145 lines
4.0 KiB
ReStructuredText
145 lines
4.0 KiB
ReStructuredText
Introduction
|
|
============
|
|
|
|
|
|
*Flask-DigestAuth* is an `HTTP Digest Authentication`_ implementation
|
|
for Flask_ applications. It authenticates the user for the protected
|
|
views.
|
|
|
|
HTTP Digest Authentication is specified in `RFC 2617`_.
|
|
|
|
|
|
Why HTTP Digest Authentication?
|
|
-------------------------------
|
|
|
|
*HTTP Digest Authentication* has the advantage that it does not send
|
|
the actual password to the server, which greatly enhances the
|
|
security. It uses the challenge-response authentication scheme. The
|
|
client returns the response calculated from the challenge and the
|
|
password, but not the original password.
|
|
|
|
Log in forms has the advantage of freedom, in the senses of both the
|
|
visual design and the actual implementation. You may implement your
|
|
own challenge-response log in form, but then you are reinventing the
|
|
wheels. If a pretty log in form is not critical to your project, HTTP
|
|
Digest Authentication should be a good choice.
|
|
|
|
Flask-DigestAuth works with Flask-Login_. Log in protection can be
|
|
separated with the authentication mechanism. You can create protected
|
|
Flask modules without knowing the actual authentication mechanisms.
|
|
|
|
|
|
Installation
|
|
------------
|
|
|
|
You can install Flask-DigestAuth with ``pip``:
|
|
|
|
::
|
|
|
|
pip install Flask-DigestAuth
|
|
|
|
You may also install the latest source from the
|
|
`Flask-DigestAuth GitHub repository`_.
|
|
|
|
::
|
|
|
|
pip install git+https://github.com/imacat/flask-digestauth.git
|
|
|
|
|
|
Configuration
|
|
-------------
|
|
|
|
Flask-DigestAuth takes the configuration ``DIGEST_AUTH_REALM`` as the
|
|
realm. The default realm is ``Login Required``.
|
|
|
|
|
|
Setting the Password
|
|
--------------------
|
|
|
|
The password hash of the HTTP Digest Authentication is composed of the
|
|
realm, the username, and the password. Example for setting the
|
|
password:
|
|
|
|
::
|
|
|
|
from flask_digest_auth import make_password_hash
|
|
|
|
user.password = make_password_hash(realm, username, password)
|
|
|
|
The username is part of the hash. If the user changes their username,
|
|
you need to ask their password, to generate and store the new password
|
|
hash.
|
|
|
|
See :func:`flask_digest_auth.algo.make_password_hash`.
|
|
|
|
|
|
Flask-DigestAuth Alone
|
|
----------------------
|
|
|
|
Flask-DigestAuth can authenticate the users alone.
|
|
|
|
See :ref:`example-alone-simple` and :ref:`example-alone-large`.
|
|
|
|
|
|
Flask-Login Integration
|
|
-----------------------
|
|
|
|
Flask-DigestAuth works with Flask-Login_. You can write a Flask
|
|
module that requires log in, without specifying how to log in. The
|
|
application can use either HTTP Digest Authentication, or the log in
|
|
forms, as needed.
|
|
|
|
To use Flask-Login with Flask-DigestAuth,
|
|
``login_manager.init_app(app)`` must be called before
|
|
``auth.init_app(app)``.
|
|
|
|
The currently logged-in user can be retrieved at
|
|
``flask_login.current_user``, if any.
|
|
|
|
See :ref:`example-flask-login-simple` and
|
|
:ref:`example-flask-login-large`.
|
|
|
|
The views only depend on Flask-Login, but not the Flask-DigestAuth.
|
|
You can change the actual authentication mechanism without changing
|
|
the views.
|
|
|
|
|
|
Session Integration
|
|
-------------------
|
|
|
|
Flask-DigestAuth features session integration. The user log in
|
|
is remembered in the session. The authentication information is not
|
|
requested again. This is different to the practice of the HTTP Digest
|
|
Authentication, but is convenient for the log in accounting.
|
|
|
|
|
|
Log In Bookkeeping
|
|
------------------
|
|
|
|
You can register a callback to run when the user logs in, for ex.,
|
|
logging the log in event, adding the log in counter, etc.
|
|
|
|
::
|
|
|
|
@auth.register_on_login
|
|
def on_login(user: User) -> None:
|
|
user.visits = user.visits + 1
|
|
|
|
See :meth:`flask_digest_auth.auth.DigestAuth.register_on_login`.
|
|
|
|
|
|
Log Out
|
|
-------
|
|
|
|
Flask-DigestAuth supports log out. The user will be prompted for the
|
|
new username and password.
|
|
|
|
See :meth:`flask_digest_auth.auth.DigestAuth.logout`.
|
|
|
|
|
|
.. _HTTP Digest Authentication: https://en.wikipedia.org/wiki/Digest_access_authentication
|
|
.. _RFC 2617: https://www.rfc-editor.org/rfc/rfc2617
|
|
.. _Flask: https://flask.palletsprojects.com
|
|
.. _Flask-Login: https://flask-login.readthedocs.io
|
|
.. _Flask-DigestAuth GitHub repository: https://github.com/imacat/flask-digestauth
|