dusktreader / flask-praetorian Goto Github PK

View Code? Open in Web Editor NEW

340.0 15.0 46.0 3.34 MB

Strong, Simple, and Precise security for Flask APIs (using jwt)

Home Page: http://flask-praetorian.readthedocs.io/en/latest/

License: MIT License

Python 92.21% HTML 7.79%

flask-praetorian's Introduction

flask-praetorian

Strong, Simple, and Precise security for Flask APIs

API security should be strong, simple, and precise like a Roman Legionary. This package aims to provide that. Using JWT tokens as implemented by PyJWT, flask_praetorian uses a very simple interface to make sure that the users accessing your API's endpoints are provisioned with the correct roles for access.

This project was heavily influenced by Flask-Security, but intends to supply only essential functionality. Instead of trying to anticipate the needs of all users, flask-praetorian will provide a simple and secure mechanism to provide security for APIs specifically.

This extension offers a batteries-included approach to security for your API. For essential security concerns for Flask-based APIs, flask-praetorian should supply everything you need.

The flask-praetorian package can be used to:

Hash passwords for storing in your database
Verify plaintext passwords against the hashed, stored versions
Generate authorization tokens upon verification of passwords
Check requests to secured endpoints for authorized tokens
Supply expiration of tokens and mechanisms for refreshing them
Ensure that the users associated with tokens have necessary roles for access
Parse user information from request headers for use in client route handlers
Support inclusion of custom user claims in tokens
Register new users using email verification

All of this is provided in a very simple to configure and initialize flask extension. Though simple, the security provided by flask-praetorian is strong due to the usage of the proven security technology of JWT and python's PassLib package.

Super-quick Start

requirements: python versions 3.8+

install through pip: $ pip install flask-praetorian

minimal usage example: example/basic.py

Documentation

The complete documentation can be found at the flask-praetorian home page

flask-praetorian's People

Contributors

Stargazers

Watchers

flask-praetorian's Issues

Get document generation going

Create the necessary elements to get document generation working via Sphinx

Add current_user_id to init.py

Otherwise, you can't import current_user_id from flask_praetorian

Add checks for the jwt/praetorian required decorator in the roles_* decorators

The @roles_required and @roles_accepted decorators should do some error checking to make sure that the @jwt.jwt_required or @auth_required decorators have already been applied. If they have not, a sensible exception should be raised indicating that

Add documentation about the order of decorators

In both the decorator docstring, call out the necessary order of the decorators. Make sure it has an example as well

FileNotFoundError: [Errno 2] No such file or directory: '.project_metadata.json'

After executing pip install:

File "/tmp/pip-build-79fz6d8x/flask-praetorian/setup.py", line 7, in
with open('.project_metadata.json') as meta_file:
FileNotFoundError: [Errno 2] No such file or directory: '.project_metadata.json'

Add tests for a few of the non-plaintext hash methods

To make the testing more robust, include a few integration tests that verify behavior with some non-plaintext hashing methods

update long_description for pypi

pypi no longer uses the README by default. Fix that up

Let jwt be passed in as a parameter to init_app

So that a user supplied jwt instance can be used as an alternative to Praetorian's own instance

Fix flake8 error

$ flake8 tests
tests/conftest.py:27:9: E722 do not use bare except'

Add error handling to init_app

The init_app method of the Praetorian class should have some good, robust error handling

Revise exceptions to derive from flask-buzz

Allow client code to override status codes for exceptions

The jsonify method of the exceptions currently uses the exception's default status code. We should allow the client code to override this

Figure out how to register /auth endpoint with swagger

Figure out what needs to be done so that the /auth endpoint inherited from flask_jwt is available to swagger for projects that use it to automatically document their api. Make sure that the swagger documentation includes some good explanation of how the endpoint works

Rearrange docs a little bit

Make the link from README to the document pages more samless
Drop the links to the raw sphinx docs
Update badges in README
Fix conf.py inclusion of base package
Fixup setup.py while at it
Add classifiers to setup.py

Use buzz-lightyear for exception base

Trim down PraetorianError accordingly. add dependencies in setup.py

Switch back to bcrpyt as the default

Turns out that argon2 has a dependency in Ubuntu for libffi-dev. Installing via pip will not resolve this dependency.

Try adding cffi as an explicit install requirement or some of the other approaches mentioned here:
Kozea/cairocffi#14

If there is not a solution that resolves all dependencies without having to install anything but python and pip on the system, switch the default back to bcrypt

Change default password hashing scheme to pbfdk2_sha512

the bcrypt dependency (and default setting) causes some issue on systems where there are issues installing cffi.

by switching to sha512, we can eliminate that dependency problem

get flask-praetorian up on pypi

Add pypi install instructions to docs

Make a new exception to raise when a user lacks sufficient role

InvalidUserError's status_code should be 403

Add override expiration arguments for pack_header_for_user

Update README

Add build-status image
Replace 'included' text with...sigh...copy

Further improve user validation

Update documentation for internal support for jwt

Make sure the documentation doesn't talk about flask-jwt or flask-jwt-extended.

Also, make sure that it's removed from the requirements

format license as restructuredtext

follow this template:

The MIT License (MIT)
=====================

Copyright © `<year>` `<copyright holders>`

<license text>

Describe requirements for user_class in the documentation

There should be a brief description of the required properties and attributes of the user class in the README

Also update the README example to show requirements for lookup and identify

Expand the quickstart documentation a bit

Perhaps a bit more description of things and better examples

Add lots of function and class documentation

Lots of docstrings need to be added. Docstrings should only be added when the behavior of the function and or class is not completely self-explanatory

move jwt library to flask-jwt-extended

See if flask-jwt-extended can be a drop-in replacement for flask-jwt

https://github.com/vimalloc/flask-jwt-extended

Document that praetorian uses pendulum.utcnow

This issue requested by dev.

Add flask-praetorian to curated lists of python/flask pacakges

Fix issue with eternal tokens and setting the JWT_*_LIFESPAN variables

Eternal tokens don't work because the value of the max interval is too great to add to the current time. So just use a very large interval instead of the maximum one.

Also, there isn't an easy way to parse a string to an Interval. So, instead of having the JWT_*_LIFESPAN variables expect to be an Interval, instead make them a dict that can be used to create an interval

Create a new exception for missing users

The code that identifies the user based on id should raise a custom exception when the user cannot be found

Add in continuous-integration for pull-requests

Speed up the tests

Allow provisioning of tokens without an expiration

It should be possible to provision tokens that never expire. It should be possible also to have a token's refresh window never expire.

Allow pack_header_for_user to be used outside of tests

Add argon2 support

When passlib1.7 is released, add argon2 support so that it may be used as the encryption scheme. It should also become the default at that point.

Add github links to the docs

Add a tutorial or expand the example section

The tutorial/example needs to cover:

refreshing a token
error handling
blacklisting

fix warnings

When running the test suite, the following warnings come up:

  pytest-capturelog plugin has been merged into the core, please remove it from your requirements.

tests/test_base.py::TestPraetorian::()::test_encrypt_password
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/flask_sqlalchemy/__init__.py:794: FSADeprecationWarning: SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future.  Set it to True or False to suppress this warning.
    'SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and '

tests/test_base.py::TestPraetorian::()::test_validate_jwt_data
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)

tests/test_base.py::TestPraetorian::()::test_encode_jwt_token
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)

tests/test_base.py::TestPraetorian::()::test_encode_eternal_jwt_token
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)

tests/test_base.py::TestPraetorian::()::test_refresh_jwt_token
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)

tests/test_base.py::TestPraetorian::()::test_read_token_from_header
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)

tests/test_base.py::TestPraetorian::()::test_pack_header_for_user
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)

tests/test_decorators.py::TestPraetorianDecorators::()::test_auth_required
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/work/flask-praetorian/tests/test_decorators.py:77: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    default_guard.access_lifespan
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2064: PendulumDeprecationWarning: The subtract_timedelta() method will be removed in version 2.0.
    return self.subtract_timedelta(other)
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)

tests/test_decorators.py::TestPraetorianDecorators::()::test_roles_required
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)

tests/test_decorators.py::TestPraetorianDecorators::()::test_roles_accepted
  /Users/tbeck/.virtualenvs/praetorian/lib/python3.6/site-packages/pendulum/pendulum.py:2081: PendulumDeprecationWarning: The add_timedelta() method will be removed in version 2.0.
    return self.add_timedelta(other)

-- Docs: http://doc.pytest.org/en/latest/warnings.html

should deploy only on the latest version of python build
should do builds for python 3.5, 3.6, 3.7

Quickstart Typo

Hello, I'm going through the quickstart guide for the first time to give flask-praetorian a try. In the quickstart,

POST /auth HTTP/1.1
Host: localhost:5000
Content-Type: application/json
{
    "username": "TheDude",
    "password": "abides"
}

should be

POST /login

for the current example as it does not have /auth endpoint. The docs should also reflect that.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.