Flask-Login Redirecting to React Client after User has been logged in
I am trying to integrate flask-login with a React application. After the user has been logged in, it appears that flask-login enforces a page redirect.
Since we don't want to redirect to the same page we have to make sure that the actual back redirect is slightly different (only use the submitted data, not the referrer)
Source: https://web.archive.org/web/20120504074405/http://flask.pocoo.org/snippets/62
The difference between what the documentation is showing and what I'm doing is that my client is on a different domain (thus, I will be faced with CORS problems), whereas the documentation's client and server (I assume) on the same domain.
This is evident in this code snippet:
def is_safe_url(target):
ref_url = urlparse(request.host_url)
test_url = urlparse(urljoin(request.host_url, target))
return test_url.scheme in ('http', 'https') and \
ref_url.netloc == test_url.netloc
From above, the function returns true if ref_url.netloc == test_url.netloc (I left out the other portion for simplicity). I looked into the attribute of netloc which turns out to be the domain name without the top-level domain. For example, if the domain name is: domain.com, then the netloc would be domain.
However, for my scenario, that won't work.
For example, frontend: www.frontend.com backend: www.backend.com
The request to login to backend should redirect back to say, www.frontend.com/home. Based off the code presented in the documentation, it would never redirect to the intended destination. So I tried to modify the code a bit and got this:
def is_safe_url(request, target):
ref_url = urlparse(request.host_url)
test_url = urlparse(urljoin(request.host_url, target))
return test_url.scheme in ['http', 'https'] and \
(test_url.netloc == 'localhost:3000' or \
ref_url.netloc == test_url.netloc
)
I figured if I configure the redirect in a way where it checks for a suitable domain (in my example, it would be localhost:3000) and check for domains that are not allowed, then there shouldn't be any security threats here. However, please correct me if I'm missing something.
Sadly, this results in a CORS issue.
I would also like to add that most of the examples provided by flask-login is using jinja templating. Something that isn't very clear from the documentation is that should redirects even be used if you aren't using them?
Rest of the code:
def is_safe_url(request, target):
ref_url = urlparse(request.host_url)
test_url = urlparse(urljoin(request.host_url, target))
return test_url.scheme in ['http', 'https'] and \
(test_url.netloc == 'localhost:3000' or \
ref_url.netloc == test_url.netloc
)
def get_redirect_target(request):
for target in request.values.get('next'), request.referrer:
print('target', target)
if not target:
continue
if is_safe_url(request, target):
return target
@user_bp.route('/login', methods=['GET', 'POST'])
def login():
next = get_redirect_target(request)
if current_user.is_authenticated:
return jsonify({ 'login': True })
if request.method == 'POST':
data = request.get_json()
form_input = ImmutableMultiDict(data)
form = UserAuthenticationForm(form_input)
if form.validate():
try:
user = RegisteredUser.query.filter_by(email = data['user']).first() or RegisteredUser.query.filter_by(username = data['user']).first()
if user is not None and user.check_password(data['password']):
login_user(user)
response = redirect(next)
print(response.get_data())
return response
# return jsonify({ 'login': True })
except Exception as e: # Handle a faulty connection to the database
print('Error: ' + str(e))
return jsonify({ 'login': False })
Edit:
CORS Setting:
CORS(app, origins=["http://localhost:3000"], expose_headers=["Content-Type", "X-CSRFToken"], supports_credentials=True)
So I think you're first issue is that you're mixing multi-page web app flow with single page web app flow.
In multipage web apps once you handle the user logging in you normally redirect them to another page so they can start using your app. But in single page web apps you usually dont redirect but instead send a token or something that the client will hold onto that will authenticate them later when they make a future request. For SPAs the app itself dictates the flow of how the user uses the app. For MPAs the server dictates the flow via redirects or other mechanisms.
-A side note, redirect is used in situations like OAuth for authentication for SPAs.
Also in the code in that blog is showing how to do a safe redirect but really its also doing something else. The next input that is in the form is a way to store the page where the user came from so that after they login you can give them a better user experience and redirect them back to what they wanted. Example I have a bookmark to a page that I use everyday however my login session as expired. So the backend saves that url to next and redirects me to the login page and adds next to the page so that once I login next will be sent to the server and now it can redirect me back to the bookmarked page. In react we dont need this cause I can store this info in the app itself and then once I log in I can show the appropriate page via react code.
Now you are wanting to use flask-login which is fine. What you need to do is in your react app do a javascript post request to the backend at the login endpoint. So backend.com/login for example as the login endpoint. When the login is successful you should ignore the default redirect behavior and grab the id that is returned in the session header. From now on you use that id as a session header on all future requests and everything should work fine.
Now you do have CORS to work with. So you have two servers. frontend.com and backend.com. frontend.com serves your react app and backend.com is the api and authentication.
You need to enable CORS on backend.com and whitelist frontend.com. This will tell backend.com that any requests from a client that originated from frontend.com is fine and should be processed. Else it should return a CORS error.
- Python Polars unable to convert f64 column to str and aggregate to list
- Why does casting a column with numeric Categorical datatype to an integer in Polars result in unexpected behavior?
- I can't seem to get a function in one class to properly call a function in another class in tkinter - Python
- Polars YYYY week into a date
- How can I drop duplicate rows from a Polars DataFrame according to a custom function?
- How can I break out of multiple loops?
- Cannot find play button on a web page in selenium using python
- django.db.utils.ProgrammingError: column "role" of relation "APP_profile" does not exist
- Dynamically change one of f-string variables
- How to read an existing worksheet table with Openpyxl?
- How to filter DataFrame by any string column matching any regex pattern in a list?
- How to scrape all customer reviews?
- Cost of exception handlers in Python
- Generate a random derangement of a list
- Epicycloid animation with Matplotlib in Python
- How to use the interval values in a categorial column returned by `.hist()` in Polars?
- Collatz Conjecture in Python
- How to add a custom decorator to a FastAPI route?
- How to transform polars datetime column into a string column?
- Aggregating output from langchain LCEL elements
- Polars - How can I make multiple joins cross multiple Dataframes, examples included
- PyPolars, get value from column based on value in another column without for loop
- How to insert a ui.page_navbar() layout using ui.insert()?
- PyPolars, conditional join on two columns
- Lookup column name in column
- How can I enable CORS on Django REST Framework
- Peeking in a heap in python
- Replace pivot operation for use in lazy evaluation with polars
- BeautifulSoup getting href of a list - need to simplify the script - replace multiprocessing
- Teardown method from add_finalizer of PyTest fixture doesn't work