add HTTPCookieAuth for token auth in req cookies #166
Conversation
Not really. This would allow any JS code that runs in your page (like code for one of your dependencies or code that was injected by a malicious user) to send authenticated requests to your server. |
src/flask_httpauth.py
Outdated
| @@ -195,6 +195,50 @@ def ensure_sync(self, f): | |||
| return f | |||
|
|
|||
|
|
|||
| class HTTPCookieAuth(HTTPAuth): | |||
| def __init__(self, scheme=None, realm=None, cookie_name=None): | |||
| super(HTTPCookieAuth, self).__init__(scheme or 'Bearer', realm, cookie_name) | |||
There was a problem hiding this comment.
What is the purpose of scheme or realm when using cookies?
There was a problem hiding this comment.
Scheme mimics the behavior from HTTPTokenAuth with a user-specified header so that when scheme='ApiKey' the entire cookie value is treated as the token. When scheme is any other, the value of the cookie is expected to be a space-delimited value like '<Scheme> <Token>'. Realm isn't used for authentication, but will be passed along in WWW-Authenticate if auth fails.
Yes, good feedback. I should have said that a cookie with those flags helps defend specifically against credential-stealing XSS attacks. Thanks for approving the run. I forgot to lint before submitting this PR, so let me fix that. |
|
|
||
| @cookie_auth.error_handler | ||
| def error_handler(): | ||
| return 'error', 401, {'WWW-Authenticate': 'MyToken realm="Foo"'} |
There was a problem hiding this comment.
This is really not something I can agree with. Here you are mixing your own custom authentication implementation based on cookies with parts of the HTTP Authentication standard, which uses the Authorization header as vehicle for the client to send credentials. There is no good reason to return the WWW-Authenticate header that I can see and I have never seen any implementation that does it.
| @@ -195,6 +195,49 @@ def ensure_sync(self, f): | |||
| return f | |||
|
|
|||
|
|
|||
| class HTTPCookieAuth(HTTPAuth): | |||
| def __init__(self, scheme=None, realm=None, cookie_name=None): | |||
There was a problem hiding this comment.
Scheme and Realm apply to HTTP Authentication. I don't see how they help when using cookies.
| return self.ensure_sync(self.verify_cookie_callback)(cookie) | ||
|
|
||
| def get_auth(self): | ||
| expected_cookie_name = self.cookie_name or 'Authorization' |
There was a problem hiding this comment.
Using a cookie named Authorization is confusing. Does anybody do this? I have never seen it.
|
Hi, thanks for the PR! I'm trying to see how this can benefit other users. What would be the benefit of using a home grown cookie-based authentication that you disguise as being somewhat similar to HTTP Authentication, instead of using what everybody uses with Flask, which is Flask-Login? This isn't more (or less) secure than Flask-Login, so why not go with the solution most people use? I've asked above, I would be curious to know if there is any implementations out there that use a solution like the one you are proposing. |
|
Hi Miguel, I really only needed the The behavior of the WWW-Authenticate header and the scheme/realm is because I was trying to keep all the tests passing after starting with the tests for Thanks for your patience (and sorry for the misguided PR). |
This allows users to create a
HTTPCookieAuth, which is used likeHTTPTokenAuth, but reads the token value from a cookie in the request instead of from an HTTP header.Using a cookie with
httponly=true; samesite=strict; secure=trueflags can be more secure than reading from an HTTP header because the browser will never allow JavaScript to read the token, which defends against XSS attacks sending the token to other servers. It is just sent automatically by the browser along with any request to the site which set the cookie.