I have a pretty simple webapp in flask that displays some data from a PostgreSQL database using Chart.js. For this purpose, I have a route '/plot' under @login_required that an already logged in user can POST to render the plots.
I thought it would be cool adding some functionality similar to Google's "People with the link can access" to the webpage, so that a special link is generated allowing clients that are not registered in the webapp to POST the corresponding data to '/plot' and enjoy the charts, overcoming the @login_required but having access only to that specific data the original user chose to share.
What is the best way to implement such a functionality? And does it have any specific name? I was not able to find much information about it unfortunately.
Thank you in advance
I already have the webapp working for logged users. I am expecting to create these special links to allow external clients to access specific data without needing to register, but in a secure way
So from my understanding you have the route '/plot' to take POST requests to render some plot. And you want it to take a special link that allows '/plot' to be used temporarily without a login, i.e changes with the link itself and not the data on the server
Just to be clear Google's "People with the link can access" does not work in the same way as I said above. In Google's case the link is always the same however the file permissions on the server are changed instead.
What is the best way to implement such a functionality?
The best way would be to use a short string for authorizing that the access links used are valid and have permission to the requested resources.
And does it have any specific name?
What you're looking to do is authorization with a token
The secure way of doing this would be to give the user the link with the token and when accessed check if the token is valid. How you create and maintain this token on server is upto you whether with your database or you're using some libararies like JWT or itsdangerous . However your request route will mostly be the same as:
@app.route('/plot/<string:token>', methods=['POST'])
def plot_with_parameter(token):
if request.method == 'POST':
# eg you access a database with sqlalchemy
token = access_tokens.query.filter_by(id=token).first()
if token:
if datetime.datetime.utcnow() < token.expiration_time:
#Handle Access successful
else:
#Handle Token expired
else:
#Handle Invalid token
In the example above you can have a table access_tokens that stores the tokens as IDs along with relevant data like expiration time, number of max uses allowed etc. and link you give to your users will be like www.example.com/plot/tokenstring