# Authentication Bypass
All sensitive actions on your website should require the user to be *authenticated* (i.e. to have identified who they are) and to be *authorized* (i.e. to have sufficient permissions to perform that action). If web routes fail to check the user identity, attackers will be able to access sensitive resources.
## Authentication Bypass in Python
Protected routes in your Python application should check the user is logged in, even if the path to access those resources is presumed unguessable. Attackers will poll common paths and scrape log files in an attempt to find unsecured routes, so the onus is on you to validate the user’s authentication status at the point of access.
A common way to do this in Python is to use function decorators, which can evaluate access permissions before a function is invoked. Here’s how to use the `@login_required` decorator in the Django web-framework:
```python
from django.contrib import messages
from django.contrib.auth import authenticate, login
from django.contrib.auth.decorators import login_required
from django.shortcuts import redirect, render


def do_login(request):
    """Check a user's credentials and log them in if correct."""
    username = request.POST['username']
    password = request.POST['password']
    user = authenticate(request, username=username, password=password)
    if user is not None:
        login(request, user)  # attaches the user to the session
        return redirect('/')
    messages.error(request, 'Invalid username or password.')
    return render(request, 'login.html')


@login_required(login_url='/login')
def protected_view(request):
    # Unauthenticated requests never reach this body; Django redirects them to /login.
    # (View name and template are illustrative; the original page does not show them.)
    return render(request, 'protected.html')
```
## Authentication in APIs
When you write a web application designed for programmatic access rather than human users, authentication is typically done using an access token rather than cookies. A common design pattern is to expect the API key to be passed in each request in the `Authorization` header. This keeps your application stateless and makes it easier to scale.
Here’s one way to extract and check the API key using HTTP Basic authentication in the Flask web server:
```python
from flask import Flask, jsonify
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import check_password_hash

app = Flask(__name__)
auth = HTTPBasicAuth()


@auth.verify_password
def verify_password(username, password):
    """Called with the credentials from the Authorization header on every
    protected request. Return the user on success; None yields a 401 response."""
    user = find_user(username)  # your own lookup (e.g. a database query); not shown on the page
    if user is not None and check_password_hash(user.password_hash, password):
        return user
    return None


@app.route('/users')
@app.route('/users/<user_id>')
@auth.login_required  # runs verify_password first; the view body only runs for valid credentials
def users(user_id=None):
    return jsonify({'user_id': user_id})
```
## Temporary Access Tokens
When you issue temporary access tokens to users that allow them to bypass authentication – for example, in the case of password reset emails – ensure those tokens are strong random numbers, and time them out after a short period. Also, ensure these tokens can only be used once. If an attacker compromises a user’s email account, they will often scan their inbox for password reset links in an attempt to take ownership of further accounts on vulnerable platforms.
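The following is an added example, not code from the original page, showing the three properties above in one small store: tokens come from the OS CSPRNG, expire after a short TTL, and are burned on first use. It assumes an in-memory dict and an injectable clock; only a SHA-256 digest of each token is stored, so a leaked table does not hand out working reset links.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class _Record:
    user_id: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Issue and redeem single-use, short-lived password-reset tokens.

    Storage is an in-memory dict keyed by token digest (assumed for the
    example; a real deployment would use a database table).
    """

    def __init__(self, ttl_seconds: int = 15 * 60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._records = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Only the digest is persisted; the clear-text token lives in the email alone.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, unlike sequential or time-based tokens.
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = _Record(user_id, self.clock() + self.ttl)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is known, unexpired and unused; else None.

        A successful redemption marks the token used, so a second attempt fails.
        """
        record = self._records.get(self._digest(token))
        if record is None or record.used or self.clock() > record.expires_at:
            return None
        record.used = True
        return record.user_id
```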
## Further Considerations
Authentication bypass vulnerabilities tend to occur when mistakes are made during the design phase. To avoid this, make sure you:
* Design your access control upfront and document it.
* Write unit tests to validate that unauthenticated users cannot access sensitive resources.
* Think like an attacker: focus on the biggest risks your organization faces and prioritize securing those.
* Record user activity in logs, so you have audit trails of who did what and when.
## CWEs
* [CWE-288](https://cwe.mitre.org/data/definitions/288.html)