTP摘要式身份验证
from flask import Flask,jsonify 
from flask_httpauth import HTTPDigestAuth 
 
app = Flask(__name__) 
app.config['SECRET_KEY'] = 'key123456' 
auth = HTTPDigestAuth() 
users = { "aaa": "123", "bbb": "456" } @auth.get_password def get_pw(username): if username in users: return users.get(username) return None @app.route('/') @auth.login_required def index(): return "Hello, %s!" % auth.username() tasks = [ { 'id': 1, 'title': u'Buy groceries', 'description': u'Milk, Cheese, Pizza, Fruit, Tylenol', 'done': False }, { 'id': 2, 'title': u'Learn Python', 'description': u'Need to find a good Python tutorial on the web', 'done': False } ] @app.route("/tasks", methods=['GET']) @auth.login_required def get_tasks(): return jsonify({'tasks': tasks}) if __name__ == "__main__": app.run(debug=True)
测试

说明:
a.客户端访问一个受http摘要认证保护的资源
b.服务器返回401状态以及nonce等信息,要求客户端进行认证
c.客户端将以用户名,密码,nonce值,HTTP方法, 和被请求的URI为校验值基础而加密(默认为MD5算法)的摘要信息返回给服务器
d.如果认证成功,则返回相应的资源。如果认证失败,则仍返回401状态,要求重新进行认证
3.token
from flask import Flask, g,jsonify from flask_httpauth import HTTPTokenAuth app = Flask(__name__) auth = HTTPTokenAuth(scheme='Bearer') tokens = { "token1": "aaa", "token2": "bbb" } @auth.verify_token def verify_token(token): if token in tokens: return tokens[token] @app.route('/') @auth.login_required def index(): return "Hello, {}!".format(auth.current_user()) tasks = [ { 'id': 1, 'title': u'Buy groceries', 'description': u'Milk, Cheese, Pizza, Fruit, Tylenol', 'done': False }, { 'id': 2, 'title': u'Learn Python', 'description': u'Need to find a good Python tutorial on the web', 'done': False } ] @app.route("/tasks", methods=['GET']) @auth.login_required def get_tasks(): return jsonify({'tasks': tasks}) if __name__ == '__main__': app.run(debug=True)
测试


原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/tech/pnotes/20456.html
