Description
I am developing a mobile application lately with Swift on iOS, with a provided and working back-end written in Python with the Flask framework. The back-end project utilises a set of plugins named flask-security to handle login and user-related work.

This is an awesome plugin that works right out of the box. Little to no configuration is needed and it works like a charm on the web page. It uses session-based authentication: the key to the user's session is stored in the browser as a cookie, which expires after a certain amount of time for security purposes.

Although session-based authentication is a viable way to set up a web application, it poses problems for a mobile client, which does not keep cookies the way a browser does and should not store the user's password and resend it in every HTTP request.
Initial Solution
Therefore, we need a token-based authentication method, where a JSON Web Token (JWT) is issued the first time we log in. For all following requests, we send this JWT in a request header as proof that the request is legitimate. For our particular plugin, flask-security, this is done by sending an application/json request instead of an x-www-form-urlencoded one to the login endpoint.
BUT…
But the problem is not that simple. This is where Cross-Site Request Forgery (CSRF) comes into play. If we allow clients to authenticate simply by sending a JSON request with username and password, any other website can fake that request and make malicious requests on the user's behalf. How do we deal with this and have token-based authentication with CSRF protection at the same time?
More
For more information, check out
- Flask-Security 3.0.0 Features