Almost Everything You Ever Wanted to Know About Web Authentication in Python

Everything You Ever
Wanted to Know
About Web Authentication in Python
@rdegges
*Almost

View Slide

I’m Randall Degges
Run Developer Advocacy
at Okta
Python / Node / Go
Hacker

View Slide

The Journey

View Slide

REGISTER LOGIN DASHBOARD

View Slide

0x00 - Getting Set Up

View Slide

Assumptions
Python https://www.python.org
Mongo https://www.mongodb.com/

View Slide

Install Dependencies
$ pip install flask

View Slide

Prepare the App
$ touch server.py
$ mkdir templates
$ touch templates/base.html
$ touch templates/index.html
$ touch templates/register.html
$ touch templates/login.html
$ touch templates/dashboard.html

View Slide

Create Basic Templates
➔ Home
➔ Register
➔ Login
➔ Dashboard

View Slide

Flask Simple Auth: {{ title }}

{% block body %}{% endblock %}

➔ templates/base.html
Home | Login | Register
More HTML

View Slide

{% extends "base.html" %}
{% set title = 'Home' %}
{% block body %}
Flask Simple Auth!

Welcome to Flask Simple Auth! Please login or
register to continue.

{% endblock %}
➔ templates/index.html
Use the base template
Set the title variable
Insert HTML into the body

View Slide

{% set title = 'Register' %}
{% block body %}
Create an Account

First Name:
required=true>

Last Name:
required=true>

Email:
required=true>

Password:
required=true>

{% endblock %}
➔ templates/register.html

View Slide

{% set title = 'Login' %}
{% block body %}
Log Into Your Account

Email:
required=true>

Password:
required=true>

{% endblock %}
➔ templates/login.html

View Slide

{% set title = 'Dashboard' %}
{% block body %}
Dashboard
Welcome to your dashboard! You are now logged
in.
{% endblock %}
➔ templates/dashboard.html

View Slide

Create Basic Web App
➔ Define Views
➔ Render Templates
➔ Start Server

View Slide

from flask import Flask
from flask import render_template
app = Flask(__name__)
@app.route("/")
def index():
return render_template('index.html')
@app.route("/login")
def login():
return render_template('login.html')
@app.route("/register")
def register():
return render_template('register.html')
@app.route("/logout")
def logout():
pass
@app.route("/dashboard")
def dashboard():
return render_template('dashboard.html')
➔ server.py

View Slide

@app.route("/")
def index():
return render_template('index.html')
Run the function below when
the user hits the / url
Return a response to the user

View Slide

$ FLASK_APP=server.py flask run
Create Basic Templates

View Slide

0x01 - Forms

View Slide

First Name:
Last Name:
Email:
Password:

You know... HTML!

View Slide

from flask import jsonify
from flask import request
# ...
@app.route("/register", methods=['GET', 'POST'])
def register():
if request.method == 'POST':
return jsonify(request.form)
Form Data
Tell the function to run for
GET and POST requests

View Slide

0x02 - Databases

View Slide

$ mongo
MongoDB shell version: 3.2.11
>
Mongo

View Slide

> use test;
switched to db test
The Basics
> show collections;
>
Get or create a database
> db.users.insert({ email: "[email protected]", password: "woot!" });
WriteResult({ "nInserted" : 1 })
Show tables
> db.users.find();
{ "_id" : ObjectId("59247d0f3dacfc7ef19a41d2"), "email" : "[email protected]", "password" :
"woot!" }
Create table and insert something
SELECT * FROM users;

View Slide

$ pip install flask-pymongo
app = Flask(__name__)
app.config['MONGO_DBNAME'] = 'flask-simple-auth'
mongo = PyMongo(app)
flask-pymongo

View Slide

from flask import redirect
from flask import url_for
# ...
def register():
mongo.db.users.insert_one(request.form.to_dict())
return redirect(url_for('dashboard'))
Creating Users
Redirect to “/dashboard”

View Slide

> db.users.find()
{
"_id" : ObjectId("59248139c6670c68737612bd"),
"firstName" : "Randall",
"lastName" : "Degges",
"email" : "[email protected]",
"password" : "woot!",
"__v" : 0
}
Verifying

View Slide

@app.route("/login", methods=['GET', 'POST'])
def login():
user = mongo.db.users.find_one({'email': request.form['email']})
if user['password'] == request.form['password']:
Authenticating Users
Find the user by email
Verify the user’s password

View Slide

0x03 - Sessions

View Slide

Home Page Dashboard
What If...
Billing
You had to enter your credentials over and
over again on every page you visited?

View Slide

Website
The Idea
Login
Unique ID
Hey! Browser! Remember this
value! I need you to send it back
to me next time you visit so I
know who you are!
Browser
These are
sessions.

View Slide

Browser Server
Cookies
Cookies
Authentication
Cookies

View Slide

HTTP Requests / Responses
{
"User-Agent": "Mozilla/5.0 ...",
"Content-Type": "text/html"
}

…

Headers
Body

View Slide

Set-Cookie: session=12345
Body
{
"Set-Cookie": "session=12345"
}
Creating Cookies
Set-Cookie: a=b; c=d; e=f

View Slide

Body
{
"User-Agent": "cURL/1.2.3",
"Accept": "*/*",
"Host": "localhost:3000",
"Cookie": "session=12345"
}
Reading Cookies

View Slide

Using Sessions
from flask import session
# ...
app.config['SECRET_KEY'] = 'SUPER_SECRET!'
# ...
def login():
if user['password'] == request.form['password']:
session['id'] = str(user['_id'])

View Slide

Verifying

View Slide

from bson.objectid import ObjectId
# ...
def dashboard():
if 'id' not in session:
return redirect(url_for('login'))
user = mongo.db.users.find_one({'_id': ObjectId(session['id'])})
if user:
Improving the Dashboard
If there’s no session, bail
Find the user by id
Everything OK? Show the
dashboard

View Slide

0x04 - Storing Passwords

View Slide

{
"_id" : ObjectId("59248139c6670c68737612bd"),
"password" : "woot!",
"__v" : 0
}
Current User Data

View Slide

Password Hashing!
Given a hash, you can never retrieve the
original password that created it. Hashes are
one-way.
The same password always generates the
same hash.

View Slide

Hashing
● md5
● sha256
● bcrypt
● scrypt
● argon2
● etc.
● SHITTY
● NOPE!
● SAFE
● AWESOME
● YES!!
● NO

View Slide

bcrypt (pseudo)
>>> password = 'hi'
>>> hash = bcrypt(password)
>>> print(hash)
'$2a$10$uS.pE0aS0NlsgbvLd6EruO5VDKllinIZLF3C84OYzWHFiyKYfZVXy'

View Slide

Improving Registration
$ pip install bcrypt passlib
from passlib.hash import bcrypt
# ...
def register():
user_data = request.form.to_dict()
user_data['password'] = bcrypt.hash(user_data['password'])
user = mongo.db.users.insert_one(user_data)

View Slide

Improving Login
def login():
if user and bcrypt.verify(request.form['password'], user['password']):

View Slide

Our Improved User
{
"_id" : ObjectId("5924ad584f7ddf1eea467408"),
"password" : "$2a$14$czZ5IJCRsi7TvqwW8InVsOOnzBffT3e19unr1ecFq0XQGiTatN0wm",
"__v" : 0
}

View Slide

Homework!
http://plaintextoffenders.com/

View Slide

0x05 - Refactoring

View Slide

from flask import g
from werkzeug.local import LocalProxy
user = LocalProxy(lambda: g.user)
# ...
@app.before_request
def load_user():
if 'id' in session:
g.user = mongo.db.users.find_one({'_id': ObjectId(session['id'])})
del g.user['password']
return
Smart User Loading

View Slide

from functools import wraps
def login_required(func):
@wraps(func)
def decorator(*args, **kwargs):
if not user:
return func(*args, **kwargs)
return decorator
Force Authentication
GTFO
Welcome
buddy!

View Slide

@login_required
def dashboard():
print('hello: {}'.format(user.first_name))
Refactoring

View Slide

0x06 - CSRF

View Slide

Let’s Say...

View Slide

Cross Site Request Forgery
Hey Randall,
Check out this picture of my dog!
src="http://bank.com/withdraw?amount=1000000&
toAccount=BadGuy">

View Slide

CSRF Tokens
Browser
Server
CSRF
Cookie
GET /login
Login Page w/ CT
POST /login w/
CT
NO! >:S

View Slide

CSRF Protection in HTML

...

View Slide

CSRF Protection
$ pip install flask-seasurf
from flask_seasurf import SeaSurf
csrf = SeaSurf(app)

View Slide

0x07 - Security Best Practices

View Slide

User Server
secret
Always Use SSL

View Slide

Use Cookie Flags
from datetime import timedelta
# Don't let Javascript access cookies
app.config['SESSION_COOKIE_HTTPONLY'] = True
# Only set the cookie over SSL
app.config['SESSION_COOKIE_SECURE'] = True
# How long should the session last?
app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=30)

View Slide

Don’t Roll Your Own
➔ Flask-Login
➔ Flask-Security
➔ Okta

View Slide

Code https://github.com/rdegges
Slides https://speakerdeck.com/rdegges
Resources
@oktadev
@rdegges

View Slide

BONUS!
JWTs suck for web authentication.

View Slide

What are JWTs?
- JSON data
- Cryptographically signed
- Not fancy
- Not encrypted

View Slide

What’s a Cryptographic Signature?
Randall Degges
That’s a
signature!

View Slide

What Do JWTs Actually Do?
Prove that some data
was generated by
someone else.

View Slide

How Do People Use JWTs?

View Slide

NOTE
Never store sensitive information
in LocalStorage / SessionStorage.
NEVER EVER.

View Slide

“… In other words, any authentication your application requires
can be bypassed by a user with local privileges to the machine
on which the data is stored. Therefore, it's recommended not
to store any sensitive information in local storage.”
- OWASP (Open Web Application Security Project)

View Slide

Why Do JWTs Suck?

View Slide

You’re Going to Hit the DB Anyway

View Slide

Don’t Sign Things Twice
Randall Degges
That’s
dumb!
Randall Degges

View Slide

What ARE JWTs Good For?
Website
Reset my password.
Ok! I’ve emailed
you a link that has a
JWT in the URL
which will expire in
30 minutes.
Ok! I clicked
the link.
This JWT looks legit. I
suppose I’ll let you reset
your password.
Ok, your PW has
been reset.

View Slide

In Summary
JWTs are not meant to be used
for persisting state. Making
them do the same thing as
cookies in a less efficient and
secure manner is bad for you.
Don’t use them unless you
know how.

View Slide

Almost Everything You Ever Wanted to Know About Web Authentication in Python

Almost Everything You Ever Wanted to Know About Web Authentication in Python

Randall Degges

More Decks by Randall Degges

Other Decks in Programming

Featured

Transcript