Flask Authorization
What is authorization in Flask?
Authorization in Flask refers to controlling what authenticated users can and cannot do in the application. While authentication verifies the identity of the user, authorization determines whether the user has the necessary permissions to access certain resources or perform specific actions.
What is the difference between authentication and authorization?
Authentication confirms the identity of a user (i.e., "Who are you?"), typically through credentials like a username and password. Authorization determines what actions a user is allowed to perform or what resources they can access (i.e., "What can you do?"). Authentication happens before authorization, and both work together to ensure secure access to the system.
How do you implement role-based access control (RBAC) in Flask?
Role-Based Access Control (RBAC) allows you to assign roles to users and authorize access to resources based on their roles. This can be implemented by storing roles in the user model and checking the user's role before granting access to a route.
Example of role-based access control:
from flask import Flask, jsonify, request
from functools import wraps
app = Flask(__name__)
users = {
"admin": {"password": "adminpass", "role": "admin"},
"user": {"password": "userpass", "role": "user"}
}
def check_role(required_role):
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
username = request.authorization['username']
user = users.get(username)
if user and user['role'] != required_role:
return jsonify({'message': 'Access denied!'}), 403
return f(*args, **kwargs)
return decorated_function
return decorator
@app.route('/admin', methods=['GET'])
@check_role('admin')
def admin_page():
return jsonify({'message': 'Welcome to the admin page!'})
@app.route('/user', methods=['GET'])
@check_role('user')
def user_page():
return jsonify({'message': 'Welcome to the user page!'})
if __name__ == '__main__':
app.run(debug=True)
In this example, a custom decorator check_role() checks the user's role before granting access to the /admin and /user routes. Only users with the correct role can access these routes.
How do you implement role-based access control using Flask-JWT-Extended?
With Flask-JWT-Extended, you can include roles in the JWT token payload and check the user's role when accessing protected routes. This allows you to control access based on the user's role.
Example of role-based access control with JWT:
from flask import Flask, jsonify
from flask_jwt_extended import JWTManager, create_access_token, jwt_required, get_jwt
app = Flask(__name__)
app.config['JWT_SECRET_KEY'] = 'super-secret'
jwt = JWTManager(app)
users = {
"admin": {"password": "adminpass", "role": "admin"},
"user": {"password": "userpass", "role": "user"}
}
@app.route('/login', methods=['POST'])
def login():
username = request.json.get('username')
password = request.json.get('password')
user = users.get(username)
if not user or user['password'] != password:
return jsonify({'message': 'Invalid credentials'}), 401
access_token = create_access_token(identity=username, additional_claims={'role': user['role']})
return jsonify(access_token=access_token), 200
@app.route('/admin', methods=['GET'])
@jwt_required()
def admin_page():
claims = get_jwt()
if claims['role'] != 'admin':
return jsonify({'message': 'Access denied'}), 403
return jsonify({'message': 'Welcome to the admin page!'})
if __name__ == '__main__':
app.run(debug=True)
In this example, the user's role is included in the JWT token. The /admin route checks the role from the token before granting access.
How do you implement permission-based authorization in Flask?
Permission-based authorization controls access to resources based on specific actions a user can perform. Unlike role-based access control, which is broad, permission-based access control focuses on granular control of individual actions.
Example of permission-based authorization:
permissions = {
'admin': ['create', 'read', 'update', 'delete'],
'editor': ['read', 'update'],
'viewer': ['read']
}
def check_permission(permission):
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
username = request.authorization['username']
user_permissions = permissions.get(users[username]['role'], [])
if permission not in user_permissions:
return jsonify({'message': 'Permission denied!'}), 403
return f(*args, **kwargs)
return decorated_function
return decorator
@app.route('/create', methods=['POST'])
@check_permission('create')
def create_resource():
return jsonify({'message': 'Resource created'}), 201
@app.route('/read', methods=['GET'])
@check_permission('read')
def read_resource():
return jsonify({'message': 'Resource read'}), 200
In this example, the check_permission() decorator checks if the user has the required permission to access the route, such as creating or reading resources.
How do you handle access control with Flask-Principal?
Flask-Principal is an extension for Flask that provides a robust framework for managing user identities, roles, and permissions. It allows you to define roles and control access to routes based on those roles.
Example of access control with Flask-Principal:
from flask import Flask, jsonify
from flask_principal import Principal, Permission, RoleNeed
app = Flask(__name__)
principals = Principal(app)
admin_permission = Permission(RoleNeed('admin'))
@app.route('/admin', methods=['GET'])
@admin_permission.require(http_exception=403)
def admin_page():
return jsonify({'message': 'Welcome, admin!'})
if __name__ == '__main__':
app.run(debug=True)
In this example, the admin_permission allows access to the /admin route only to users with the "admin" role. If the user does not have the required role, a 403 Forbidden error is returned.
How do you restrict access to specific HTTP methods in Flask?
Flask allows you to restrict access to specific HTTP methods for a route using role-based or permission-based authorization. You can create a decorator that checks the user's permissions and grants access based on the HTTP method.
Example of restricting access to the POST method:
def check_permission_for_method(method):
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
username = request.authorization['username']
user_permissions = permissions.get(users[username]['role'], [])
if method not in user_permissions:
return jsonify({'message': 'Permission denied!'}), 403
return f(*args, **kwargs)
return decorated_function
return decorator
@app.route('/resource', methods=['POST', 'GET'])
@check_permission_for_method('create')
def create_resource():
return jsonify({'message': 'Resource created'}), 201
In this example, the check_permission_for_method() decorator ensures that the user has the "create" permission before allowing access to the POST method.
How do you revoke user access in Flask?
To revoke a user's access, you can either modify their role or permissions in your data store, or, in the case of token-based authentication, you can revoke their tokens by blacklisting them.
Example of token revocation using Flask-JWT-Extended:
blacklist = set()
@jwt.token_in_blocklist_loader
def check_if_token_in_blacklist(jwt_header, jwt_payload):
return jwt_payload['jti'] in blacklist
@app.route('/revoke', methods=['POST'])
@jwt_required()
def revoke_token():
jti = get_jwt()['jti']
blacklist.add(jti)
return jsonify({'message': 'Token revoked'}), 200
In this example, the token's unique identifier (JTI) is added to the blacklist during revocation, preventing the user from accessing any protected routes.
How do you manage session-based authorization in Flask?
In session-based authorization, access is controlled by checking the user's session data stored on the server. You can assign roles or permissions when the user logs in and store this information in the session, which can be checked later to authorize access to protected routes.
Example of session-based authorization:
from flask import Flask, session, redirect, url_for, jsonify
app = Flask(__name__)
app.secret_key = 'supersecretkey'
users = {
"admin": {"password": "adminpass", "role": "admin"},
"user": {"password": "userpass", "role": "user"}
}
@app.route('/login', methods=['POST'])
def login():
username = request.json.get('username')
password = request.json.get('password')
user = users.get(username)
if not user or user['password'] != password:
return jsonify({'message': 'Invalid credentials'}), 401
session['username'] = username
session['role'] = user['role']
return jsonify({'message': 'Login successful'}), 200
@app.route('/admin', methods=['GET'])
def admin_page():
if 'role' in session and session['role'] == 'admin':
return jsonify({'message': 'Welcome, admin!'})
return jsonify({'message': 'Access denied!'}), 403
if __name__ == '__main__':
app.run(debug=True)
In this example, the user's role is stored in the session, and access to the /admin route is restricted based on the session role.
How do you implement access control for API resources in Flask?
Access control for API resources can be implemented using token-based authentication, combined with role- or permission-based access control. Flask-RESTful and Flask-JWT-Extended are commonly used for this purpose.
Example of access control for API resources:
from flask_restful import Resource
from flask_jwt_extended import jwt_required, get_jwt
class AdminResource(Resource):
@jwt_required()
def get(self):
claims = get_jwt()
if claims['role'] != 'admin':
return {'message': 'Access denied!'}, 403
return {'message': 'Welcome, admin!'}
api.add_resource(AdminResource, '/admin-resource')
In this example, only users with the "admin" role are allowed to access the /admin-resource route. The role is checked from the JWT token.