I am basically writing an API in Python, using Flask, and I would like to restrict access to its endpoints so that only an entity, namely an Arduino, can have GET and POST access. How should I make this possible and what should I be looking for?
You can assign a secret key (i.e. a password) to each client of this API, and then require that this key is provided by the client with all requests sent to the server.
So you start by assigning a key to your Arduino client, but you can also give a different key to your own testing client, and any other development clients you may need.
The secret key can be passed as HTTP Basic Authentication with every request.
Configure your WSGI container or its associated web server to only allow access to the Flask application from the IP address assigned to the Arduino's network interface.
Related
I've built a web application which uses spotify api and it uses client id and client secret which is present in main.py i.e on the backend side of my application to fetch data regarding songs. Now I want to deploy the app on heroku and want to know whether it will be safe to deploy it like this or should I move client id and secret somewhere else.
Don't include the client id and the cilent secret into the code. Just add there a comment and the user can just add his own secrets.
You can do few things here:
Store your client_secret within an environment variable source
Use some kind of secure storage to save it as Azure KeyVault an then retrieve it directly from your code
I am using client side sessions. The requirement is to redirect from 1 flask server which already have a user session data to another flask app on a different server and use the same client session information to make sure the user has already logged in if not send them back to the 1st server for authentication.
If possible i would like to keep using the client side sessions. If not any information regarding the alternative will be helpful.
Thank you
Normally there is 2 options.
First, client side authentication using token like JWT (Json Web Token), this approach authenticate every request using token included in header and no need additional server.
Second, server side approach with additional session store like Redis for multiple backends.
I am developing a client and a server in python. The client connects to the server and send requests for the server to perform specific tasks. In one of the tasks the server needs to connect to a ssh server using a private key. Is there any good way to store this private key? Should it be stored in the client or in the server? If stored in the client, what would be the safe way to send it to the server when needed? I don't really want to have the need to type a password in the client everytime.
Thanks.
I have a question about implementing passing data between two apps that I have running.
I have a Flask backend, which receives a user email via a POST request and stores it in a variable. I need to pass this variable into TelegramBotAPI.
What I need to happen is when Flask receives a new user email, it will pass the data into the TelegramBotAPI and trigger a function which will send it in a message to the user.
How do I go about implementing this?
Assuming your architecture separates the TelegramBot from the Flask server, you would treat your flask server as the client for your Telegram Bot which is the server in this scenario.
Armed with this information there are numerous ways to go about this. TelegramBot could provide an http server through which clients could send requests. Another option which requires less availability from the Bot but ensures eventual consistency is using a message broker like RabbitMQ.
Lastly, if you wish to store the email permanently you should consider using a storage like a Database (for robustness) or a File system (if you have only one server)
I cannot see how I could authenticate a server with vs GAE.
Let's say I have an application on GAE which have some data and I somehow need this data on another server.
It is easy to enable OAuth authentication on GAE but here I cannt use this since there is no "account" binded to my server.
Plus GAE doesn't support client certificate.
I could generate a token for each server that needs to access the GAE Application, and transfe them on the server. It would then use it to access the GAE Application by adding it in the URL (using HTTPS)...
Any other idea?
That is exactly what you need to do. On the server, generate a key (you choose the length), and store it in the datastore. When the other server makes a request, use HTTPS and include the key. Its like an API key (it is actually).