Flask-BasicAuth

Warnings

• breaking Basic Authentication sends credentials (username and password) in cleartext over the network, only Base64 encoded, which is easily reversible. It is CRITICAL to use HTTPS/TLS to encrypt the connection between the client and server. Without HTTPS, credentials can be easily intercepted.
  Fix: Always deploy Flask applications using Flask-BasicAuth behind an HTTPS/TLS-enabled server (e.g., Nginx, Apache) in production environments.
• gotcha When deploying Flask-BasicAuth behind a reverse proxy like Nginx or Apache with mod_wsgi, the proxy might strip the `Authorization` header, preventing Flask-BasicAuth from receiving the credentials.
  Fix: Configure your reverse proxy to pass the `Authorization` header to the backend. For Apache/mod_wsgi, add `WSGIPassAuthorization On` to your configuration. For Nginx, ensure `proxy_set_header Authorization $http_authorization;` is set.
• gotcha The `BASIC_AUTH_FORCE = True` configuration, intended to protect the entire application, has been reported to cause continuous re-prompting for credentials in some browsers due to how authorization headers are handled.
  Fix: If experiencing issues with `BASIC_AUTH_FORCE`, consider explicitly decorating each protected view with `@basic_auth.required` or explore alternative Flask authentication extensions like `Flask-HTTPAuth`.
• gotcha Flask-BasicAuth performs a direct string comparison for usernames and passwords (cleartext comparison). It does not include mechanisms for secure password hashing (e.g., bcrypt, scrypt) or storage.
  Fix: For production applications requiring secure user management and password storage, consider using more robust Flask extensions like `Flask-Login` combined with `Flask-Bcrypt`, or `Flask-HTTPAuth` which supports secure password hashing. Flask-BasicAuth is best suited for simple, low-security scenarios or protecting staging environments.
• deprecated This library has not been updated since June 2013, with Python 3 support only officially extending to Python 3.3. It is largely unmaintained, and may not be compatible with newer Flask versions or Python releases, or may lack features and security updates present in more active alternatives.
  Fix: For new projects or applications requiring ongoing maintenance and modern features, consider using actively developed alternatives such as `Flask-HTTPAuth` (for various HTTP auth schemes including Basic with hashed passwords) or `Flask-Login` (for session-based user management).

Install

• pip install Flask-BasicAuth Install with pip

Imports

• BasicAuth

  from flask_basicauth import BasicAuth

Quickstart

This quickstart initializes a Flask application with Flask-BasicAuth. It demonstrates protecting a single route (`/secret`) using the `@basic_auth.required` decorator. Credentials are loaded from environment variables for security, defaulting to 'admin' and 'secret'. The example also notes how to protect the entire application using `BASIC_AUTH_FORCE = True`.

import os
from flask import Flask, render_template_string
from flask_basicauth import BasicAuth

app = Flask(__name__)
app.config['BASIC_AUTH_USERNAME'] = os.environ.get('BASIC_AUTH_USERNAME', 'admin')
app.config['BASIC_AUTH_PASSWORD'] = os.environ.get('BASIC_AUTH_PASSWORD', 'secret')

basic_auth = BasicAuth(app)

@app.route('/')
def index():
    return "Welcome!"

@app.route('/secret')
@basic_auth.required
def secret_view():
    return render_template_string("<h1>Secret Page</h1><p>Accessed with basic auth.</p>")

if __name__ == '__main__':
    # To protect the entire site (e.g., for staging environments):
    # app.config['BASIC_AUTH_FORCE'] = True
    # Ensure BASIC_AUTH_USERNAME and BASIC_AUTH_PASSWORD are set as environment variables
    # or directly in app.config for production.
    app.run(debug=True)