
Token based authentication

Open · kevgliss opened this issue 9 years ago · 1 comment

Security monkey should have some way to access its API programmatically. The simplest way to do this would allow a user to create an API token. That could be passed on each request.

Optional extras:

- Allow that token to be revoked
- Link API token to a user such that disabling a user would disable their associated tokens

kevgliss · Dec 10 '14 22:12

Flask-Security claims to have built-in token authentication:

https://pythonhosted.org/Flask-Security/features.html

However, after reading into it more, it seems to be sub-par:

http://mandarvaze.github.io/2015/01/token-auth-with-flask-security.html

  1. It requires you to disable CSRF protection. It may be possible to limit this to /login, but still.
  2. Views must then be decorated with @auth_token_required, which seems to break existing access. There may be a way to extend AuthenticatedResource to allow auth_token wherever a session is allowed.

It seems the vanilla Flask-Security solution won't work. I think a better system would be to have a UI where each user can create/disable/delete an API key and save that in the User field. Then, extend AuthenticatedResource to check for an authentication_token header. Admin users would be able to disable/delete any users' tokens.

scriptsrc · Jul 06 '16 16:07
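A sketch of the design scriptsrc describes (per-user tokens checked alongside the session, revocable by the owner or an admin, dead as soon as the user is disabled), as an added example that is not part of Security Monkey's code. `User`, `issue_token`, `revoke_token` and `authenticate` are hypothetical names, and a plain headers dict stands in for the Flask request and for Flask-Login's `current_user`.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    active: bool = True
    admin: bool = False
    # SHA-256 digests of issued tokens; the raw token is shown once and never stored
    token_hashes: set = field(default_factory=set)

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(user: User):
    """Mint a token for user; returns (raw_token, token_id). Only token_id is kept."""
    raw = secrets.token_urlsafe(32)
    token_id = _digest(raw)
    user.token_hashes.add(token_id)
    return raw, token_id

def revoke_token(actor: User, owner: User, token_id: str) -> bool:
    """Owners may revoke their own tokens; admins may revoke anyone's."""
    if actor is not owner and not actor.admin:
        return False
    if token_id not in owner.token_hashes:
        return False
    owner.token_hashes.discard(token_id)
    return True

def authenticate(headers: dict, users: list, session_user=None):
    """Resolve the acting user, or None. session_user stands in for
    Flask-Login's current_user: a valid session still wins, otherwise the
    authentication_token header is checked. Tokens of a disabled user are
    dead without being individually revoked."""
    if session_user is not None and session_user.active:
        return session_user
    raw = headers.get("authentication_token")
    if not raw:
        return None
    wanted = _digest(raw)
    for user in users:
        if not user.active:
            continue
        for stored in user.token_hashes:
            if hmac.compare_digest(stored, wanted):  # constant-time comparison
                return user
    return None
```

Storing only the digest means a database read cannot recover usable tokens, and the `active` check gives the "disable the user, disable their tokens" behaviour without touching each token.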