
Remote API Usage

Open jefe78 opened this issue 8 years ago • 2 comments

The documentation doesn't talk about how to use the SM API remotely. When calling the API from a remote host, the Python module for SM requires the 'SECURITY_MONKEY_SETTINGS' variable to be set. It might be worth updating the docs to reflect this setup.

jefe78 avatar Mar 10 '17 21:03 jefe78

Good news: You would end up using the same REST API the Angular app is using.

Bad news: Flask-Security-Fork has an (odd) method for API access; it requires disabling CSRF protection.

http://mandarvaze.github.io/2015/01/token-auth-with-flask-security.html

^ Note the section on disabling CSRF:

```python
# Without this get_auth_token via POST request w/ JSON data does not work
# You keep getting "CSRF token missing" error
WTF_CSRF_ENABLED = False
```

So, if there's a way to disable CSRF JUST on the endpoint required to get the authorization_token, that would be the ideal scenario. We would likely need to sprinkle auth_token_required decorators on the REST endpoints and make sure the auth-Z still works as expected.

It would also be nice if you could generate the tokens in the Users table under settings.

If this is simpler than I'm making it out to be, please let me know. I've had a number of requests to use the API from other apps, and I hate having them send session cookies. It's dirty.

scriptsrc avatar Mar 17 '17 05:03 scriptsrc

If it's using Flask-WTF under the hood it seems like this could probably be done by exempting the auth token view from CSRF.

http://flask-wtf.readthedocs.io/en/stable/csrf.html#exclude-views-from-protection

```python
from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
csrf = CSRFProtect(app)  # CSRF stays enforced on every view that is not exempted
@app.route('/foo', methods=('GET', 'POST'))
@csrf.exempt
def my_handler():
    # ...
    return 'ok'
```

frohoff avatar Jun 12 '18 22:06 frohoff
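Added example, not code from the security_monkey project or from anyone in this thread: a stdlib-only Python sketch of the scheme the two comments above describe, with CSRF exemption limited to the single token-issuing endpoint, a signed expiring token handed out there, and REST views that accept that token in place of a session cookie. The dict-based `handle` dispatcher, the `ROUTES` table, the `USERS` table, the `/login` path and the `Authentication-Token` header name are all assumptions standing in for Flask-Security-Fork and Flask-WTF; the real project would wire the same policy through `@csrf.exempt` on the token view and `auth_token_required` on the REST views.

```python
"""Token auth with CSRF exempted only on the token endpoint (added example).

Everything here is constructed for illustration: the secret, the user
table, the route table and the header name are stand-ins, not the
security_monkey or Flask-Security configuration.
"""
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-example-secret-do-not-reuse"  # assumption
PBKDF2_SALT = b"constructed-salt"

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PBKDF2_SALT, 100_000)

# Constructed user table: username -> password hash.
USERS = {"reporter": _hash_password("correct horse")}

def _sign(data: bytes) -> str:
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()

def issue_token(user: str, now: int, ttl: int = 3600) -> str:
    """Signed, expiring bearer token (stand-in for Flask-Security's get_auth_token)."""
    claims = json.dumps({"u": user, "exp": now + ttl}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return f"{body}.{_sign(body.encode())}"

def verify_token(token: str, now: int):
    """Return the username for a valid, unexpired token, else None."""
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body.encode())):
        return None  # malformed or tampered
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["u"] if claims["exp"] > now else None

# --- views ---------------------------------------------------------------
def login(req, user):
    """The one CSRF-exempt view: takes JSON credentials, returns a token."""
    creds = req["json"]
    expected = USERS.get(creds.get("username"))
    got = _hash_password(creds.get("password", ""))
    if expected is None or not hmac.compare_digest(expected, got):
        return 401, {"error": "bad credentials"}
    return 200, {"authentication_token": issue_token(creds["username"], req["now"])}

def list_items(req, user):
    return 200, {"user": user, "items": ["s3:bucket-a", "iam:role-b"]}  # constructed

def justify_item(req, user):
    return 200, {"justified_by": user, "item": req["json"]["item"]}

# path -> (handler, csrf_exempt, auth_required). Only /login is exempt from
# CSRF, the analogue of putting @csrf.exempt on just the token view while
# the REST views carry auth_token_required.
ROUTES = {
    "/login": (login, True, False),
    "/api/items": (list_items, False, True),
    "/api/justify": (justify_item, False, True),
}

def handle(req):
    """Dispatch one request dict: path, method, now, and optional headers/json/session."""
    handler, csrf_exempt, auth_required = ROUTES[req["path"]]
    headers = req.get("headers", {})
    token = headers.get("Authentication-Token")  # header name is an assumption
    if token is not None:
        # A token client sends no cookie session, so a forged cross-site
        # request cannot ride on ambient credentials; CSRF does not apply,
        # but a bad or expired token is rejected outright.
        user = verify_token(token, req["now"])
        if user is None:
            return 401, {"error": "invalid or expired token"}
    else:
        session = req.get("session", {})
        user = session.get("user")
        # Cookie-session clients still need the CSRF token on state-changing
        # requests, except on the single exempted token endpoint.
        if req["method"] != "GET" and not csrf_exempt \
                and headers.get("X-CSRF-Token") != session.get("csrf"):
            return 400, {"error": "CSRF token missing"}
    if auth_required and user is None:
        return 401, {"error": "authentication required"}
    return handler(req, user)
```

The point of the split is that only `/login` ever needs to accept a bare JSON POST without a CSRF token, and it issues nothing that can be replayed from a browser's cookie jar; every other view either sees a signed token (no cookie involved) or a cookie session that still has to pass the CSRF check.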