Develop Reference

"description": "Invalid credentials" in POSTMAN using flask_jwt

I am trying to authenticate and get an access token. I have created user class, I am trying to run the POST method from POSTMAN while authenticating, but I am receiving some error:
{
"description": "Invalid credentials",
"error": "Bad Request",
"status_code": 401
}
and I couldn't find any solution.
Code for app.py
from flask import Flask, request
from flask_restful import Resource, Api
from flask_jwt import JWT, jwt_required
from security import authenticate, identity
# creating flask app
app = Flask(__name__)
app.secret_key = 'vishwas'
api = Api(app)
jwt = JWT(app, authenticate, identity) # /auth
# empty list of items
items = []
class Item(Resource):
#jwt_required()
def get(self,name):
# next return first value that found by the filter function
# next(filter(), None) -> 'None' to handle the eroor if the list is empty
item = next(filter(lambda x: x['name'] == name,items), None)
return {'item': item}, 200 if item else 404
# http://127.0.0.1.5000/item/<string:name>
api.add_resource(Item, '/item/<string:name>')
app.run(port=5000, debug=True)
Code for security.py
from werkzeug.security import safe_str_cmp
from user import User
# list of users
users = [
User(1,"bob","pass")
]
# users information using their username
username_mapping = {user.username: user for user in users}
# users information using their userid
userid_mapping = {user.id: user for user in users}
def authenticate(username,password):
user = userid_mapping.get(username, None)
if user and safe_str_cmp(user.password, password):
return user
def identity(payload):
user_id = payload['identity']
return userid_mapping.get(user_id, None)
Code for user.py
class User:
def __init__(self,_id,username,password):
self.id = _id
self.username = username
self.password = password
As you can see that I have implemented the code correctly but still I am getting this 'Invalid Credentials' or 'Bad Request' error.

if you look at what is stored in the data:
def authenticate(username, password):
print(username_mapping)
we will see:
{('bob',): <user.User object at 0x000002C7DC982B00>}
that is, the ('bob',) key, not bob
I myself only study potshon, so the decision to make only this
def authenticate(username, password):
user = username_mapping.get(('{}'.format(username),), None)
if user and safe_str_cmp(user.password, password):
return user
And you mistake there, instead username_mapping, you're using userid_mapping
And accordingly:
def identity(payload):
user_id = payload['identity']
return userid_mapping.get((user_id[0],), None)
I don’t know how much is correct, most likely it is necessary to bring the initial data to the correct type, but it works. Maybe someone will tell you how it is more correct.

Make sure to use username instead of name
"name": "mostafa",
"password": "pass"
}
should be this
"username": "mostafa",
"password": "pass"
}

Tornado login form unit test

I have the following Tornado 6.0.3 Web server:
import tornado.ioloop
import tornado.web
import json
class BaseHandler(tornado.web.RequestHandler):
def get_current_user(self):
return self.get_secure_cookie("user")
def set_current_user(self, user):
print('setting secure cookie', user)
self.set_secure_cookie("user", user)
class LoginHandler(BaseHandler):
def get(self):
self.render('login.html')
def post(self):
user = self.get_argument("user")
self.set_current_user(user)
self.redirect("/")
class IndexHandler(BaseHandler):
def get(self):
user = self.get_current_user()
print('getting current user in IndexHandler', self.get_current_user())
if user:
self.write('Hi, ' + user.decode('utf-8'))
else:
self.write("Hi, unknown. <a href='/login'>Login</a>")
class LogoutHandler(BaseHandler):
#tornado.web.authenticated
def get(self):
self.clear_cookie("user")
def make_app():
settings = {
"cookie_secret":"61oETzKXQAGaYdkL5gEmGeJJFuYh7EQnp2XdTP1o/Vo=",
"login_url":"/login",
"debug":False,
'xsrf_cookies': True,
}
return tornado.web.Application([
(r"/", IndexHandler),
(r"/login", LoginHandler),
(r"/logout", LogoutHandler),
], **settings)
if __name__ == "__main__":
application = make_app()
application.listen(8005)
print('sample_app server started')
tornado.ioloop.IOLoop.instance().start()
login.html is defined this way:
<form method='POST'>
user <input type='text' name='user' id='user'><br>
password <input type='text' name='password' id='password'><br>
<input type='submit' value='Valider'>
{% raw xsrf_form_html() %}
</form>
This application works correctly. When I go to the login page and type 'bla' for user and 'bla bla' for password, I get: 'Hi, bla' in the browser, and the trace is:
sample_app server started
getting current user in IndexHandler None
setting secure cookie bla
getting current user in IndexHandler b'bla'
Now, when I write the following test:
import unittest
from unittest import TestCase
from tornado.testing import AsyncHTTPTestCase
from sample_app import *
from urllib.parse import urlencode
class AppTestCase(AsyncHTTPTestCase):
def get_app(self):
self.app = make_app()
return self.app
def test_login(self):
p = {'user': 'bla', 'password': 'bla bla', '_xsrf': "dummy"}
response = self.fetch('/login', method='POST', body=urlencode(p), headers={"Cookie": "_xsrf=dummy"})
print("\n", response.body)
if __name__ == "__main__":
unittest.main()
I get for response: Hi, unknown. Login,
and the trace is:
setting secure cookie bla
getting current user in IndexHandler None
Why secure cookie is not correctly set in test mode ?

Tornado's default HTTP client doesn't support cookies (secure or not). You can set follow_redirects=False and see that the Set-Cookie header is set on the response from /login, but there's not currently a way to pass that cookie to the index handler automatically with the default client.
If you use the curl HTTP client instead, I think you can configure this to process cookies, but I haven't tried this myself and don't know how to configure it to do this.

Django using one time call function output as global value

While initializing the project, i want to call login function from projects settings for once and use the output token anywhere in project. I want to use same token whether I call again to check if token changed.
def login(creds):
r = requests.post(base_url + '/api/admin/login', json=creds, headers=headers, verify=False)
if r.status_code == 200:
token = r.json()['token']
return token
If i call function in project settings, function starts each time. I don't want to dump token to a file and read each time. Any other way? Thanks.

The best way would be to separate responsibilities for login, authentication and use of token. In practice you'd store token in session. Django provides full support for anonymous sessions, but this could limit your application in cases, when you'd like to store some data associated to that user in the local database.
What I recommend is to setup User model in the local database where you save usernames. Next you create a function for authentication:
import requests
def authentication(username, password):
creds = {'username': username, 'password': password}
headers = 'whatever'
r = requests.post(base_url + '/api/admin/login', json=creds, headers=headers, verify=False)
if r.status_code == 200:
token = r.json()['token']
# Create user in the local database if it does not exist yet
user, created = User.objects.get_or_create(username=username)
return token
else:
error = 'Something went wrong'
return error
Next you create login functionality.
from django.urls import reverse
from django.http import HttpResponseRedirect
from django.contrib.auth import login
from django.shortcuts import render
def login(request):
# Check if user is authenticated by call is_authenticated() and
# additionally check if token is stored in session
if request.user.is_authenticated and request.session.get('token', False):
return HttpResponseRedirect(reverse('user_page'))
if request.method == 'POST':
username = request.POST.get('username')
password = request.POST.get('password')
auth_data = authenticate(username=username, password=password)
if auth_data is not None:
# Save token in session
request.session['user_token'] = auth_data
# Get user and login
# Because you created a user in local database,
# you can login that user in this step
user = User.objects.get(username=username)
login(request, user)
next = request.POST.get('next', '/') if request.POST.get('next') else '/'
return HttpResponseRedirect(next)
else:
# Implement some error handling here
return HttpResponseRedirect(reverse('login'))
else:
return render(request, 'login.html', {})
The next logical step would be to control this users tokens somehow. Decorators come to rescue. You create a decorator that checks token. For example something in this sense:
import functools
from django.contrib.auth import REDIRECT_FIELD_NAME
from urllib.parse import urlparse
from django.shortcuts import resolve_url
from django.contrib.auth.views import redirect_to_login
def token_required(func, redirect_field_name=REDIRECT_FIELD_NAME, login_url=None):
#functools.wraps(func)
def decorated_function(request, *args, **kwargs):
# Check if token is saved in session
# Redirect to login page if not
if not request.session.get('token', False):
path = request.build_absolute_uri()
resolved_login_url = resolve_url(login_url or settings.LOGIN_URL)
# If the login url is the same scheme and net location then just
# use the path as the "next" url.
login_scheme, login_netloc = urlparse(resolved_login_url)[:2]
current_scheme, current_netloc = urlparse(path)[:2]
if ((not login_scheme or login_scheme == current_scheme) and
(not login_netloc or login_netloc == current_netloc)):
path = request.get_full_path()
return redirect_to_login(
path, resolved_login_url, redirect_field_name)
return func(request, *args, **kwargs)
return decorated_function
You'd need to implement your logic here. This decorator only check if token is stored in session, nothing else. You'd then use this decorator in views as in
from django.contrib.auth import logout
#token_required
#login_required
def user_logout(request):
logout(request)
return HttpResponseRedirect('/')

Django: ValidationError using is_authenticated and logout when authenticating from an external source

I am currently building a Django application that gets all its data from an external source (via HTTP). I therefore do not want to use my own database. I have already implemented my own user and remote user backend as per the solution stated in this SO question: Django users and authentication from external source. I am using signed cookies for storing sessions.
After implementing the above stated, I was able to login without any errors. However, on checking whether a user is authenticated in a template (or when trying to log him out in a view), I receive an error:
ValidationError at /products/
["'None' value must be an integer."]
at the line in the template
{% if user.is_authenticated %}
where request.user is passed as a template variable user in the corresponding view (I know I shouldn't do that, it's just temporary).
Here is some of the other relevant traceback:
/home/ines/.virtualenvs/diet/lib/python3.6/site-packages/django/contrib/auth/middleware.py in <lambda>
request.user = SimpleLazyObject(lambda: get_user(request))
...
/home/ines/.virtualenvs/diet/lib/python3.6/site-packages/django/contrib/auth/middleware.py in get_user
request._cached_user = auth.get_user(request)
...
/home/ines/.virtualenvs/diet/lib/python3.6/site-packages/django/contrib/auth/__init__.py in get_user
user_id = _get_user_session_key(request)
...
/home/ines/.virtualenvs/diet/lib/python3.6/site-packages/django/contrib/auth/__init__.py in _get_user_session_key
return get_user_model()._meta.pk.to_python(request.session[SESSION_KEY])
The error happens in the to_python() call, where the line 942 in file django/db/models/fields/__init__.py: return int(value) throws an Exception as it receives value='None'.
Let me now post all (hopefully) relevant code from my app.
settings.py
AUTHENTICATION_BACKENDS = ('products.backends.ApiAuthBackend',)
products/backends.py
from django.contrib.auth.backends import RemoteUserBackend
from products.api import API
from products.models import ApiUser
class ApiAuthBackend(RemoteUserBackend):
"""
Authenticate against the API.
"""
create_unknown_user = False # does not create a User object if it is not in the database
def authenticate(self, request, username=None, password=None):
api = API()
access_token = api.login(username=username, password=password)
if api.logged_in():
user = ApiUser()
user.username = username
request.session['access_token'] = access_token
return user
return None
def get_user(self, user_id):
return ApiUser(username=user_id)
products/models.py
from django.contrib.auth.models import AbstractUser
class ApiUser(AbstractUser):
def save(self, **kwargs):
"""
Disables saving to database.
"""
pass
objects = None
username = ''
first_name = ''
last_name = ''
email = ''
password = ''
groups = ''
user_permissions = ''
is_staff = False
is_active = True
is_superuser = False
last_login = None
date_joined = None
def get_group_permissions(self, obj=None):
return []
def get_all_permissions(self, obj=None):
return []
def has_perm(self, perm, obj=None):
return []
def has_perms(self, obj=None, **kwargs):
return []
def has_module_perms(self, app_label):
return []
Upon further inspection of the django/contrib/auth/__init__.py, line 154:
request.session[SESSION_KEY] = user._meta.pk.value_to_string(user)
The problem seems to be that the request.session[SESSION_KEY], where SESSION_KEY = '_auth_user_id', is set to 'None'. That's due to the fact that the ApiUser class does not have Fields for attributes anymore - I have overriden them in models.py since I am not using a database. Therefore my instances of ApiUser do not have a pk, and SESSION_KEY attribute is therefore set to 'None'. When Django wants to authenticate, the SESSION_KEY attribute of the session gets passed to the aforementioned to_python() function which in turn raises an Exception.
My question is, how do I fix this? I tried setting the user.pk to always be 1 and setting the session[SESSION_KEY] manually to 1 in the authenticate function in models.py, which has resulted in me not getting an exception but other data written to the session (access_token) has disappeared.
Thank you in advance for your time and answers, and I'm terribly sorry if there happens to be a solution to this somewhere already (I did search extensively but haven't been able to find it).
Update (as per request by Bear Brown):
Here is my code for API class, not sure it's really relevant as it's just used to communicate with the external database but anyway.
products/api.py
import requests
import json
class API:
URL = "[...]"
KEY = "[...]"
LOGIN = "authenticate/access-token"
REGISTER = "authenticate/register"
session = None
debug = True
def __init__(self, **kwargs):
if len(kwargs) > 2 or not kwargs:
return
try:
self.login(**kwargs)
except requests.exceptions.ConnectionError:
print("Could not connect to the database.")
except requests.exceptions.RequestException:
print("Could not retrieve data from the database.")
def login(self, **kwargs):
if self.session is not None:
return
assert 0 < len(kwargs) < 3
access_token = ''
if len(kwargs) == 2:
username, password = kwargs['username'], kwargs['password']
url = self.URL + self.LOGIN
user_data = {
'username': username,
'password': password,
'active-check': 0,
'api_key': self.KEY
}
r = requests.post(url, data=user_data)
r.raise_for_status()
response = r.json()
if response['success'] is True:
access_token = response['access_token']
else: # len(kwargs) == 1
access_token = kwargs['access_token']
if access_token:
self.session = requests.Session()
self.session.headers.update({'Authorization': 'Client-ID ' + access_token})
if self.debug: print("Successfully logged in.")
return access_token
def logout(self):
if self.session is None:
return
self.session.close()
self.session = None
def logged_in(self):
return self.session is not None
Here is a link to the full error traceback on pastebin (it seemed too be too long to add to an already long post):
full error traceback on pastebin.

flask-login user is set to anonymous after login

im new to flask and flask-login and ive been struggling with this for days.
Im trying to log a user in like this:
from creds import auth_username, auth_password, pgsql_dbuser, pgsql_dbpassword, pgsql_db1name
from flask import Flask, render_template, request, Response, redirect, url_for
from flask.ext.bcrypt import Bcrypt
from flask.ext.login import LoginManager, login_required, login_user, current_user, logout_user
import logging
import psycopg2
import uuid
import datetime
app = Flask(__name__)
app.secret_key = str(uuid.uuid4()) # <- required by login_manager.init_app(app)
bcrypt = Bcrypt(app)
login_manager = LoginManager()
login_manager.init_app(app)
login_manager.login_view = 'index'
#app.route('/', methods=['GET','POST'])
def index():
page_name = '/'
if request.method == 'POST':
email = request.form['email']
candidate_password = request.form['password']
user = finduserindbbyemail(email)
if user != None:
password_hash = checkuserpasswordindb(email)
if bcrypt.check_password_hash(password_hash, candidate_password):
user_object = User(user)
result = login_user(user_object) # <- here for successful login
return redirect(url_for('loggedin', user_object=type(user_object), user=user, result=result, current_user=current_user))
else:
user_object = User(user)
error_message = "The password you entered is incorrect"
return render_template('index.html', error_message=error_message)
else:
error_message = "The email address you entered does not match any we have in our records"
return render_template('index.html', error_message=error_message)
if request.method == 'GET':
return render_template('index.html')
I have a User class and a user callback:
class User():
def __init__(self, user):
self.user = user
def is_authenticated(self):
return True
def is_active(self):
return True
def is_anonymous(self):
return False
def get_id(self):
return unicode(self.user)
#login_manager.user_loader
def load_user(user):
con = psycopg2.connect(database=pgsql_db1name, user=pgsql_dbuser, password=pgsql_dbpassword, host='localhost')
uuid = "'"+user+"'"
cur = con.cursor()
cur.execute("SELECT uuid FROM users WHERE uuid = "+ uuid)
uuid = cur.fetchone()
con.close()
if uuid != None:
user = unicode(uuid[0])
return User.get_id(user)
else:
return None
After authentication is successful (apparently?), the user is redirected to a loggedin page which has a #login_required decorator. But instead of loading the loggedin page, the app redirects the user to the login page, telling me the user isnt being logged in?
If try to send values to the page and i remove the #login_required decorator so i can see the page, this is what i see in the browser after 'logging in':
current_user.is_authenticated() = False
current_user.is_active() = False
current_user.is_anonymous() = True
current_user.get_id() = None
user_object = <type 'instance'>
user = 2ca1296c-374d-43b4-bb7b-94b8c8fe7e44
login_user = True
current_user = <flask_login.AnonymousUserMixin object at 0x7f2aec80f190> Logout
It looks like my user hasn't been logged and is being treated as anonymous?
Can anyone see what I've done wrong? I'm having a lot of trouble understanding how this is supposed to work.

Another reason you might not be able to log a user in or current_user is Anonymous after going through your login form: The active=false flag is set on the user in the db. This behavior is confirmed in the docs:
flask_login.login_user(user, remember=False, duration=None, force=False, fresh=True)[source]
Logs a user in. You should pass the actual user object to this. If the user’s is_active property is False, they will not be logged in unless force is True.
This will return True if the log in attempt succeeds, and False if it fails (i.e. because the user is inactive).
So, when you call login_user, you can do this:
login_user(user, remember=form.remember_me.data, force=True), if you want to allow inactive users to log in.

So.. I managed to get it to work, but not using the user_loader callback. For whatever reason, my user loader exhibits the same behaviour as this:
Flask-login with static user always yielding 401- Unauthorized
Anyway, I used a request_loader callback instead based on this example:
http://gouthamanbalaraman.com/blog/minimal-flask-login-example.html
so for a user logging in, which starts here:
if bcrypt.check_password_hash(password_hash, candidate_password):
user_object = User(user, password_hash)
result = login_user(user_object) # <- here for successful login
token = user_object.get_auth_token(user, password_hash)
return redirect(url_for('loggedin', token=token))
I create a user object which has the user's id and their password hash.
then i log the user in. then i create a time-serialized token of the user id and password hash using itsdangerous. the get_auth_token function is part of the User class. it looks like this:
class User():
def __init__(self, user, password_hash):
self.user = user
self.password = password_hash
.
.
.
def get_auth_token(self, user, password):
data = [str(self.user), self.password]
return serializer.dumps(data, salt=serializer_secret)
you need to create a serializer at the beginning of your code somewhere:
serializer = URLSafeTimedSerializer(serializer_secret)
So after the token is created, pass it to the loggedin view as a URL query parameter.
When you try to load a login_required page, like my loggedin page, which is where login_user redirects me to after a successful login, the request_loader callback is executed. it looks like this:
#login_manager.request_loader
def load_user_from_request(request):
if request.args.get('token'):
token = request.args.get('token')
max_age = 1
try:
data = serializer.loads(token, salt=serializer_secret, max_age=max_age)
username = data[0]
password_hash = data[1]
found_user = finduserindbbyuuid(username)
found_password = checkuserpasswordindbbyuuid(username)
if found_user and found_password == password_hash:
user_object = User(found_user, password_hash)
if (user_object.password == password_hash):
return user_object
else:
return None
else:
return None
except BadSignature, e:
pass
else:
return None
This is the point where my user_loader was failing. I was logging in successfully, but the user_loader was always returning None and so my user would be deemed as anonymous.
So with the request loader, it checks that the request URL contains a 'token' argument in the query string. if so, it takes its value and using itsdangerous, deserializes the data.
you can make the token expire with timed serializers, but there are also non timed ones. after the token is deserialized, take the user and password hash and check in the database if they exist, in exactly the same way that the user_loader was supposed to work.. i imagine? my user_loader didnt work so i was most probably doing it wrong.
anyway if a user and password match in the db, then return the user object and bam, login works.
Im not sure if im doing it the right way, cos pretty much flying by the seat of my pants. i saw examples where people used the token_loader, rather than the request_loader callback function, to load the token, but i couldnt figure out how to set & get the auth token to & from the client. maybe ill figure it out... one day...
if you have the same problem, maybe this might help? or just let me know what you think
cheers

I found this page when searching for help with Flask-Login + Flask-Dance. I was seeing current_user as AnonymousUserMixin in a handler with the #login_required decorator. In my case making sure #app.route is on the line above #login_required fixed the problem. The correct order is in the docs: https://flask-login.readthedocs.io/en/latest/#flask_login.login_required.