Introduction
We will see an example of how to secure a REST API using Python Flask by implementing HTTP Basic Authentication. Most web services that require authentication accept HTTP Basic Authentication. It is the simplest scheme, and HTTP client libraries such as Requests support it straight out of the box.
HTTP Basic Authentication is not recommended on its own: the username and password travel base64-encoded (not encrypted) in every request, so it only offers real protection when the API is served over HTTPS.
Prerequisites
Python 3.7.4, Flask 1.1.1, Flask-HTTPAuth 3.3.0
Setting Up Environment
Make sure you have the required environment set up by installing Python, Flask (pip install flask) and Flask-HTTPAuth (pip install Flask-HTTPAuth).
Creating REST API
Create the REST API using the Flask framework in the file rest.py.
from flask import Flask
from flask import jsonify
from flask_httpauth import HTTPBasicAuth

app = Flask(__name__)
auth = HTTPBasicAuth()


@app.route('/rest-auth')
@auth.login_required  # only requests carrying valid credentials reach this view
def get_response():
    return jsonify('You are authorized to see this message')


if __name__ == "__main__":
    app.run()
In the above file we imported the required modules. Notice we have imported HTTPBasicAuth for authenticating the REST API.
We create a new instance, auth, of HTTPBasicAuth.
We use the decorator @auth.login_required to ensure that only authenticated users can access the REST resource.
We apply HTTP Basic Authentication to the HTTP GET request on the endpoint /rest-auth.
Running the Application
Just execute the above file from the command line using the command python rest.py.
Your server will be started on host localhost and port 5000.
Accessing the REST API
Now if you try to access the REST API (http://localhost:5000/rest-auth), say using the Postman tool, you will get an Unauthorized (HTTP 401) response, because no user verification function has been registered yet.
We will next see how to handle user authentication part.
Handling User Authentication
Generally user information is stored in persistent storage, but for simplicity we will check the credentials against hard-coded values.
Remember that it is never recommended to compare passwords as plain text: always store and verify them with a strong, salted password hash (for example werkzeug.security's generate_password_hash / check_password_hash). It is also recommended to store the user records in a database or some other persistent storage.
Flask-HTTPAuth will handle authentication for us. We just need to let Flask know how to authenticate the user with his or her username and password.
The @auth.verify_password decorator registers a function that takes the username and password as parameters and verifies whether they are correct; based on its return value, Flask-HTTPAuth handles the user's authentication.
We will add another method, authenticate(), with the @auth.verify_password decorator as shown in the code snippet below. This function is written into the same file, rest.py.
@auth.verify_password
def authenticate(username, password):
    # Both fields must be present; credentials are checked against hard-coded values
    if username and password:
        if username == 'roy' and password == 'roy':
            return True
        else:
            return False
    return False
In the above function we check the username and password against the hard-coded values and return True or False accordingly to verify a user.
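The following is an added example, not code from the original post or from Flask-HTTPAuth. It rebuilds, with the Python standard library only, what happens between the client's Authorization header and the @auth.verify_password function above: the Basic header is parsed, and the hard-coded plain-text comparison is replaced by the salted password hash recommended in this section. The user name and password (roy / roy), the PBKDF2 parameters and the helper names (hash_password, check_password, parse_basic_auth, handle_request, basic_auth_header) are all assumptions made for this example; it also shows the header a client such as Postman sends when testing the API.

```python
# Added example (not from the original post): the Basic Auth verification
# Flask-HTTPAuth performs around @auth.verify_password, rebuilt with the
# standard library so it runs without Flask. Users, passwords and the PBKDF2
# work factor below are constructed for this example.
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumption: work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(stored: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:  # malformed record or bad hex: treat as a failed check
        return False


# Constructed user store: only salted hashes are kept, never the plain text.
USERS = {"roy": hash_password("roy")}
# Hash checked for unknown users so valid and unknown names take similar time.
DUMMY_HASH = hash_password("dummy")


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:pass)>' into (user, pass)."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        return None
    return username, password


def authenticate(username: str, password: str) -> bool:
    """The equivalent of the page's verify_password function, with hashing."""
    stored = USERS.get(username)
    if stored is None:
        check_password(DUMMY_HASH, password)
        return False
    return check_password(stored, password)


def handle_request(authorization: Optional[str]) -> Tuple[int, dict, str]:
    """Return (status, headers, body) for a request to the protected endpoint."""
    creds = parse_basic_auth(authorization)
    if creds is None or not authenticate(*creds):
        # A 401 with WWW-Authenticate is what the client sees as "Unauthorized"
        return 401, {"WWW-Authenticate": 'Basic realm="Authentication Required"'}, "Unauthorized Access"
    return 200, {}, "You are authorized to see this message"


def basic_auth_header(username: str, password: str) -> str:
    """Build the header value a client such as Postman sends for Basic Auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    print(handle_request(None)[0])                              # 401
    print(handle_request(basic_auth_header("roy", "roy"))[0])   # 200
    print(handle_request(basic_auth_header("roy", "wrong"))[0]) # 401
```

Two details carry the security point: the comparison uses hmac.compare_digest rather than ==, and an unknown user name still costs one hash computation, so response timing does not reveal which user names exist. Note also that basic_auth_header shows how little the scheme hides: anyone who can read the request can base64-decode the credentials, which is why the introduction insists on HTTPS.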
Testing the Application
Now we have added the code required for verifying the user credentials, so we will test our application again.
Make sure to pass the username and password while you access the REST API: in Postman, select Basic Auth under the Authorization tab and enter the username roy and password roy. Postman then sends them in the Authorization: Basic header of the request. (The original post illustrated this with a screenshot.)
Now you are able to access the REST API.
Thanks for reading.
Thanks for the straightforward explanation.