Understanding the steps to add authentication and permissions

Our current version of the API processes all incoming requests without requiring any kind of authentication. We will use a Flask extension and other packages to apply an HTTP authentication scheme that identifies the user who originated the request or the token that signed it. Then, we will use these credentials to apply the permissions that determine whether the request is allowed or denied. Unfortunately, neither Flask nor Flask-RESTful provides an authentication framework that we can simply plug in and configure. Thus, we will have to write code to perform many of the tasks related to authentication and permissions.

We want to be able to create a new user without any authentication. However, all the other API calls are only going to be available for authenticated users.

First, we will install a Flask extension to make it easier for us to work with HTTP authentication, Flask-HTTPAuth, and a package to allow us to hash a password and check whether a provided password is valid or not, passlib.

We will create a new User model that will represent a user. The model will provide methods to allow us to hash a password and verify whether a password provided for a user is valid or not. We will create a UserSchema class to specify how we want to serialize and deserialize a user.

Then, we will configure the Flask extension to work with our User model to verify passwords and to set the authenticated user associated with a request. We will make changes to the existing resources to require authentication, and we will add new resources that allow us to retrieve existing users and create a new one. Finally, we will configure the routes for the resources related to users.

Once we have completed the previously mentioned tasks, we will run migrations to generate the new table that persists the users in the database. Then, we will compose and send HTTP requests to understand how the authentication and permissions work with our new version of the API.

Make sure you quit the Flask development server. Remember that you just need to press Ctrl + C in the terminal or Command Prompt window in which it is running. The commands that follow are the same on macOS, Linux, and Windows. We could install all the necessary packages with pip in a single command; however, we will run two independent commands to make it easier to detect the problem if a specific installation fails.

Now, we must run the following command to install Flask-HTTPAuth with pip. This package makes it easy to add HTTP Basic and Digest authentication to any Flask application:

pip install Flask-HTTPAuth

The last lines of the output will indicate that the Flask-HTTPAuth package has been successfully installed (the version number will vary with the release current at the time you run the command):

Installing collected packages: Flask-HTTPAuth
  Running setup.py install for Flask-HTTPAuth
Successfully installed Flask-HTTPAuth-3.2.1

Run the following command to install passlib with pip. This popular package provides a comprehensive password hashing framework that supports more than 30 schemes. We definitely don't want to write our own error-prone and probably highly insecure password hashing code, and therefore, we will take advantage of a library that provides these services:

pip install passlib

The last lines of the output will indicate that the passlib package has been successfully installed (again, the version number may differ):

Installing collected packages: passlib
Successfully installed passlib-1.6.5