This project is a full implementation of token-based (JWT) authentication for Flask, everything but the frontend. Loosely based on Twitter, it shows how to conditionally protect routes for the following functions:
- Creating a post
- Getting a personal "timeline" of posts
- Following other users
- Deleting posts
Note: While the Auth and App servers are combined here, the two services could run separately, because JWTs are stateless. (Just make sure both systems have the same secret key at deployment: the tokens are HS256, a symmetric HMAC signature, so whoever holds the key can both issue and verify them.)
Credit: Mark Macneil
The first step, which at this point is completely unprotected, is to create an account at the /signup route with the following payload:

```json
{
  "username": "joey2go",
  "password": "bestpass123"
}
```
This step returns nothing to the user except a 200 OK status, assuming the username is available (UNIQUE constraint on the Users table). A row for the user is created in the Users table.
Next, the user logs in with those same credentials at the /login route:

```json
{
  "username": "joey2go",
  "password": "bestpass123"
}
```
If successful, the server returns a bearer token, to be sent in the Authorization header of every subsequent request:

```json
{
  "status": 200,
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjcsImlhdCI6MTY3Mjk2OTAyNywiZXhwIjoxNjcyOTcyNjI3fQ.OFLKAgJzUQ4_p_HT455TaKLmPXRNU-31R_n2GXjLdNs"
}
```
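The following is an added, stand-alone example (not this project's code) of what happens to that token on both sides: how an HS256 token like the one above is issued, and how a protected route should verify it before trusting the `sub` claim. It uses only the standard library so it runs without Flask; the secret key, user id and timestamps are constructed for the example, and the project's real secret is not on this page, so the README token can be decoded but not verified here. Decoding it without the key also shows why a JWT must not carry anything confidential: the payload is plain base64url, and only the signature depends on the secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Token copied from the /login response above (sub=7). Its signing secret is not on the page.
README_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOjcsImlhdCI6MTY3Mjk2OTAyNywiZXhwIjoxNjcyOTcyNjI3fQ."
    "OFLKAgJzUQ4_p_HT455TaKLmPXRNU-31R_n2GXjLdNs"
)


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url without padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # restore the padding that base64url strips
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> dict:
    """Read the claims WITHOUT checking the signature. Anyone holding a token can do this,
    which is why claims are not a place for secrets. Never use this to authorize anything."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def issue_token(secret: bytes, user_id: int, ttl_seconds: int = 3600,
                now: Optional[int] = None) -> str:
    """What /login does after the password check: sign {sub, iat, exp} with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    payload = b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the algorithm is the expected one, the HMAC matches,
    and the token has not expired. Any other outcome is None (reject)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # pin the algorithm: never let the token choose it (rejects "none" and key-confusion tricks)
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # constant-time comparison so a wrong signature leaks nothing through timing
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if "exp" not in claims or now >= int(claims["exp"]):
            return None
        return claims
    except (ValueError, TypeError):
        # wrong number of segments, bad base64, bad JSON, non-numeric exp: all rejected
        return None


def current_user_from_header(secret: bytes, authorization: Optional[str],
                             now: Optional[int] = None) -> Optional[int]:
    """What a protected route (e.g. POST /post) does first: pull the bearer token out of the
    Authorization header and verify it. None means 401, otherwise the caller's user id."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    claims = verify_token(secret, authorization[len("Bearer "):], now=now)
    return None if claims is None else int(claims["sub"])


if __name__ == "__main__":
    secret = b"constructed-secret-for-this-example"  # real deployments: long random value from config
    print("README token claims (unverified):", decode_unverified(README_TOKEN))
    tok = issue_token(secret, user_id=7, now=1000)
    print("verified claims:", verify_token(secret, tok, now=2000))
    print("expired:", verify_token(secret, tok, now=5000))
    print("user from header:", current_user_from_header(secret, "Bearer " + tok, now=2000))
```

Running it prints the README token's claims (sub 7, a one-hour lifetime) even though the secret is unknown, then a fresh token that verifies, fails once expired, and fails under a different key or any change to the payload. The fixed `alg` check and `hmac.compare_digest` are the two details a hand-rolled verifier most often gets wrong; a library such as PyJWT does the same with `jwt.decode(token, key, algorithms=["HS256"])`.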
In progress...
- Database proxy (currently, connection is opened and closed for every query)
- Redesign so that deleting a post puts a marker on it instead of deleting it from the DB
- More secure way to check auth for deleting a post?
- Find a better way to check for method type when overloaded on a single route (/post)