How to protect "hidden" endpoints/routes #107
Comments
I looked into Flask, this seems to work:
```python
# app may also be a blueprint (possibly?)
# endpoint should be known (from flask routes ...)
def auth_wrap_endpoint(app, endpoint, **kwargs):
    view_func = app.view_functions.get(endpoint)
    if view_func is not None:
        view_func_authd = auth.login_required(**kwargs)(view_func)
        app.view_functions[endpoint] = view_func_authd

auth_wrap_endpoint(app, "flask-apispec.static", role="api-rw")
auth_wrap_endpoint(app, "flask-apispec.swagger-json", role="api-rw")
auth_wrap_endpoint(app, "flask-apispec.swagger-ui", role="api-rw")
```
And I'm not sure about the decorator priority/order. Calling the |
@Querela What you did is a bit hacky, but should work. An alternative would be to add the decorator to a |
I know ... but it works really well so far. Just those possible other decorators are an unknown factor.
Well yes, but as far as I know, I can (a) only protect my whole Flask application or (b) a single blueprint? But the extension declares a blueprint itself and makes it not publicly available for other uses. Source excerpt in flask-apispec
Update I found the
I tried but failed with:
```python
def auth_wrap_blueprint(app, blueprint_name, **kwargs):
    blueprint = app.blueprints[blueprint_name]

    from flask import current_app
    from flask import request

    @blueprint.before_request
    @auth.login_required(**kwargs)
    def before_request_rw():  # pylint: disable=unused-variable
        """Protect blueprint routes"""
        current_app.logger.debug(
            "%s.before_request: [%s] %s",
            blueprint_name,
            request.method,
            request.endpoint,
        )

auth_wrap_blueprint(app, "flask-apispec", role="api-rw")
```
This is rather curious. The blueprint can be retrieved but the httpauth is not called ... (And using the same scheme I successfully protected my own blueprint. The only difference is that my own had the |
You seem to always resort to hacking the Flask internals to get what you need. :) What I was thinking was a custom decorator that uses |
Mhh ... Not healthy and stable.
Well. I could hook into the app handlers and then check. This seems easy. |
I really don't think I should be giving you advice on this type of solution based on hacking attributes of the Flask object, because I don't really believe in it. But all I'm going to say is that Flask-HTTPAuth's |
Mh. OK. |
How can I protect arbitrary routes in my webapp with HTTPAuth?
In particular, using flask-apispec (swagger) I just initialize the extension and optionally provide settings on what the routes are, e.g.:
Flask-HTTPAuth only provides decorators for me, so how can I protect those routes that are not declared by me? (Besides only enabling the apispec extension in Development/Testing environments.)