Authentication token applies to only one identity

I am using this tutorial to include authentication in my app: http://blog.miguelgrinberg.com/post/restful-authentication-with-flask

At the moment I have the following route:

@app.route('/checkin/venue/<int:venue_id>', methods = ['POST'])
@auth.login_required

My verify_password function is very similar to the function mentioned in the tutorial, except that I'm referring to my own db.

The problem is that when I create a token, it can be used for multiple venue_id values, even if the token was generated using the credentials of one venue.

Is there a way to pass the variable venue_id to the function verify_password(email_or_token, password), so that when I call verify_auth_token I can check whether the venue_id encoded in the token actually matches the one in the call:

@app.route('/checkin/venue/<int:venue_id>', methods = ['POST'])

Thank you for your help.

+3


1 answer


You don't say it explicitly, but I assume you have venue_id in the token, right? If not, you must add it. The token can store whatever data you want, so add venue_id in addition to user_id.

So, you need to compare the venue_id given in the URL of your request against the one given in the token. And it's easy to do, as you can access the venue id in your URL as request.view_args['venue_id'].

So, assuming you followed the design in my tutorial, you now have a method User.verify_auth_token(token) that decodes the token and validates it. You can add an argument to this method, venue_id, and include this validation in the logic of that method.

Then, in your verify_password callback you can do something like this:

from flask import g, request

@auth.verify_password
def verify_password(token, password):
    # Bind the token to the venue named in the URL; a route without a
    # venue_id falls back to 0, which verify_auth_token treats as "any venue".
    user = User.verify_auth_token(token, request.view_args.get('venue_id', 0))
    if not user:
        return False
    g.user = user
    return True

Note that I chose the default 0 for the case of a request that does not contain a venue_id argument. It's just to avoid a crash. In your checking function, you can accept venue_id 0, which means the request works for all venues, so in that case you skip the venue check.

Hope this helps!

+1

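As an added example (my code, not the tutorial's and not the asker's), here is a stand-alone version of the venue-bound token check the answer describes. It replaces the tutorial's itsdangerous serializer with an HMAC-signed JSON claims string built from the standard library, so it runs without Flask installed; the SECRET_KEY is a constructed demo value, and authenticate_request stands in for the verify_password callback with a plain dict playing the role of request.view_args. The venue_id-equals-0 convention from the answer is kept: a route that carries no venue skips the venue comparison.

```python
# Added example: a token that names both the user and the venue, and a
# verifier that rejects it for any other venue. Standard library only.
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; in an app this would come from app.config['SECRET_KEY'].
SECRET_KEY = b"constructed-demo-secret-not-for-real-use"


def _b64encode(raw: bytes) -> str:
    """URL-safe base64 without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    """Inverse of _b64encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_auth_token(user_id, venue_id, expires_in=600, now=None):
    """Issue a signed token carrying user id, venue id and an expiry time."""
    now = time.time() if now is None else now
    claims = {"id": user_id, "venue_id": venue_id, "exp": now + expires_in}
    body = _b64encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64encode(sig)


def verify_auth_token(token, venue_id, now=None):
    """Return the user id if the token is intact, unexpired and bound to
    venue_id; return None otherwise. venue_id == 0 means the matched route
    has no venue, so the venue comparison is skipped (the answer's convention)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
        # Check the signature in constant time before trusting any claim.
        if not hmac.compare_digest(expected, _b64decode(sig)):
            return None
        claims = json.loads(_b64decode(body))
        if claims["exp"] < now:
            return None
        if venue_id != 0 and claims["venue_id"] != venue_id:
            return None
        return claims["id"]
    except (ValueError, KeyError, TypeError, AttributeError):
        # Malformed token, bad base64/JSON, or missing claim: treat as invalid.
        return None


def authenticate_request(token, password, view_args, now=None):
    """Stand-in for the HTTPAuth verify_password callback. view_args plays the
    role of flask.request.view_args; the password is ignored for token logins."""
    return verify_auth_token(token, view_args.get("venue_id", 0), now=now)


if __name__ == "__main__":
    tok = generate_auth_token(user_id=7, venue_id=42)
    print(authenticate_request(tok, "", {"venue_id": 42}))  # 7
    print(authenticate_request(tok, "", {"venue_id": 43}))  # None
```

The venue comparison is only as strong as the signature check in front of it: the claims are decoded after hmac.compare_digest succeeds, so a client cannot simply edit venue_id in the body and reuse the old signature.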