Author Topic: Login to Python web app from Lazarus FPC desktop client  (Read 4505 times)

jeffp

  • New Member
  • *
  • Posts: 15
Login to Python web app from Lazarus FPC desktop client
« on: July 16, 2021, 01:29:26 am »
I have successfully deployed my Python web app in Pythonanywhere, complete with login authentication using flask-user.

I want to programmatically login to this Python web app from a Lazarus FPC desktop client so I can interact with the API. Of course I have knowledge of valid username/password combos. I see no obvious way to do it, and from a security standpoint it is not as straightforward as it seems. What is the proper way to do this?

Blade

  • Full Member
  • ***
  • Posts: 135
Re: Login to Python web app from Lazarus FPC desktop client
« Reply #1 on: July 16, 2021, 03:13:17 am »
Since Pythonanywhere is payware, why wouldn't you ask their support to help you?  Wouldn't they have examples, that you would then use (or show others) as a reference?

Gustavo 'Gus' Carreno

  • Hero Member
  • *****
  • Posts: 725
  • Professional amateur ;-P
Re: Login to Python web app from Lazarus FPC desktop client
« Reply #2 on: July 16, 2021, 04:11:24 am »
Hi JeffP,

Could you tell us a bit more about said API?

Like:
  • What type of login is needed to access the API? Basic, OAuth, Custom?
  • What type of API? JSON, XML, Other?

After you answer some of those questions, we can recommend some more in depth examples.

But mainly you would work with fphttpclient.

Cheers,
Gus
Lazarus 2.3.0(trunk) FPC 3.3.1(trunk) Ubuntu 21.04 64b Dark Theme
Lazarus 2.0.12(stable) FPC 3.2.2(stable) Ubuntu 21.04 64b Dark Theme
http://github.com/gcarreno

jeffp

  • New Member
  • *
  • Posts: 15
Re: Login to Python web app from Lazarus FPC desktop client
« Reply #3 on: July 16, 2021, 06:30:17 am »
@Gus,

  • What type of login is needed to access the API? Basic, OAuth, Custom?

Login is not OAuth, but I am not sure if the flask package flask-user is Basic or Custom. I'm guessing it's custom as there is a token transmitted together with the credentials on the login page.

  • What type of API? JSON, XML, Other?

JSON

Thanks.

Gustavo 'Gus' Carreno

  • Hero Member
  • *****
  • Posts: 725
  • Professional amateur ;-P
Re: Login to Python web app from Lazarus FPC desktop client
« Reply #4 on: July 16, 2021, 08:04:15 pm »
Hey JeffP,

Login is not OAuth, but I am not sure if the flask package flask-user is Basic or Custom. I'm guessing it's custom as there is a token transmitted together with the credentials on the login page.

Well, I think you should get a better understanding of what is needed to mimic the browser behaviour when you login.
Either look at the source HTML of the login form to assess what data is being POSTed
OR use something like Fiddler or WireShark to look at the web traffic generated in the login process.

JSON

Well, then, once you get the login sorted and have some way of identifying your state of loginness (That could be a word...), maybe via a cookie or an extra header or a token, then you just use fphttpclient to get the needed JSON results.

I would gladly give you more in-depth information but even with the answers that you gave, it's still rather vague how you'd go about it, sorry...

Cheers,
Gus
Lazarus 2.3.0(trunk) FPC 3.3.1(trunk) Ubuntu 21.04 64b Dark Theme
Lazarus 2.0.12(stable) FPC 3.2.2(stable) Ubuntu 21.04 64b Dark Theme
http://github.com/gcarreno

zamronypj

  • Full Member
  • ***
  • Posts: 130
    • Fano Framework, Free Pascal web application framework
Re: Login to Python web app from Lazarus FPC desktop client
« Reply #5 on: July 16, 2021, 09:46:36 pm »
@jeffp From your Internet browser, open the developer tools (F12 for Chrome/Firefox). Try to log in to the web application. From the Network tab of the developer tools, find the request that the browser sends when you try to log in (usually with the POST method).

If you select that particular request, you can inspect its details. You need to get information on any request headers and parameters sent. You also need to find out what response the web application sends back. If it is a successful operation, the web app usually sends something to identify and track the next request (cookie or token).

You need to store it and send this cookie or token along with other parameters for the next request.
Fano Framework, Free Pascal web application framework https://fanoframework.github.io
Apache module executes Pascal program like scripting language https://zamronypj.github.io/mod_pascal/
Github https://github.com/zamronypj

jeffp

  • New Member
  • *
  • Posts: 15
Re: Login to Python web app from Lazarus FPC desktop client
« Reply #6 on: July 17, 2021, 03:13:40 am »
@Gus, I'm not well-versed with authentication protocols. What I gleaned from the developer/Network tab of the browser (as suggested by zamronypj), upon login the Request sent contains the username and password in plain text, plus a CSRF token of random characters (generated by the login form).

And then there is a request cookie and a response cookie. Sorry, just an excited noob here.  :)

I think after solving the login issue, I can get the rest sorted out with fphttpclient.
« Last Edit: July 17, 2021, 03:16:16 am by jeffp »

Gustavo 'Gus' Carreno

  • Hero Member
  • *****
  • Posts: 725
  • Professional amateur ;-P
Re: Login to Python web app from Lazarus FPC desktop client
« Reply #7 on: July 17, 2021, 06:15:08 am »
Hey JeffP,

@Gus, I'm not well-versed with authentication protocols. What I gleaned from the developer/Network tab of the browser (as suggested by zamronypj), upon login the Request sent contains the username and password in plain text, plus a CSRF token of random characters (generated by the login form).

DRATS!!! I always forget to mention the developer tools on the browser. Thanks @zamronypj for suggesting that. Much easier than messing with Fiddler and/or WireShark :)

So, from what you're telling me here, nothing more than a regular POST to a login endpoint. Kewl!!

And then there is a request cookie and a response cookie. Sorry, just an excited noob here.  :)

You'll have to jot all that down in order to mimic the exact same behaviour. fphttpclient will allow you to mimic that with a bit of effort.

So from my point of view, here's a crude action list of how to do it:
  • Perform a GET to the login endpoint in order to get the HTML of the form
  • Save any cookie that this GET returns
  • Perform a REGEX search for the CSRF token
  • Perform a POST to the login endpoint with the 3 elements (login, password, CSRF token) and any cookie that point 2 has
  • Save any cookie that this POST returns and add it to the list that started on point 2
  • Perform GET or POST actions to the API endpoints with the cookies provided

Like I said, this is very crude and will give you a set of steps to look at and then try to implement.

NOW.... May I suggest something else?
This is not how any OR most APIs validate a user.
Usually it involves a secret token like a Client API Key so you don't have to mess with REGEX and stuff...
I would advise dropping this way of doing things and maybe try to get your server to have the Client Key approach?

Just my 2cents :)

I think after solving the login issue, I can get the rest sorted out with fphttpclient.

I concur with you on this.

Cheers,
Gus
Lazarus 2.3.0(trunk) FPC 3.3.1(trunk) Ubuntu 21.04 64b Dark Theme
Lazarus 2.0.12(stable) FPC 3.2.2(stable) Ubuntu 21.04 64b Dark Theme
http://github.com/gcarreno
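The six-step list above, written out as a Free Pascal console program with fphttpclient. This is an added example, not code from the thread or from flask-user: the host, the /user/sign-in and /api/items paths, the form field names (email, password, csrf_token), the assumption that the CSRF token sits in a hidden input named csrf_token, and the assumption that a successful login answers with a 3xx redirect while a failed one re-renders the form with 200, all have to be checked against what the browser's Network tab actually shows. fphttpclient does not carry Set-Cookie headers over to the next request by itself, so StoreResponseCookies does that by hand; opensslsockets (FPC 3.2+) is what makes https:// URLs work.

```pascal
program FlaskLoginClient;
{$mode objfpc}{$H+}

uses
  SysUtils, Classes,
  fphttpclient,   // TFPHTTPClient, EncodeURLElement
  opensslsockets, // registers the TLS handler for https:// URLs (FPC 3.2+)
  RegExpr;        // TRegExpr

const
  // Assumed host, paths and field names: replace with what the Network tab shows.
  BaseURL   = 'https://yourapp.pythonanywhere.com';
  LoginURL  = BaseURL + '/user/sign-in';
  ApiURL    = BaseURL + '/api/items';
  UserField = 'email';      // flask-user may use 'username' instead
  PassField = 'password';
  CsrfField = 'csrf_token';

{ Copy every Set-Cookie header of the last response into Client.Cookies so it
  goes out on the next request. Only name=value is kept; attributes such as
  Path, HttpOnly and Expires are dropped, which is enough for a single host. }
procedure StoreResponseCookies(Client: TFPHTTPClient);
var
  I, P: Integer;
  H: String;
begin
  for I := 0 to Client.ResponseHeaders.Count - 1 do
  begin
    H := Client.ResponseHeaders[I];
    if not SameText(Copy(H, 1, 11), 'Set-Cookie:') then
      Continue;
    H := Trim(Copy(H, 12, MaxInt));
    P := Pos(';', H);
    if P > 0 then
      H := Copy(H, 1, P - 1);              // "name=value"
    P := Pos('=', H);
    if P > 0 then                           // Values[] replaces a cookie of the same name
      Client.Cookies.Values[Copy(H, 1, P - 1)] := Copy(H, P + 1, MaxInt);
  end;
end;

{ Step 3: pull the CSRF token out of the hidden form field. Assumes the name
  attribute comes before value, e.g. <input name="csrf_token" type="hidden" value="..."> }
function ExtractCsrfToken(const Html: String): String;
var
  Re: TRegExpr;
begin
  Result := '';
  Re := TRegExpr.Create;
  try
    Re.ModifierI := True;
    Re.Expression := 'name="' + CsrfField + '"[^>]*value="([^"]+)"';
    if Re.Exec(Html) then
      Result := Re.Match[1];
  finally
    Re.Free;
  end;
end;

{ Steps 1-5: GET the form, keep its cookie, read the token, POST credentials
  plus token with that cookie, keep the session cookie from the reply. }
procedure Login(Client: TFPHTTPClient; const User, Pass: String);
var
  Html, Token, Body: String;
  Resp: TStringStream;
begin
  Client.AllowRedirect := False;   // the 302 after the POST carries the session cookie; read it, do not follow it
  Html := Client.Get(LoginURL);    // Get() raises unless the server answers 200
  StoreResponseCookies(Client);

  Token := ExtractCsrfToken(Html);
  if Token = '' then
    raise Exception.Create('CSRF token not found in login page');

  Body := CsrfField + '=' + EncodeURLElement(Token) + '&' +
          UserField + '=' + EncodeURLElement(User) + '&' +
          PassField + '=' + EncodeURLElement(Pass);
  Resp := TStringStream.Create('');
  Client.RequestBody := TStringStream.Create(Body);
  try
    Client.AddHeader('Content-Type', 'application/x-www-form-urlencoded');
    Client.HTTPMethod('POST', LoginURL, Resp, []);   // [] accepts any status; checked below
  finally
    Client.RequestBody.Free;
    Client.RequestBody := nil;
    Resp.Free;
  end;
  StoreResponseCookies(Client);

  // Assumption about this app: success redirects (3xx), failure re-renders the form (200).
  if (Client.ResponseStatusCode < 300) or (Client.ResponseStatusCode >= 400) then
    raise Exception.CreateFmt('Login failed, HTTP %d', [Client.ResponseStatusCode]);
end;

var
  Client: TFPHTTPClient;
begin
  Client := TFPHTTPClient.Create(nil);
  try
    // credentials come from the environment so they are not compiled into the binary
    Login(Client, GetEnvironmentVariable('APP_USER'), GetEnvironmentVariable('APP_PASS'));
    // Step 6: the session cookie now rides along on every API call
    Client.AddHeader('Accept', 'application/json');
    Client.AllowRedirect := True;
    WriteLn(Client.Get(ApiURL));
  finally
    Client.Free;
  end;
end.
```

Run it with APP_USER and APP_PASS set in the environment. Only name=value of each cookie is kept, so if the app ever sets cookies scoped to different paths or hosts the client would need a real cookie jar; for one Flask app on one host this is enough. Everything the browser sends over TLS this client sends over TLS too, which is the part that matters for the plain-text password noted earlier in the thread.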
