在Flask中存储没有数据库的Oauth2 access_token
[英]Storing Oauth2 access_token without a database in Flask
问题描述
I'm working with the imgur api . 
我正在使用imgur api 。 I'm using Flask without a db. 我正在使用没有数据库的Flask。
I'm trying to access a single dedicated account, so there won't be more than one user account in this app (thus i just have to manually authorize it once and do the rest with the tokens the service gives to me , no need for a database). 我正在尝试访问一个专用帐户,因此该应用程序中不会有一个以上的用户帐户(因此,我只需要手动对其进行一次授权,并使用该服务提供给我的令牌进行其余操作,无需用于数据库)。 Once authorized the app on the account, Imgur gives me two tokens: an access_token that expires after an hour and a refresh_token that doesn't expire and can be used to request a new access_token. 在帐户上授权该应用程序后,Imgur会给我两个令牌:一个小时后过期的access_token和一个不过期且可用于请求新的access_token的refresh_token。
I can't think any method different that this to send correct requests to the server using this two tokens and refreshing the access one only when needed: 我认为没有其他方法可以使用这两个令牌向服务器发送正确的请求,并仅在需要时刷新访问权限,这才是不同的:
from flask import Flask
from foobar import foo, bar
import config
app = Flask(__name__)
app.config.from_object(config)
#I initialize the access_token with the value hardcoded in the config file
access_token = config.access_token
@app.route('/',methods=['POST'])
def home():
#I access the value i initialized when starting the server
global access_token
if request.method == 'POST':
#I send the access_token to a method that contacts Imgur servers and checks if it's still valid. If not it will request and return a new one.
access_token = foo(access_token)
#I send the token, now sure it's always a valid one, to the rest of the logic that uses it to do actual requests
bar(access_token)
This works. 这可行。 As long i don't restart the server it will require a new access_token only if needed, but it doesn't really look a good way of doing things. 只要我不重新启动服务器,它仅在需要时才需要一个新的access_token,但它实际上并不是一种好的处理方式。 The idea of hardcoding a token that expires in an hour sounds really silly and i don't really know if using that global variable there could be a good practice nor if it would be reinitialized from the config file in some scenario i'm currently ignoring. 对一个小时内到期的令牌进行硬编码的想法听起来很愚蠢,我真的不知道是否使用该全局变量是否可以作为一种很好的做法,或者在我当前忽略的某些情况下是否可以从配置文件中对其进行初始化。 How can i avoid this? 我如何避免这种情况? I should write the new refreshed access_token on a file and load it from there in the config? 我应该在文件上写入新的刷新的access_token并从那里将其加载到配置中? Does that create security concerns? 这会带来安全隐患吗?
Also, the refresh_token doesn't expire so i think there is no problem on storing it in the cofing file, but sill every time i request an access_token it also gives me a new refresh_token, should i update that too? 另外,refresh_token不会过期,所以我认为将其存储在cofing文件中没有问题,但是每次我请求一个access_token时,窗台也会给我一个新的refresh_token,我也应该更新它吗? It seems unnecessary, the old one still works, but maybe i'm missing something. 似乎没有必要,旧的仍然可以,但是也许我缺少了一些东西。
1 个解决方案
解决方案1
1 2015-11-25 12:28:12
According to imgur's API doc, access_token expires after one month not after one hour. 根据imgur的API文档, access_token在一个月后过期,而不是一小时后过期。 I think it's acceptable method to store it in a file. 我认为将其存储在文件中是可以接受的方法。 You are already storing the refresh_token in the config file, so if an attacker can access the app's directory, it does not matter whether access_token is also there. 您已经将refresh_token存储在配置文件中,因此,如果攻击者可以访问应用程序的目录,则access_token是否也存在也无关紧要。 (Of course you should run the Flask app as a separate user, and all files should be accessible only by that user.) (当然,您应该以单独的用户身份运行Flask应用程序,并且所有文件只能由该用户访问。)
You can also store the expire date along with the access_token , so you can check whether you have the renew it before a request. 您还可以将过期日期与access_token一起存储,以便可以在请求之前检查是否有续订日期。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.