{"id":2507,"library":"flask-httpauth","title":"HTTP Authentication for Flask","description":"Flask-HTTPAuth is a Flask extension that simplifies the use of HTTP authentication with Flask routes. It currently supports Basic, Digest, and Token authentication schemes. The library is actively maintained with regular releases, typically every few months, ensuring compatibility with the latest Flask versions and addressing security concerns.","status":"active","version":"4.8.1","language":"en","source_language":"en","source_url":"https://github.com/miguelgrinberg/flask-httpauth","tags":["flask","auth","authentication","http","security"],"install":[{"cmd":"pip install Flask-HTTPAuth","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Core dependency for the Flask framework.","package":"Flask","optional":false},{"reason":"Used for security utilities like password hashing; it's a core Flask dependency.","package":"Werkzeug","optional":false}],"imports":[{"note":"The `flask.ext` import style was deprecated in Flask 0.9 and removed in Flask 1.0. Use `flask_httpauth` directly.","wrong":"from flask.ext.httpauth import HTTPBasicAuth","symbol":"HTTPBasicAuth","correct":"from flask_httpauth import HTTPBasicAuth"},{"symbol":"HTTPDigestAuth","correct":"from flask_httpauth import HTTPDigestAuth"},{"symbol":"HTTPTokenAuth","correct":"from flask_httpauth import HTTPTokenAuth"}],"quickstart":{"code":"import os\nfrom flask import Flask, jsonify\nfrom flask_httpauth import HTTPBasicAuth\nfrom werkzeug.security import generate_password_hash, check_password_hash\n\napp = Flask(__name__)\nauth = HTTPBasicAuth()\n\n# In a real application, fetch from a database or secure configuration\nusers = {\n    \"john\": generate_password_hash(os.environ.get('JOHN_PASSWORD', 'hello')),\n    \"susan\": generate_password_hash(os.environ.get('SUSAN_PASSWORD', 'bye'))\n}\n\n@auth.verify_password\ndef verify_password(username, password):\n    if username in users and \\\n            check_password_hash(users.get(username), password):\n        return username\n    return None\n\n@app.route('/')\n@auth.login_required\ndef index():\n    return f\"Hello, {auth.current_user()}! You are authenticated.\"\n\n@app.route('/public')\ndef public_route():\n    return \"This is a public route.\"\n\nif __name__ == '__main__':\n    # Example of setting environment variables for quick testing:\n    # export JOHN_PASSWORD=secret_john\n    # export SUSAN_PASSWORD=secret_susan\n    app.run(debug=True)","lang":"python","description":"This quickstart demonstrates basic HTTP authentication using `HTTPBasicAuth` and `verify_password` for secure password handling. It uses environment variables for mock user passwords for demonstration purposes, which should be replaced by a secure user management system in production. The `debug=True` in `app.run()` is for local testing only and must not be used in a deployed application."},"warnings":[{"fix":"Upgrade your application to Python 3. If a Python 3 upgrade is not feasible, pin `Flask-HTTPAuth<4.0.0`.","message":"Version 4.0.0 dropped support for Python 2.x. Applications running on Python 2 must either remain on `flask-httpauth<4.0.0` or upgrade to Python 3.","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Replace all calls to `auth.username()` with `auth.current_user()`.","message":"In version 4.0.0, the `auth.username()` method was renamed to `auth.current_user()` to align with more generic authentication contexts (e.g., token-based authentication where the 'username' might not be directly applicable).","severity":"breaking","affected_versions":">=4.0.0"},{"fix":"Implement password hashing using `werkzeug.security` or similar libraries. Ensure `@auth.verify_password` performs a hash comparison, not a plain-text comparison.","message":"For secure password handling, it is highly recommended to use the `@auth.verify_password` decorator with hashed passwords (e.g., `werkzeug.security.generate_password_hash`, `check_password_hash`). Relying on `@auth.get_password` with plain-text passwords is insecure and should be avoided.","severity":"gotcha","affected_versions":"All"},{"fix":"Set `app.config['SECRET_KEY']` to a long, randomly generated value loaded from the environment or a secrets store (not a literal such as `'your-secret-key'` committed to source), and consider configuring Flask to use server-side sessions for production deployments involving `HTTPDigestAuth`.","message":"When using `HTTPDigestAuth`, Flask's `SECRET_KEY` configuration must be set, and for robust security, server-side sessions should be used instead of the default client-side (cookie-based) sessions to prevent exposure of challenge data.","severity":"gotcha","affected_versions":"All"},{"fix":"If a custom login message is desired, explicitly set `auth.login_message = 'Your custom message'` during initialization or via a decorator parameter.","message":"The default value of `auth.login_message` changed from a generic 'Login Required' string to `None` in version 4.0.0. If your application relied on the default message being displayed, it will no longer appear unless explicitly set.","severity":"breaking","affected_versions":">=4.0.0"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}