How to skip the httpauth #60

Closed
leon0707 opened this issue Aug 18, 2015 · 3 comments

@leon0707

Suppose that I have logged in to Flasky and want to get resources via the API. How do I use the API without typing in the username and password again? Can I use current_user.is_authenticated() to do it?

```python
@api.before_request
@auth.login_required
def before_request():
    if not g.current_user.is_anonymous and \
            not g.current_user.confirmed:
        return forbidden('Unconfirmed account')
```

@miguelgrinberg
Owner

Yes, you could do that, just remove the Flask-HTTPAuth code and use Flask-Login's current_user to identify the user.

But the problem with your proposed design is that the API would not stand on its own, it would be dependent on having the user logged in to the web application. Any usage of the API outside of the web application would break. Writing APIs this way goes against one of the REST architecture principles, which requires APIs to be stateless.

@leon0707
Author

Thank you Miguel, you are right, and I don't want to remove HTTPAuth either. What I'm trying to do is make the logged-in user get validated without typing in the username and password in the dialog, while users who have not logged in still need to verify their password.

@miguelgrinberg
Owner

@Alex1007 you could generate an API token each time the user requests a page (assuming Flask-Login validates him/her successfully). The token could be written to the page as JavaScript code. Then if the client side app in the page needs to make a call, it has the token readily available.

I think this solution is nice because it keeps the API pure, but provides a simplified workflow for the web application.
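The token workflow suggested in the last comment, as an added example that is not part of the thread or the project's code: a short-lived signed token is issued while rendering a page for a session-validated user, and the stateless API check accepts either that token or a username and password. It uses only the standard library; the secret, user table, token format, the SHA-256 stand-in for password hashing and the "empty password means token" convention are all assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-demo-key"  # assumption: replace with the app's secret
TOKEN_TTL = 600  # seconds; kept short because the token is embedded in a page
# Constructed user table; SHA-256 is a stand-in for the app's real password hasher.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(username, now=None):
    """Call while rendering a page for a user the login session already validated."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    body = json.dumps({"u": username, "exp": expires}).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    return payload + "." + _sign(payload)

def verify_token(token, now=None):
    """Return the username for a valid, unexpired token, else None."""
    payload, _, sig = token.partition(".")
    # Compare as bytes so attacker-supplied non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    if data["exp"] < (time.time() if now is None else now):
        return None
    return data["u"]

def verify_credentials(username_or_token, password):
    """Stateless API check: token with an empty password, or username + password."""
    if password == "":
        return verify_token(username_or_token)
    stored = USERS.get(username_or_token)
    given = hashlib.sha256(password.encode()).hexdigest()
    if stored is not None and hmac.compare_digest(stored, given):
        return username_or_token
    return None

def token_script(username):
    """JavaScript line for the page template; escaping '<' prevents script breakout."""
    return "var apiToken = %s;" % json.dumps(issue_token(username)).replace("<", "\\u003c")
```

Because the API never reads the login session, clients outside the web application keep working with username and password, while the page's own script sends the embedded token.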
