I set up Flask-Security for my single-page app - and ran into the CSRFToken issue that a lot of people have had (Flask-Security CSRF token). From my web app, I put the CSRFToken in HTML, scrape the page to find it, and use it to send in my login request from Angular as a request header in my POST.
This works out well, however, what is the procedure to protect APIs if I'm accessing them via ajax from a mobile app? Because what I would assume I need to do is to first login from the mobile app, store my auth_token, and use that on subsequent API calls.
The problem here... Do I need to do a get on my /login page, scrape for CSRF token, use that to send a login request to my server, get the auth token first?? Scraping HTML for a CSRF token from mobile apps over REST seems kinda sketch.
Also, quick aside: I'm not sure if I should guard APIs as:
@login_required
/api/v1/foo
or
@auth_token_required
/api/v1/foo
I am not sure flask-security has been designed to protect APIs. CSRF Token has been designed to protect your login form from automated login. If this is really what you want, you would probably be better off disabling it (but this is probably a bad idea).
Take a look at how others have protected their APIs. To my knowledge, nobody uses a password scheme to protect a mobile API. You should probably generate a unique key for each user and have your mobile app pass this key in a header to your API HTTP calls.
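As an added illustration of the "per-user key in a header" approach the answer recommends (example code written for this page, not from the question, the answer, or Flask-Security itself): a stdlib-only WSGI app that guards /api/v1/foo with an Authentication-Token header, the header name Flask-Security's auth_token_required reads by default. The key store, the user "alice" and the in-process test client are constructed here as assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key store: SHA-256 digest of the key -> user id. Only digests are
# stored, so a leaked table does not hand out working API keys.
KEY_DIGESTS = {}


def issue_api_key(user_id):
    """Generate a random per-user key (what a mobile login would return)."""
    key = secrets.token_urlsafe(32)
    KEY_DIGESTS[hashlib.sha256(key.encode()).hexdigest()] = user_id
    return key


def user_for_key(presented):
    """Resolve a presented key to a user id, comparing in constant time."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored, user_id in KEY_DIGESTS.items():
        if hmac.compare_digest(stored, digest):
            return user_id
    return None


def api_app(environ, start_response):
    """WSGI app: the API accepts the token header only, never a session cookie.

    Because browsers never attach a custom header to a cross-site form post,
    a cookie-less token check needs no CSRF token for this endpoint."""
    if environ.get("PATH_INFO") != "/api/v1/foo":
        start_response("404 Not Found", [("Content-Type", "application/json")])
        return [b"{}"]
    user_id = user_for_key(environ.get("HTTP_AUTHENTICATION_TOKEN", ""))
    if user_id is None:
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"error": "missing or invalid Authentication-Token"}']
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"user": user_id, "foo": "bar"}).encode()]


def call(app, path, headers):
    """Minimal in-process client: build a WSGI environ, return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in headers.items():  # e.g. Authentication-Token -> HTTP_AUTHENTICATION_TOKEN
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}
    body = b"".join(app(environ, lambda status, hdrs: captured.update(status=status)))
    return captured["status"], body
```

A request carrying only a session cookie is rejected, which is the property that lets the mobile client skip scraping a CSRF token while the browser SPA keeps its session-plus-CSRF flow.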