Flask-RESTful and Flask-JWT: User authentication and authorization in Python web applications-Python Tutorial-php.cn

Flask-RESTful and Flask-JWT: User authentication and authorization in Python web applications

WBOY

Release： 2023-06-17 10:42:58

Original

1600 people have browsed it

In modern web applications, user authentication and authorization are very critical security measures. With the popularity and usage of Python, Flask-RESTful and Flask-JWT have become the preferred solutions for user authentication and authorization in Python web applications. This article will introduce in detail the use of Flask-RESTful and Flask-JWT, and how to implement user authentication and authorization in Python web applications.

Introduction to Flask-RESTful

Flask-RESTful is an extension library of Flask that can help quickly build RESTful API interfaces. It provides many useful functions, such as input validation, request parsing, etc. With Flask-RESTful, we can easily build a simple Web API. Here is a simple example:

from flask import Flask
from flask_restful import Resource, Api

app = Flask(__name__)
api = Api(app)

class HelloWorld(Resource):
    def get(self):
        return {'hello': 'world'}

api.add_resource(HelloWorld, '/')

if __name__ == '__main__':
    app.run(debug=True)

Copy after login

In this example, we create a resource named HelloWorld and add it to api in the object. Finally, we can access the HelloWorld resource through the / route. When we access the / route, call the get method of the HelloWorld resource and return a JSON response {'hello': 'world'}.

Introduction to Flask-JWT

Flask-JWT is another extension library for Flask for implementing JSON Web Token (JWT) authentication in web applications. JWT is an open standard for securely transmitting information between users and servers. It is based on JSON and usually consists of three parts, namely header, payload and signature. The header contains the JWT type and algorithm information used, the payload contains the data information that needs to be transmitted, and the signature is used to verify whether the data is correct. Flask-JWT simplifies the generation and verification of JWT, making it easier to implement user authentication in web applications. Here is a simple example:

from flask import Flask
from flask_jwt import JWT, jwt_required, current_identity
from werkzeug.security import safe_str_cmp

app = Flask(__name__)
app.config['SECRET_KEY'] = 'super-secret'

class User(object):
    def __init__(self, id, username, password):
        self.id = id
        self.username = username
        self.password = password

    def __str__(self):
        return f"User(id='{self.id}', username='{self.username}')"

users = [
    User(1, 'user1', 'password'),
    User(2, 'user2', 'password')
]

username_table = {u.username: u for u in users}
userid_table = {u.id: u for u in users}

def authenticate(username, password):
    user = username_table.get(username, None)
    if user and safe_str_cmp(user.password.encode('utf-8'), password.encode('utf-8')):
        return user

def identity(payload):
    user_id = payload['identity']
    return userid_table.get(user_id, None)

jwt = JWT(app, authenticate, identity)

@app.route('/protected')
@jwt_required()
def protected():
    return {'hello': current_identity.username}

if __name__ == '__main__':
    app.run(debug=True)

Copy after login

In this example, we first define a User class to store the user's authentication information. In the authenticate function, enter a username and password, and the function will return a user object. In the identity function, enter a jwt payload, and the function will return a user object based on the user id in the jwt. By calling the JWT constructor, we add a custom authentication method and a custom user identification method to the application. Finally, the @jwt_required decorator is used in the protected route's decorator to ensure that only authenticated users can access protected resources.

The combination of Flask-RESTful and Flask-JWT

We can use Flask-RESTful and Flask-JWT together to implement a complete web application, including user authentication and authorization mechanisms. The following is a simple example:

from flask import Flask
from flask_restful import Resource, Api, reqparse
from flask_jwt import JWT, jwt_required, current_identity
from werkzeug.security import safe_str_cmp

app = Flask(__name__)
app.config['SECRET_KEY'] = 'super-secret'
api = Api(app)

class User(object):
    def __init__(self, id, username, password):
        self.id = id
        self.username = username
        self.password = password

    def __str__(self):
        return f"User(id='{self.id}', username='{self.username}')"

users = [
    User(1, 'user1', 'password'),
    User(2, 'user2', 'password')
]

username_table = {u.username: u for u in users}
userid_table = {u.id: u for u in users}

def authenticate(username, password):
    user = username_table.get(username, None)
    if user and safe_str_cmp(user.password.encode('utf-8'), password.encode('utf-8')):
        return user

def identity(payload):
    user_id = payload['identity']
    return userid_table.get(user_id, None)

jwt = JWT(app, authenticate, identity)

class HelloWorld(Resource):
    def get(self):
        return {'hello': 'world'}

class Secret(Resource):
    @jwt_required()
    def get(self):
        return {'secret': 'resource', 'user': current_identity.username}

class Login(Resource):
    def post(self):
        parser = reqparse.RequestParser()
        parser.add_argument('username', type=str, help='Username cannot be blank', required=True)
        parser.add_argument('password', type=str, help='Password cannot be blank', required=True)
        args = parser.parse_args()
        
        user = authenticate(args['username'], args['password'])
        if user:
            return {'access_token': jwt.jwt_encode_callback({'identity': user.id})}
        else:
            return {'message': 'Invalid username or password'}, 401

api.add_resource(HelloWorld, '/')
api.add_resource(Secret, '/secret')
api.add_resource(Login, '/login')

if __name__ == '__main__':
    app.run(debug=True)

Copy after login

In this example, in addition to defining the HelloWorld resource, we also define the Secret resource and Loginresource. In the Secret resource, pass the @jwt_required decorator to ensure that only authenticated users have access. In the Login resource, we parse the POST request and use the authenticate function to verify the user's identity information. If the verification is successful, the JWT token is returned, otherwise a 401 status code is returned. Finally, we added all the resources to the api object and started the web application using Flask's run method.

Summary

In Python web application development, Flask-RESTful and Flask-JWT are very useful extension libraries. Through them, we can easily build and secure Web APIs and add user authentication and authorization mechanisms to web applications. Using Flask-RESTful and Flask-JWT can reduce our development time and development costs, making it easier for us to implement the functions of web applications.

The above is the detailed content of Flask-RESTful and Flask-JWT: User authentication and authorization in Python web applications. For more information, please follow other related articles on the PHP Chinese website!