我正在尝试在我的烧瓶应用程序中进行身份验证。登录后,用户将被重定向到受保护的端点/表单。但每次我被重定向时我都会收到消息
{
"msg": "Missing Authorization Header"
}
现在我正在通过参数进行授权,但这不是一个好的方法。
app = Flask(__name__)
app.config['JWT_SECRET_KEY'] = 'super-secret'
app.config['SECRET_KEY'] = 'your_secret_key_here'
jwt = JWTManager(app)
@app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
username = request.form.get('username')
password = request.form.get('password')
if not username or not password:
return jsonify({"msg": "Missing username or password"}), 400
if authenticate(username, password):
access_token = create_access_token(identity={'username': username})
tokens[username] = access_token
response = redirect(url_for('forms', username=username, access_token=access_token))
response.headers['Authorization'] = 'Bearer ' + access_token
return response
return redirect(url_for('forms', username=username, access_token=access_token))
else:
return jsonify({"msg": "Invalid username or password"}), 401
else:
return render_template('login.html')
def check_key_and_token(username, access_token):
if username not in tokens.keys():
return jsonify({"msg": "Invalid username"}), 401
if not access_token:
return jsonify({"msg": "Missing token"}), 401
if access_token == tokens[username]:
return True
else:
return jsonify({"msg": "Invalid token"}), 401
@app.route('/<username>/forms', methods=['GET', 'POST'])
@jwt_required()
def forms(username):
access_token = request.args.get('access_token')
if check_key_and_token(username, access_token) is not True:
return check_key_and_token(username, access_token)
if request.method == 'POST':
input_text = request.form.get('input_text')
return redirect(url_for('weather', username=username, access_token=access_token, city=input_text))
else:
return render_template('forms.html')
```
Does anybody know how to make it work?
安全方面有一条通用原则,即不应重新发明某些东西,因为你可能会把它搞砸(不是说你不擅长,而是太容易搞砸了)。我建议使用像 Flask_login 这样的包。