Added support for multiple authentication methods

miguelgrinberg · Mar 13, 2016 · 6c3f94d · 6c3f94d
1 parent 8b427b9
commit 6c3f94d
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/docs/index.rst b/docs/index.rst
@@ -61,6 +61,8 @@ For the most degree of flexibility the `get_password` and `hash_password` callba
     def verify_pw(username, password):
         return call_custom_verify_function(username, password)
 
+In the examples directory you can find an example called `basic_auth.py` that shows how a `verify_password` callback can be used to securely work with hashed passwords.
+
 Digest authentication example
 -----------------------------
 
@@ -123,8 +125,8 @@ As an alternative to using server-side sessions, an application can implement it
 
 For information of what the ``nonce`` and ``opaque`` values are and how they are used in digest authentication, consult `RFC 2617 <http://tools.ietf.org/html/rfc2617#section-3.2.1>`_.
 
-Custom Authentication Scheme Example
-------------------------------------
+Token Authentication Scheme Example
+-----------------------------------
 
 The following example application uses a custom HTTP authentication scheme to protect route ``'/'`` with a token::
 
@@ -160,6 +162,15 @@ The ``HTTPTokenAuth`` is a generic authentication handler that can be used with
 
 The ``verify_token`` callback receives the authentication credentials provided by the client on the ``Authorization`` header. This can be a simple token, or can contain multiple arguments, which the function will have to parse and extract from the string.
 
+In the examples directory you can find a complete example that uses JWT tokens.
+
+Using Multiple Authentication Schemes
+-------------------------------------
+
+Applications sometimes need to support a combination of authentication methods. For example, a web application could be authenticating by sending client id and secret over basic authentication, while third party API clients use a JWT bearer token. The `MultiAuth` class allows you to protect a route with more than one authentication object. To grant access to the endpoint, one of the authentication methods must validate.
+
+In the examples directory you can find a complete example that uses basic and token authentication.
+
 Deployment Considerations
 -------------------------
 

diff --git a/flask_httpauth.py b/flask_httpauth.py
@@ -239,3 +239,24 @@ def authenticate(self, auth, stored_password):
         if self.verify_token_callback:
             return self.verify_token_callback(token)
         return False
+
+
+class MultiAuth(object):
+    def __init__(self, main_auth, *args):
+        self.main_auth = main_auth
+        self.additional_auth = args
+
+    def login_required(self, f):
+        @wraps(f)
+        def decorated(*args, **kwargs):
+            selected_auth = None
+            if 'Authorization' in request.headers:
+                scheme, creds = request.headers['Authorization'].split(None, 1)
+                for auth in self.additional_auth:
+                    if auth.scheme == scheme:
+                        selected_auth = auth
+                        break
+            if selected_auth is None:
+                selected_auth = self.main_auth
+            return selected_auth.login_required(f)()
+        return decorated