In modern web applications, user authentication and authorization are very critical security measures. With the popularity and usage of Python, Flask-RESTful and Flask-JWT have become the preferred solutions for user authentication and authorization in Python web applications. This article will introduce in detail the use of Flask-RESTful and Flask-JWT, and how to implement user authentication and authorization in Python web applications.
Introduction to Flask-RESTful
Flask-RESTful is an extension library of Flask that can help quickly build RESTful API interfaces. It provides many useful functions, such as input validation, request parsing, etc. With Flask-RESTful, we can easily build a simple Web API. Here is a simple example:
from flask import Flask from flask_restful import Resource, Api app = Flask(__name__) api = Api(app) class HelloWorld(Resource): def get(self): return {'hello': 'world'} api.add_resource(HelloWorld, '/') if __name__ == '__main__': app.run(debug=True)
In this example, we create a resource namedHelloWorldand add it toapiin the object. Finally, we can access theHelloWorldresource through the/route. When we access the/route, call thegetmethod of theHelloWorldresource and return a JSON response{'hello': 'world'}.
Introduction to Flask-JWT
Flask-JWT is another extension library for Flask for implementing JSON Web Token (JWT) authentication in web applications. JWT is an open standard for securely transmitting information between users and servers. It is based on JSON and usually consists of three parts, namely header, payload and signature. The header contains the JWT type and algorithm information used, the payload contains the data information that needs to be transmitted, and the signature is used to verify whether the data is correct. Flask-JWT simplifies the generation and verification of JWT, making it easier to implement user authentication in web applications. Here is a simple example:
from flask import Flask from flask_jwt import JWT, jwt_required, current_identity from werkzeug.security import safe_str_cmp app = Flask(__name__) app.config['SECRET_KEY'] = 'super-secret' class User(object): def __init__(self, id, username, password): self.id = id self.username = username self.password = password def __str__(self): return f"User(id='{self.id}', username='{self.username}')" users = [ User(1, 'user1', 'password'), User(2, 'user2', 'password') ] username_table = {u.username: u for u in users} userid_table = {u.id: u for u in users} def authenticate(username, password): user = username_table.get(username, None) if user and safe_str_cmp(user.password.encode('utf-8'), password.encode('utf-8')): return user def identity(payload): user_id = payload['identity'] return userid_table.get(user_id, None) jwt = JWT(app, authenticate, identity) @app.route('/protected') @jwt_required() def protected(): return {'hello': current_identity.username} if __name__ == '__main__': app.run(debug=True)
In this example, we first define aUserclass to store the user's authentication information. In theauthenticatefunction, enter a username and password, and the function will return a user object. In theidentityfunction, enter a jwt payload, and the function will return a user object based on the user id in the jwt. By calling theJWTconstructor, we add a custom authentication method and a custom user identification method to the application. Finally, the@jwt_requireddecorator is used in theprotectedroute's decorator to ensure that only authenticated users can access protected resources.
The combination of Flask-RESTful and Flask-JWT
We can use Flask-RESTful and Flask-JWT together to implement a complete web application, including user authentication and authorization mechanisms. The following is a simple example:
from flask import Flask from flask_restful import Resource, Api, reqparse from flask_jwt import JWT, jwt_required, current_identity from werkzeug.security import safe_str_cmp app = Flask(__name__) app.config['SECRET_KEY'] = 'super-secret' api = Api(app) class User(object): def __init__(self, id, username, password): self.id = id self.username = username self.password = password def __str__(self): return f"User(id='{self.id}', username='{self.username}')" users = [ User(1, 'user1', 'password'), User(2, 'user2', 'password') ] username_table = {u.username: u for u in users} userid_table = {u.id: u for u in users} def authenticate(username, password): user = username_table.get(username, None) if user and safe_str_cmp(user.password.encode('utf-8'), password.encode('utf-8')): return user def identity(payload): user_id = payload['identity'] return userid_table.get(user_id, None) jwt = JWT(app, authenticate, identity) class HelloWorld(Resource): def get(self): return {'hello': 'world'} class Secret(Resource): @jwt_required() def get(self): return {'secret': 'resource', 'user': current_identity.username} class Login(Resource): def post(self): parser = reqparse.RequestParser() parser.add_argument('username', type=str, help='Username cannot be blank', required=True) parser.add_argument('password', type=str, help='Password cannot be blank', required=True) args = parser.parse_args() user = authenticate(args['username'], args['password']) if user: return {'access_token': jwt.jwt_encode_callback({'identity': user.id})} else: return {'message': 'Invalid username or password'}, 401 api.add_resource(HelloWorld, '/') api.add_resource(Secret, '/secret') api.add_resource(Login, '/login') if __name__ == '__main__': app.run(debug=True)
In this example, in addition to defining theHelloWorldresource, we also define theSecretresource andLoginresource. In theSecretresource, pass the@jwt_requireddecorator to ensure that only authenticated users have access. In theLoginresource, we parse the POST request and use theauthenticatefunction to verify the user's identity information. If the verification is successful, the JWT token is returned, otherwise a 401 status code is returned. Finally, we added all the resources to theapiobject and started the web application using Flask'srunmethod.
Summary
In Python web application development, Flask-RESTful and Flask-JWT are very useful extension libraries. Through them, we can easily build and secure Web APIs and add user authentication and authorization mechanisms to web applications. Using Flask-RESTful and Flask-JWT can reduce our development time and development costs, making it easier for us to implement the functions of web applications.
The above is the detailed content of Flask-RESTful and Flask-JWT: User authentication and authorization in Python web applications. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
