I am using client side sessions. The requirement is to redirect from 1 flask server which already have a user session data to another flask app on a different server and use the same client session information to make sure the user has already logged in if not send them back to the 1st server for authentication.
If possible i would like to keep using the client side sessions. If not any information regarding the alternative will be helpful.
Thank you
Normally there is 2 options.
First, client side authentication using token like JWT (Json Web Token), this approach authenticate every request using token included in header and no need additional server.
Second, server side approach with additional session store like Redis for multiple backends.
Related
I have a question about implementing passing data between two apps that I have running.
I have a Flask backend, which receives a user email via a POST request and stores it in a variable. I need to pass this variable into TelegramBotAPI.
What I need to happen is when Flask receives a new user email, it will pass the data into the TelegramBotAPI and trigger a function which will send it in a message to the user.
How do I go about implementing this?
Assuming your architecture separates the TelegramBot from the Flask server, you would treat your flask server as the client for your Telegram Bot which is the server in this scenario.
Armed with this information there are numerous ways to go about this. TelegramBot could provide an http server through which clients could send requests. Another option which requires less availability from the Bot but ensures eventual consistency is using a message broker like RabbitMQ.
Lastly, if you wish to store the email permanently you should consider using a storage like a Database (for robustness) or a File system (if you have only one server)
Hi I have our website running on appengine with flask as backend framework and we have built our authentication and session management using libraries Flask-OAuth, Flask-Login.
But now I have a requirement to use firebase for authentication.
I am able create sample applications following firebase tutorials but I do no how to integrate with existing application.
In Firenotes samples provided by firebase team they are using two separate services frontend and backend.
I thought of using firebase code in login.html page and once client authenticated pass the info to /profile url -> log the user_id in database and login-user using Flask-Login.
I am not sure whether the above flow is correct and I am not to ensure that it is correct one without any problems in future.
Please help with any ideas as I need to implement it very soon!!
Flask-Login uses session based authentication. Clients login using an authentication scheme. Since you are using Flask-OAuth, it's the oauth flow. If the user successfully authenticates, Flask-Login sends a response during the token exchange step setting an HTTP only cookie (meaning javascript can't access it) with a token unique to the user session. The client then authenticates future requests for the duration of the session with that token. The server can invalidate the session at any time, forcing the client to log in again.
Meanwhile, firebase authentication is JSON Web Token (JWT) authentication scheme. After completing the login flow, the firebase API retrieves a JWT from google's application servers.
To authenticate requests, you need to transmit that JWT on EVERY request. Your server MUST also validate the JWT to ensure that it is both valid and unexpired.
You'll note that the manner by which the JWT arrives at the server is unspecified by the firebase SDK and libraries. I recommend using a Authentication: JWT <google's jwt> header.
One way to resolve your question would be to use the JWT to complete the initial login flow, and then rely on session based auth from there. You'd set up a login endpoint that expects and validates a JWT, and responds with the set cookie header. From that point forward you continue using your flask-login provided session based auth.
Google actually has an example of this in their documentation: https://firebase.google.com/docs/auth/admin/manage-cookies
I cannot see how I could authenticate a server with vs GAE.
Let's say I have an application on GAE which have some data and I somehow need this data on another server.
It is easy to enable OAuth authentication on GAE but here I cannt use this since there is no "account" binded to my server.
Plus GAE doesn't support client certificate.
I could generate a token for each server that needs to access the GAE Application, and transfe them on the server. It would then use it to access the GAE Application by adding it in the URL (using HTTPS)...
Any other idea?
That is exactly what you need to do. On the server, generate a key (you choose the length), and store it in the datastore. When the other server makes a request, use HTTPS and include the key. Its like an API key (it is actually).
I have two development servers written with Python/Django - one API server(it's not solely an API server; it has UI and etc.), and another one is a demo app used to serve data by communicating to the API server. I invoke the demo app with iframe in the API server. After successfully getting response from the demo app, the original user session of the API server is lost(supposed to have two sessions -- one from the user of the API server, one from communication between the demo app and the API server).
Any idea what happened?
If you are running both on the same server, the session cookie might be overwritten since they both expect a sessionid cookie. If a sessionid doesn't exist a new one is generated, so when you access the outer app, you get a sessionid cookie, and that gets passed to the iframe app which doesn't recognize it and generates a new one. Try giving each app it's own unique SESSION_COOKIE_NAME
I would like to write a WSGI middleware that will work with my flask application. Any examples on how I can do that ? I found one on their documentation, but it says that it is not the preferred way to do it, so wondering what is ?
I would like to write a function which encrypts the session information and sends it as a cookie on response. On request it decrypts the cookie, and passes it forward as a hash. Basically client side session management as an encrypted cookie.
Em.. have you read the Flask or Werkzeug docs? Flask allows passing cryptographycally signed session data via cookies. If you want some secure cookie-based session management of your own, check the SecureCookieSessionInterface.