Authentication token applies to only one identity
I am using this tutorial to add authentication to my app: http://blog.miguelgrinberg.com/post/restful-authentication-with-flask

At the moment I have the following route:

@app.route('/checkin/venue/<int:venue_id>', methods = ['POST'])
@auth.login_required

My verify_password function is very similar to the one in the tutorial, except that I'm referring to my own db.

The problem is that when I create a token it can be used for multiple venue_id values, even if the token was generated using the credentials of one venue.

Is there a way to pass the variable venue_id to the function verify_password(email_or_token, password), so that when I call verify_auth_token I can check that the venue_id encoded in the token actually matches the one used in the call:

@app.route('/checkin/venue/<int:venue_id>', methods = ['POST'])

Thank you for your help.
You don't say it explicitly, but I assume you have the venue_id in the token, right? If not, you must add it. The token can store whatever data you want, so add venue_id in addition to user_id.

So, you need to compare the venue_id given in the URL of your request against the one given in the token. This is easy to do, as you can access the venue id from your URL as request.view_args['venue_id'].

So, assuming you followed the design in my tutorial, you now have a method User.verify_auth_token(token) that decodes the token and validates it. You can add an argument to this method, which is venue_id, and include this validation in the logic of that method.

Then, in your verify_password callback, you can do something like this:

    from flask import g, request

    @auth.verify_password
    def verify_password(token, password):
        # Look up the venue_id from the URL rule and pass it along so the
        # token is only accepted for the venue it was issued for.
        user = User.verify_auth_token(token, request.view_args.get('venue_id', 0))
        if not user:
            return False
        g.user = user
        return True

Note that I chose the default 0 for the case of a request that does not contain a venue_id argument. It's just to avoid a crash. In your verification function you can accept venue_id 0 to mean this request works for all venues, so in that case you skip the check.

Hope this helps!