security_monkey
Token based authentication
Security Monkey should have some way to access its API programmatically. The simplest way to do this would allow a user to create an API token that could be passed on each request.
Optional extras:
- Allow that token to be revoked
- Link API token to a user such that disabling a user would disable their associated tokens
Flask-Security claims to have built-in token authentication:
https://pythonhosted.org/Flask-Security/features.html
However, after reading into it more, it seems to be sub-par:
http://mandarvaze.github.io/2015/01/token-auth-with-flask-security.html
- It requires you to disable CSRF protection. It may be possible to limit this to /login, but still.
- Views must then be decorated with `@auth_token_required`, which seems to break existing access. There may be a way to extend `AuthenticatedResource` to allow auth_token wherever a session is allowed.
It seems the vanilla Flask-Security solution won't work. I think a better system would be to have a UI where each user can create/disable/delete an API key and save that in the User field. Then, extend `AuthenticatedResource` to check for an `authentication_token` header. Admin users would be able to disable/delete any users' tokens.
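The following is an added example, not code from the Security Monkey project or from this issue, sketching the proposal above: a per-user token store with create/disable/delete, tokens that die with a disabled user, an admin override, and a request-side check that accepts either an existing session or the token header. The class and method names, the in-memory store, and the header name `Authentication-Token` (chosen because proxies such as nginx drop headers containing underscores by default) are all assumptions. Only a SHA-256 hash of each token is stored, the token id is carried in the plaintext so lookup needs no scan, and the hash comparison is constant-time.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed header name; the issue text says "authentication_token".
TOKEN_HEADER = "Authentication-Token"


@dataclass
class User:
    user_id: int
    active: bool = True
    is_admin: bool = False


@dataclass
class ApiToken:
    token_id: int
    user_id: int
    token_hash: bytes   # sha256 of the secret; the secret itself is never stored
    enabled: bool = True


class TokenStore:
    """In-memory stand-in for tokens saved on the User record (assumption)."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.tokens: Dict[int, ApiToken] = {}
        self._next_id = 1

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def add_user(self, user: User) -> None:
        self.users[user.user_id] = user

    def create_token(self, user_id: int) -> str:
        """Mint a token for a user; the plaintext is returned once and only its hash kept."""
        secret = secrets.token_urlsafe(32)
        token = ApiToken(self._next_id, user_id, self._hash(secret))
        self.tokens[token.token_id] = token
        self._next_id += 1
        # "<id>.<secret>": the id makes lookup O(1), the secret is what gets hashed
        return f"{token.token_id}.{secret}"

    def _may_manage(self, acting: User, token: ApiToken) -> bool:
        # Owners manage their own tokens; admins manage anyone's.
        return acting.is_admin or acting.user_id == token.user_id

    def disable_token(self, acting: User, token_id: int) -> bool:
        token = self.tokens.get(token_id)
        if token is None or not self._may_manage(acting, token):
            return False
        token.enabled = False
        return True

    def delete_token(self, acting: User, token_id: int) -> bool:
        token = self.tokens.get(token_id)
        if token is None or not self._may_manage(acting, token):
            return False
        del self.tokens[token_id]
        return True

    def disable_user(self, user_id: int) -> None:
        # Tokens are checked against the user's state at request time,
        # so disabling the user disables every token linked to them.
        self.users[user_id].active = False

    def user_for_token(self, presented: str) -> Optional[User]:
        """Resolve a presented token to an active user, or None on any failure."""
        token_id_str, sep, secret = presented.partition(".")
        if not sep or not token_id_str.isdigit() or not secret:
            return None
        token = self.tokens.get(int(token_id_str))
        if token is None:
            return None
        # Constant-time compare on fixed-length digests, then policy checks.
        if not hmac.compare_digest(token.token_hash, self._hash(secret)):
            return None
        if not token.enabled:
            return None
        user = self.users.get(token.user_id)
        if user is None or not user.active:
            return None
        return user


def resolve_request_user(store: TokenStore, session_user: Optional[User],
                         headers: Dict[str, str]) -> Optional[User]:
    """What an extended AuthenticatedResource would do (assumed shape):
    accept an existing session, otherwise fall back to the token header."""
    if session_user is not None and session_user.active:
        return session_user
    presented = headers.get(TOKEN_HEADER)
    if not presented:
        return None
    return store.user_for_token(presented)
```

Revoking a token is immediate because every request re-reads the stored record; a token that is merely deleted from a client but still enabled server-side remains valid, so the UI should offer disable/delete rather than relying on the client to forget it.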