I'm currently working on a small tool which uses a login based on Google OAuth 2.0. My server is written in Python and uses Flask.
Following Google's Python implementation, the credentials are stored in a session object:
https://developers.google.com/identity/protocols/oauth2/web-server#python
I'm confused by the fact that the session object also stores the client_secret which is then transmitted to the end-user as part of the cookie. As far as I understand, a Flask session cookie should never be used to store sensitive data.
Any thoughts on this? What's a secure way of storing all necessary data in a session to make multiple queries to the Google APIs?
I have seen approaches using Flask-Session but I'd like to avoid running a separate Redis/memcached service or storing all cookies on disk.
Thanks & best regards,
Fabian
Related
I have recently started learning Python. I am currently trying to build a simple Web Application that requires a login to access some paths.
I understand that this can be achieved by using something like session['user']=user_id in Flask.
Can somebody help me with how exactly this works? Like where does Flask store the sessions if not in the database table?
It stores it in a cookie on the client side. From the official documentation:
This is implemented on top of cookies for you and signs the cookies cryptographically. What this means is that the user could look at the contents of your cookie but not modify it, unless they know the secret key used for signing.
If you need server-side session store, there is an extension called Flask-Sessionstore that lets you choose the method of storage, including server-side DBs.
I'm trying to submit a query into Google's BigQuery and retrieve results - all from a python script. While there's straightforward documentation on doing so, the only option that I've found for querying from private tables/collections is to use an authorization code. However, this python script is utilized via a webpage used by users who know nothing about code - therefore there is no room to get/submit authorization codes, as the user simply uses the webpage and python script by clicking a few buttons. Is there any way to get the authorization code and submit it behind the scenes, or to query a private table without an authorization code altogether (best option)? Thanks so much!
You can use a service account:
Client libraries can use Application Default Credentials to easily
authenticate with Google APIs and send requests to those APIs. With
Application Default Credentials, you can test your application locally
and deploy it without changing the underlying code
https://cloud.google.com/bigquery/authentication#bigquery-authentication-python
I'm building a little application in Python. I use PySide for the GUI and Django to read data from my web application.
Everything works well, but I have a login access, like dropbox application.
I want to store this informations on the current machine (like a session, I don't want to login every time I open the application).
Now my question is, what is the safest way to do this? Environment variables?
Usually when you have an API that you're exposing in your app to the outer world (even your own desktop/mobile app), you'll design this API to be stateless, as part of the REST architecture. So your app should always include an HTTP header or any other method of carrying an authentication token that will let your API identify the user.
You only log in once, and when the log-in procedure is successful you should get an authentication token from your API, and then you will store this token somewhere safe.
You can also look into implementing OAuth2 for the authentication.
I am trying to create some Glassware with the Mirror API. I am new to using AppEngine and Jinja2. I have python experience but never with a web framework before. So basically I am very new at this.
I have modified the Python quickstart for the mirror API to include many of my endpoints and designs. Basically I want to be able to be able to POST data from a constrained device to Glass. I have an endpoint all setup which works to accept and parse out the data and send the timeline item.
My problem is that the device itself is acting all on it's own and cannot provide input, therefore when I call my app from it e.g. https://foo.appspot.com?operation=deviceData the app presents the auth page and then nothing happens. I can see in the logs that the auth page is being sent, but the device has no idea what to do with this.
Basically, I need a way where I can hardcode credentials and get around having to do oauth everytime. What is the recommended way to do this? Another app which doesn't require auth which passes the data along? This would be fine as I only need to set this up with one user right now, it is for an internal demo only.
Is it possible to set my credentials in a header and auth automatically without handling any return, more like how basic auth works?
There are also the "Simple API access" keys. Would these work in this situation, I tried creating browser and server keys and tried them on the device and in the browser by doinghttps://foo.appspot.com?operation=deviceData&key=KEY_HERE but in both cases I was still prompted to login. Is this what simple access keys are for? Do they not work with the mirror API?
Basically my question is, what's the easiest way to allow access to my apps endpoints without having to oAuth or having a hard coded user which auto-auths?
Here is the project that I started with: https://github.com/googleglass/mirror-quickstart-python
I am pretty new to web development. I am working with Flask, Sqlalchemy and Postgresql.
As far as I have understood, every new request is like a new thread of the program. New sqlalchemy session is created using which we manage our db operations and return a response. After that new thread is also closed and connections returned to the pool.
I login a user and get all user data in an user orm object. I stored it in flask session variable which uses cookie. Now I also want to save some other user related data for the span of whole user session not a request. I have doubts storing all that data in a cookie for 2 reasons:
1. Unnecessary data travel back and forth.
2. data can be read easily.
Are my doubts valid?
So my other questions are :
Am I right on some level to avoid getting some session wide data in each request without getting into the trap of premature optimization?
or
Should I worry about this later when need arises and right now concentrate only on creating a working app?
Alternative to cookie based session is server side session which can be done by using redis or memcache. Where does Beaker library comes into this? Is it a standalone thing or to be used in conjunction with redis or memcache?
Most browsers support cookies of up to 4096 bytes. (Source)
If you want to save more than this than you should use a server-side session backend like Redis or Memcache. It's very easy to replace the default cookie session interface of Flask with a Redis or Memcache interface. There is a great snippet for redis by Armin. If you prefere memcache than you can replace the redis stuff of the snippet with the same memcache methods. ;)