Flask on H&W https://yy-tech.online/tags/flask/ Recent content in Flask on H&W Hugo en Thu, 28 May 2026 00:53:02 +0800 [GLP] Flask With MySQL (2) https://yy-tech.online/post/flask-with-mysql-2/ Fri, 06 Aug 2021 23:36:30 +0800 https://yy-tech.online/post/flask-with-mysql-2/ <blockquote> <p>A Flask starter scaffold — I had mostly written small Python scripts before, and this project was a chance to build a proper backend skeleton.</p> </blockquote> <h2 id="1-jwt-token-flow">1. JWT token flow</h2> <ul> <li>Use <strong>short-lived access tokens</strong> for better security.</li> </ul> <h3 id="workflow">Workflow</h3> <ol> <li>Request <strong>access token + refresh token</strong> (refresh token in a secure cookie: <code>HttpOnly</code>, <code>Secure</code>, <code>SameSite</code>).</li> <li>Send requests with <strong>payload + access token</strong>; keep the access token in memory (cleared on logout).</li> <li>When the access token expires, use the refresh cookie to obtain a new access token.</li> <li>Access tokens often live ~1 minute to limit window for MITM abuse.</li> <li>Add a <strong>one-way hash</strong> over parameters for integrity, ideally including request time.</li> <li>Encrypt sensitive header fields with <strong>HMAC</strong>; the backend uses HMAC when refreshing tokens.</li> <li>JWTs can be stored in <strong>Redis</strong> for revocation / allowlists; we aimed for a <strong>stateless</strong> API for other systems to call, so we did not persist sessions server-side.</li> </ol> <h3 id="implementation-notes">Implementation notes</h3> <ul> <li><code>Set-Cookie</code> is set <strong>on the server</strong>, not in client JS.</li> <li>Cookies must use <code>HttpOnly</code>, <code>Secure</code>, and <code>SameSite</code> or later requests may not send cookies correctly.</li> </ul> <h3 id="security-trade-offs">Security trade-offs</h3> <p>This design improves security for the refresh cookie, but browser extensions can still read cookies in some cases. Going stateless is a deliberate compromise.</p> [GLP] Flask With MySQL (1) https://yy-tech.online/post/flask-with-mysql-1/ Tue, 03 Aug 2021 20:36:30 +0800 https://yy-tech.online/post/flask-with-mysql-1/ <blockquote> <p>A Flask starter scaffold — I had mostly written small Python scripts before, and this project was a chance to build a proper backend skeleton.</p> </blockquote> <h2 id="1-features-we-need">1. Features we need</h2> <ul> <li><code>flask</code></li> <li><code>blueprint</code></li> <li>CORS</li> <li>JSON responses</li> <li>easy debugging</li> <li>health check endpoint</li> <li>logging</li> <li>multiple environments</li> <li><code>flake8</code> for static analysis</li> <li><code>yapf</code> for formatting</li> <li>JWT tokens</li> <li>password hashing</li> <li>MySQL</li> <li>Sphinx docs</li> <li>Postman collections</li> <li>tests</li> <li>XSS mitigation (ORM + escaping)</li> <li>parameter integrity — SHA-1 (mitigate MITM tampering)</li> <li>timestamp validation (replay / DoS-style attacks)</li> </ul>