I am creating a package to handle Google OAuth but I am not sure how secure it is. I am not sure if this is the best forum for this question, so please let me know if I am overstepping and I will submit a question on StackOverflow.
I was looking at the new updates to dash-auth, but it did not really fit my needs - i.e., I need a customized solution due to how my app functions. I have set everything up in Google Cloud for the authentication and it is set as internal; however, not every employee will have access to my Dash App. I have an Azure Cosmos DB that stores user permissions. So essentially, I am using Flask to handle the authentication and when the user logs in, I check the Cosmos DB to make sure the user should have access and, if they do have access, check the resources/pages they should have access to.
I am just not sure how secure my app is. In Azure, I have set up my lists of allow/deny rules to only allow access from certain IPs, but I am not sure I am storing each user's auth token securely. Currently, I am using flask.session to store the user's access token (as well as other information - e.g., username, profile picture, etc.).
I made sure to set a secret key:

```python
import datetime
import os

app.server.config['SECRET_KEY'] = os.environ.get('FLASK_SECRET_KEY')
app.server.config['SESSION_COOKIE_SECURE'] = True
app.server.config['PERMANENT_SESSION_LIFETIME'] = datetime.timedelta(minutes=60)
```
For the actual login callback I am doing:

```python
import datetime
import os

import flask

# google_resp is the response from Google's userinfo endpoint and token is the
# dict returned by the OAuth token exchange; both are obtained earlier in the
# callback and are not shown here.
if google_resp.status_code == 200:
    user_data = google_resp.json()
    # check db to see if they have access
    # dd is a custom function I created that uses azure.cosmos.cosmos_client
    cosmos = dd.CosmosDB(host=os.environ.get('COSMOS_HOST'),
                         master_key=os.environ.get('COSMOS_MASTER_KEY'),
                         db_id='DashboardUserAccess', container_id='users')
    resp = cosmos.get_user(email=user_data['email'].lower())
    if resp:
        r = flask.redirect(flask.session['REDIRECT_URL'])
        flask.session['AUTH_USERNAME'] = user_data['name']
        flask.session['AUTH_PICTURE'] = user_data['picture']
        flask.session['AUTH_EMAIL'] = user_data['email']
        flask.session['AUTH_TOKEN'] = token['access_token']
        # update db with login time
        now = datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S')
        cosmos.upsert_user(email=resp['id'], first=resp['first'],
                           last=resp['last'], access=resp['access'], login=now)
        return r
    else:
        return flask.Response(status=403)
```
Do I need to encrypt `token['access_token']` when doing `flask.session['AUTH_TOKEN'] = token['access_token']`, or is setting the following secure enough:

```python
app.server.config['SECRET_KEY'] = os.environ.get('FLASK_SECRET_KEY')
app.server.config['SESSION_COOKIE_SECURE'] = True
```
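Flask's default session is a client-side cookie: the payload is signed with SECRET_KEY so the server can detect tampering, but it is only base64-encoded, not encrypted, so whoever holds the cookie can read every key stored in it, AUTH_TOKEN included. The following is an added example, not code from the post or from Flask, using only the standard library. It reproduces the default cookie layout (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC key derivation, SHA-1) from memory, which is an assumption rather than Flask's own code, and all secrets and tokens are constructed values. It shows the payload being read back without the key, the signature doing its integrity and expiry job, and a server-side store that keeps the token off the client entirely.

```python
"""Signed != encrypted: what a Flask session cookie reveals, and a
server-side alternative.  Added example (not from the post or Flask),
standard library only.  The cookie layout mirrors Flask's default
SecureCookieSessionInterface as remembered (itsdangerous
URLSafeTimedSerializer, salt "cookie-session", HMAC key derivation,
SHA-1); treat that as an assumption.  All secrets and tokens are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib

SALT = b"cookie-session"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derived_key(secret_key):
    # itsdangerous "hmac" key derivation: HMAC(secret_key, salt)
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def make_session_cookie(data, secret_key, now=None):
    """Serialise like flask.session: compact JSON, zlib if shorter (marked by a
    leading '.'), base64url, then '.timestamp.signature'.  Nothing is encrypted."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    payload = "." + _b64(packed) if len(packed) < len(raw) else _b64(raw)
    ts = int(time.time() if now is None else now)
    signed = payload + "." + _b64(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derived_key(secret_key), signed.encode(), hashlib.sha1).digest()
    return signed + "." + _b64(sig)


def read_payload_without_key(cookie):
    """Anyone holding the cookie (the user, a browser extension, a proxy log)
    can do this; no SECRET_KEY is involved."""
    payload = cookie.rsplit(".", 2)[0]
    if payload.startswith("."):
        return json.loads(zlib.decompress(_unb64(payload[1:])))
    return json.loads(_unb64(payload))


def verify_cookie(cookie, secret_key, max_age=3600, now=None):
    """What the server does on every request: the signature and timestamp give
    integrity and expiry, not confidentiality.  Returns None if invalid."""
    if cookie.count(".") < 2:
        return None
    signed, sig = cookie.rsplit(".", 1)
    expected = hmac.new(_derived_key(secret_key), signed.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    ts = int.from_bytes(_unb64(signed.rsplit(".", 1)[1]), "big")
    if (time.time() if now is None else now) - ts > max_age:
        return None
    return read_payload_without_key(cookie)


class ServerSideTokenStore:
    """Keep the OAuth access token on the server, keyed by an opaque random
    handle; only the handle goes into flask.session.  In-memory stand-in for a
    Redis/Cosmos-backed store (a real deployment needs one shared by all workers)."""

    def __init__(self):
        self._entries = {}

    def put(self, email, access_token, ttl=3600, now=None):
        handle = secrets.token_urlsafe(32)
        expires = (time.time() if now is None else now) + ttl
        self._entries[handle] = (email, access_token, expires)
        return handle

    def get(self, handle, now=None):
        entry = self._entries.get(handle)
        if entry is None:
            return None
        email, access_token, expires = entry
        if (time.time() if now is None else now) > expires:
            self._entries.pop(handle, None)  # expired: forget the token
            return None
        return email, access_token

    def revoke(self, handle):
        """Call on logout so the stored token dies with the session."""
        self._entries.pop(handle, None)


if __name__ == "__main__":
    secret = b"constructed-flask-secret-key"
    cookie = make_session_cookie(
        {"AUTH_EMAIL": "user@example.com", "AUTH_TOKEN": "ya29.constructed-token"}, secret)
    print("cookie:", cookie)
    print("readable without the key:", read_payload_without_key(cookie))
    store = ServerSideTokenStore()
    handle = store.put("user@example.com", "ya29.constructed-token")
    print("session would hold only:", {"AUTH_EMAIL": "user@example.com", "AUTH_HANDLE": handle})
```

SECRET_KEY and SESSION_COOKIE_SECURE therefore protect the cookie's integrity and keep it off plain HTTP, but they do not hide its contents. The practical options are to keep the access token server-side (the store above, or a server-backed session such as Flask-Session) and put only a random handle in flask.session, or, if it must stay in the cookie, to encrypt it with a separate key before storing it. Either way, SESSION_COOKIE_HTTPONLY (Flask's default) and a SESSION_COOKIE_SAMESITE setting are worth setting explicitly alongside the existing config.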