flask-htpasswd 0.5.0

Basic authentication support via htpasswd files in flask applications

Flask extension for providing basic digest and token authentication via apache htpasswd files. So largely it fits between Flask-Security which has additional dependencies and Flask-BasicAuth which only allows you to have one user (and also puts the plain text password into the configuration).

Sample usage is to first create an htpasswd file with the apache tool:

htpasswd -c /path/to/.htpasswd my_username

Additional users can be added, or have their passwords changed, by running:

htpasswd /path/to/.htpasswd new_user
htpasswd /path/to/.htpasswd user_I_want_to_change_passwords_for

Then you just need to setup and configure your flask application, with something like:

import flask
from flask_htpasswd import HtPasswdAuth

app = flask.Flask(__name__)
app.config['FLASK_HTPASSWD_PATH'] = '/path/to/.htpasswd'
app.config['FLASK_SECRET'] = 'Hey Hey Kids, secure me!'

htpasswd = HtPasswdAuth(app)


@app.route('/')
@htpasswd.required
def index(user):
    return 'Hello {user}'.format(user=user)

app.run(debug=True)

And that view should now prompt for a username and password (and accept tokens).

If you would like to protect all of your views, that is easy too, just add a little config. By setting app.config['FLASK_AUTH_ALL']=True before initializing the extension, an @app.before_request is added that will require auth for all pages, and it will add the user as flask.g.user.

One last small feature, is that you can also set the authentication realm. The default is ‘Login Required’, but it can be set with app.config['FLASK_AUTH_REALM'] before initialization.

Using Tokens

Tokens are based on the username and password, and thus invalid whenever the user’s password is changed. To get a user password, you can serve it out to the user with something like

import flask
from flask_htpasswd import HtPasswdAuth

app = flask.Flask(__name__)
app.config['FLASK_HTPASSWD_PATH'] = '/path/to/.htpasswd'
app.config['FLASK_SECRET'] = 'Hey Hey Kids, secure me!'
htpasswd = HtPasswdAuth(app)


@app.route('/')
@htpasswd.required
def index(user):
    return flask.jsonify({'token': htpasswd.generate_token(user)})

app.run(debug=True)

It can then be used by the user by adding it to the header of their requests, something like:

import requests

requests.get('http://localhost:5000/', headers={'Authorization': 'token <token>'})

Release Notes

0.5.0

• Switch from itsdangerous to pyjwt

• Renamed FLASK_SECRET into FLASK_SECRET

0.4.0

• Updated for newer language and Flask versions

• Corrected deprecated passlib API call

0.3.0

• Added function to reload user database

• Added user to flask.g with FLASK_AUTH_ALL=True

0.2.0

• Python 3 compatibility

Acknowledgements

This is largely based on a combination of:

• https://flask-basicauth.readthedocs.io/en/latest/

• https://flask.pocoo.org/snippets/8/

• https://blog.miguelgrinberg.com/post/restful-authentication-with-flask

Links

• documentation

• development version