Adding HTTP Basic Auth to all calls #44

Closed
sylvinus opened this issue Jan 3, 2013 · 3 comments


sylvinus commented Jan 3, 2013

If I want to expose Flower on the web and don't want to use OAuth to log in, I think there's currently no solution.

Here is a rough patch I made to urls.py to add HTTP Basic Auth on all requests. It sure needs more work to connect it to the config system, for instance, but I guess you could use it as a base for adding support:

35a36,37
> import functools
> import base64
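
Review bot: `import functools` in this hunk is never used by the code added further down; only `base64` is referenced (in `base64.decodestring`). Drop the unused import.
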
37c39
< handlers = [

---
> _handlers = [
84a87,147
> 
> """
>     This patch adds mandatory HTTP Basic Auth to all requests, except websockets
> """
> 
> # http://kelleyk.com/post/7362319243/easy-basic-http-authentication-with-tornado
> def require_basic_auth(handler_class, auth):
> 
>     def _request_auth(handler):
>         if hasattr(handler, "ws_connection"):
>             return True  # TODO, basic auth not supported in websockets
> 
>         handler.set_header('WWW-Authenticate', 'Basic realm=Flower')
>         handler.set_status(401)
>         handler._transforms = []
>         handler.finish()
>         return False
> 
>     def wrap_execute(handler_execute):
>         def require_basic_auth(handler):
>             auth_header = handler.request.headers.get('Authorization')
>             if auth_header is None or not auth_header.startswith('Basic '):
>                 return _request_auth(handler)
> 
>             auth_decoded = base64.decodestring(auth_header[6:])
> 
>             username, password = auth_decoded.split(':', 2)
> 
>             if (auth(username, password)):
>                 return True
>             else:
>                 return _request_auth(handler)
>             
>         def _execute(self, transforms, *args, **kwargs):
>             if not require_basic_auth(self):
>                 return False
>             return handler_execute(self, transforms, *args, **kwargs)
>         return _execute
> 
>     handler_class._execute = wrap_execute(handler_class._execute)
>     return handler_class
> 
> 
> def oxauth(username, password):
>     return "%s:%s" % (username, password) == config.config["FLOWER_AUTH"]
> 
> 
> # Force-add httpauth to each handler
> handlers = []
> for h in _handlers:
>     if len(h) > 2:
>         handlers.append((h[0], require_basic_auth(h[1], oxauth), h[2]))
>     else:
>         handlers.append((h[0], require_basic_auth(h[1], oxauth)))
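
Review bot: the credential parsing in the inner `require_basic_auth` can raise instead of answering 401. `auth_decoded.split(':', 2)` splits up to twice, so any password containing a colon yields three parts (and a value with no colon yields one), and the two-name unpacking then raises ValueError; malformed base64 passed to `base64.decodestring` raises as well. Use `split(':', 1)` and wrap the decode and split in a try/except that falls back to `_request_auth(handler)`. Further points on the same hunk: `_request_auth` returns True for any handler that has a `ws_connection` attribute, so those endpoints stay reachable with a missing or wrong header, which should be documented until the TODO is resolved; `oxauth` compares the credentials with `==`, where a constant-time comparison such as `hmac.compare_digest` is the safer choice; and `handler_class._execute = wrap_execute(handler_class._execute)` patches the class in place, so a handler class listed more than once in `_handlers` is wrapped once per listing.
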
Author

sylvinus commented Jan 3, 2013

By the way, HTTP Auth support has been added to the -13 draft for WebSockets, but it is still not supported by most browsers (http://code.google.com/p/chromium/issues/detail?id=47069) or Tornado AFAIK.

mher added a commit that referenced this issue Apr 11, 2013
Owner

mher commented Apr 12, 2013

HTTP Basic Auth support is ready. Please try the master.

mher closed this as completed Apr 12, 2013
Contributor

NotSqrt commented Oct 8, 2013

For angry people like me, in addition to the comment of sylvinus, it works with Firefox (24.0 on my computer), but not with Chromium or Chrome (30.0), but it's not something that Flower can circumvent.
