Only allow access to a view from a specific view


I have registered two views:

config.add_route("home", "/home")
config.add_route("home/data", "home/data")

The /home view has some JavaScript code in the frontend that fetches data from home/data.

What is the proper way to allow access to home/data only if users access the website via mysite.com/home?

I tried checking request.referer, but it seems easy to modify/hack.

Answer by J_H:

Let H(m) be a function that hashes a message, perhaps SHA3.

Create a secret S which only your webserver knows.

The /home page will have a link to home/data. Change that link each time you display the page. The href should include a pair of query parameters:

  • time is current timestamp, e.g. seconds since 1970 epoch
  • nonce is H(S + time)

The home/data page should report a permission error if

  • the pair of parameters is missing, or
  • the time is not a fresh timestamp, or
  • the nonce doesn't validate.

So we have one page producing links to a data page, and those links are the only way to retrieve the data contents.
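The scheme above, worked through end to end as an added example (this is not the answerer's code and not part of Pyramid): /home mints a link carrying `time` and `nonce`, and home/data rejects the request if either parameter is missing, the timestamp is outside a freshness window, or the nonce does not verify. One deliberate change from the text: the nonce is computed as HMAC-SHA3-256 keyed with S over the timestamp rather than a bare hash of S + time, which is the standard way to key a hash with a secret. The secret, the 300-second window and the 5-second clock-skew allowance are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for this example. A real deployment loads S from server-side
# configuration; it must never reach the browser.
SECRET = secrets.token_bytes(32)

# Assumption: a link minted by /home stays valid for five minutes.
MAX_AGE_SECONDS = 300
# Assumption: tolerate a few seconds of clock skew between servers.
CLOCK_SKEW_SECONDS = 5


def make_nonce(secret: bytes, timestamp: int) -> str:
    """The answer's H(S + time), implemented as HMAC-SHA3-256 keyed with S over time."""
    return hmac.new(secret, str(timestamp).encode(), hashlib.sha3_256).hexdigest()


def make_data_link(secret: bytes, now: Optional[int] = None) -> str:
    """Build the href that /home embeds; it changes on every render because time does."""
    ts = int(time.time()) if now is None else now
    return "/home/data?" + urlencode({"time": ts, "nonce": make_nonce(secret, ts)})


def check_data_request(secret: bytes, url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a request to home/data is allowed; returns (allowed, reason).

    In a Pyramid view the parameters would come from request.params; here the
    URL is parsed directly so the function runs stand-alone.
    """
    params = parse_qs(urlparse(url).query)
    if "time" not in params or "nonce" not in params:
        return False, "missing time/nonce"
    try:
        ts = int(params["time"][0])
    except ValueError:
        return False, "malformed time"
    current = int(time.time()) if now is None else now
    # Reject links from the future (beyond skew) and links older than the window.
    if ts > current + CLOCK_SKEW_SECONDS or current - ts > MAX_AGE_SECONDS:
        return False, "stale timestamp"
    # Recompute the nonce from the presented time and compare in constant time,
    # so a forged nonce cannot be guessed byte by byte via timing differences.
    expected = make_nonce(secret, ts)
    if not hmac.compare_digest(expected, params["nonce"][0]):
        return False, "bad nonce"
    return True, "ok"


if __name__ == "__main__":
    link = make_data_link(SECRET)
    print("link minted by /home:", link)
    print("home/data decision:", check_data_request(SECRET, link))
```

Because the nonce is bound only to the timestamp, the check proves that the server minted the link recently, not who is holding it: anyone who obtains a fresh link can use it until the window closes. If that matters for the data being served, feed the session identifier into the HMAC input as well, so a link only verifies for the session that rendered /home.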