验证基本身份验证与URL [Flask]

时间:2018-05-31 15:08:11

标签: python-3.x flask-sqlalchemy flask-restful flask-httpauth

基本上,当我需要用户进行身份验证时,我正在混合使用url和Basic Auth中的用户名。

我的完整代码是:

from flask import Flask, request, send_from_directory, g
from flask_restful import Resource, Api
from flask_httpauth import HTTPBasicAuth
from sqlalchemy import create_engine, Column, Integer, String, Boolean
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import sessionmaker
from passlib.apps import custom_app_context as pwd_context
import pathlib
import shutil
import os

SUCCESS = 200
UNAUTHORIZED = 401
BAD_REQUEST = 402
INTERNAL_ERROR = 500
INVALID_MEDIA = 415

db_engine = create_engine('mysql://root:mypasswordisembarrassing@localhost/store', echo=True)
Base = declarative_base()


class User(Base):
    __tablename__ = 'users'

    id = Column(Integer, primary_key=True)
    username = Column(String(16), index=True, unique=True, nullable=False)
    password_hash = Column(String(128), nullable=False)
    avatar = Column(Boolean, default=False, nullable=False)

    def hash_password(self, password):
        self.password_hash = pwd_context.encrypt(password)

    def verify_password(self, password):
        return pwd_context.verify(password, self.password_hash)

    def __repr__(self):
        return "<User(username='%s', password='%s', avatar path='%s')>" % (
                            self.username, self.password_hash, self.avatar)

Base.metadata.create_all(db_engine)

Session = sessionmaker(bind=db_engine)
session = Session()

app = Flask(__name__)
app.secret_key = 'the quick brown fox jumps over the lazy dog'
api = Api(app) #blueprint?
auth = HTTPBasicAuth()


@auth.verify_password
def verify_password(username, password):
    u = session.query(User).filter_by(username=username).first()
    if not u or not u.verify_password(password):
        return False
    g.user = u
    return True


class Avatar(Resource):
    def get(self, name):
        u = session.query(User).filter_by(username=name).first()
        assert u.avatar is not None
        if u.avatar:
            send_from_directory('static/u/%s/avatar.png', name) #Aparently Flask should not do this? Apache...
        else:
            send_from_directory('static/defaults/u/avatar.png')
        return "Success", SUCCESS

    @auth.login_required
    def post(self, name):
        u = g.user
        if 'avatar' not in request.files:
            return "No file recieved", BAD_REQUEST
        file = request.files['avatar']
        if file.content_type != 'image/png':
            return "Avatar must be a png", INVALID_MEDIA
        assert pathlib.Path("static").exists()
        pathlib.Path("static/u/%s" % u.username).mkdir(parents=True, exist_ok=True)
        file.save('static/u/%s/avatar.png' % u.username)
        u.avatar = True
        session.commit()
        return "Success", SUCCESS


class Player(Resource):
    def post(self, name):
        password = request.json.get('password')
        if not valid_password(password):
            return "Password needs to be longer than 5 characters", BAD_REQUEST
        u = User(username=name)
        u.hash_password(password)
        session.add(u)
        session.commit()
        return "Success", SUCCESS

    @auth.login_required
    def delete(self, name):
        doomed_user = g.user
        shutil.rmtree('static/u/%s' % doomed_user.username)
        session.delete(doomed_user)
        session.commit()
        return "Success", SUCCESS


def valid_password(password):
    return len(password) >= 6

api.add_resource(Avatar, '/u/<string:name>/avatar.png')
api.add_resource(Player, '/u/<string:name>')

if __name__ == '__main__':
    app.run()

我担心这部分:

class Avatar(Resource):
    def get(self, name):
        u = session.query(User).filter_by(username=name).first()
        assert u.avatar is not None
        if u.avatar:
            send_from_directory('static/u/%s/avatar.png', name) #Aparently Flask should not do this? Apache...
        else:
            send_from_directory('static/defaults/u/avatar.png')
        return "Success", SUCCESS

    @auth.login_required
    def post(self, name):
        u = g.user
        if 'avatar' not in request.files:
            return "No file recieved", BAD_REQUEST
        file = request.files['avatar']
        if file.content_type != 'image/png':
            return "Avatar must be a png", INVALID_MEDIA
        assert pathlib.Path("static").exists()
        pathlib.Path("static/u/%s" % u.username).mkdir(parents=True, exist_ok=True)
        file.save('static/u/%s/avatar.png' % u.username)
        u.avatar = True
        session.commit()
        return "Success", SUCCESS

我想在进行授权时使用变量名称,但如果有人向其他人发送请求并使用他们的凭据,则可能会更改其他用户数据,所以现在我只是使用了这些职能中的授权用户名。

例如:url / u / John -uBill:密码应标记为无效

有没有任何巧妙的方法我可以让@login_required装饰器检查网址是否也有效?我宁愿不在每条受保护路线的开头做if name != u.username: ...

1 个答案:

答案 0 :(得分:1)

您有两种选择。

如果您需要为每条路线执行此操作,则可以将用户名检查添加到verify_password回调函数中:

@auth.verify_password
def verify_password(username, password):
    if username != request.view_args.get('name'):
        return False
    u = session.query(User).filter_by(username=username).first()
    if not u or not u.verify_password(password):
        return False
    g.user = u
    return True

如果您需要将此检查添加到路线的子集中,那么您可以在单独的装饰器中执行此操作,如下所示:

from flask import request, abort
from functools import wraps

def check_username(f):
    @wraps(f)
    def wrapped(*args, **kwargs):
        if auth.username != request.view_args['name']:
            abort(401)
        return f(*args, **kwargs)

然后你可以将装饰器添加到任何需要它的路线:

class Avatar(Resource):
    # ...

    @auth.login_required
    @check_username
    def post(self, name):
        # ...