Flask remote_addr

Hi, I am relatively new to this. Any kind of help is appreciated.

I have two pythonanywhere (PA) accounts, say PA1 and PA2. The PA1 account has an app that is embedded into the app within PA2 using iframes. The PA1 app should only be available to people who have logged into it. However, the logged-in users can check the developer tools and find out the iframe url. So currently if anyone has access to the url for the PA1 app, it becomes public and the login path becomes useless. So I tried adding a route like this.

from flask import abort, request

@app.before_request
def limit_remote_addr():
    if request.remote_addr != '10.20.30.40':
        abort(403)  # Forbidden

But pythonanywhere always displays the remote_addr to be the same and I am not able to get it to work.

I also tried request.headers['X-Real-IP'].

Please help.

request.headers['X-Real-IP'] should work fine -- what do you see in that?

That said, using the IP address for this kind of thing might not be the best way to do it, as the IP address can be shared between different users -- for example, if an organisation uses a NAT system to provide Internet access to its users, they will all have the same IP. We often see that, for example, with universities -- every person using our site from such a university will have the same IP. In your case, if you were using the IP address to identify logged-in users, if one person logged in from such a university, everyone would have access.

From the other side, it's also possible for IP addresses to change -- for example, with a mobile connection, someone might get a new IP address if they dropped out of coverage and then came back in, and certainly would if they switched from a wifi network to cellular.

Of course, if you can be sure that all of the people who log in to your site will all be using their own unique IP address, and those IP addresses never change, then you should be OK.

But otherwise, I think it would be best to have a separate login flow on the embedded page -- that's the only safe way to do it with different sites on different domains (including different subdomains of pythonanywhere.com).
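A sketch of the separate login flow suggested in the reply above, added here as an example and not code from either poster: the embedded app gates every route on its own session instead of on the caller's IP. The `USERS` store, the route names, the password and the secret key are constructed placeholders.

```python
from flask import Flask, abort, request, session
from werkzeug.security import check_password_hash, generate_password_hash

app = Flask(__name__)
app.secret_key = "REPLACE-WITH-RANDOM-SECRET"  # placeholder; load from config
app.config.update(
    SESSION_COOKIE_SECURE=True,      # cookie is only sent over HTTPS
    SESSION_COOKIE_HTTPONLY=True,    # not readable from page scripts
    SESSION_COOKIE_SAMESITE="None",  # needed (with Secure) inside a cross-site iframe
)

# Constructed sample account store (hypothetical); use a real user database.
USERS = {"alice": generate_password_hash("constructed-password", method="pbkdf2:sha256")}
DUMMY_HASH = generate_password_hash("unused", method="pbkdf2:sha256")


def client_ip():
    """Address for audit logging only, never for authorization."""
    # X-Real-IP is meaningful only when the hosting proxy sets it.
    return request.headers.get("X-Real-IP", request.remote_addr)


@app.before_request
def require_login():
    # Every endpoint except the login handler needs an authenticated session.
    if request.endpoint != "login" and "user" not in session:
        app.logger.warning("unauthenticated request from %s", client_ip())
        abort(403)


@app.route("/login", methods=["POST"])
def login():
    username = request.form.get("username", "")
    stored = USERS.get(username, DUMMY_HASH)  # hash even for unknown users
    ok = check_password_hash(stored, request.form.get("password", ""))
    if not (ok and username in USERS):
        abort(403)
    session.clear()  # drop any pre-login session state
    session["user"] = username
    return "logged in"


@app.route("/")
def embedded_page():
    return f"embedded content for {session['user']}"
```

A second visitor behind the same NAT address gets a 403 until they log in themselves, which is the case the IP check cannot distinguish.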

Hi, I just wanted to know if there is a way to programmatically add the login credentials for a protected python anywhere website using python?

Do you mean the password which can be enabled on the Web page? If so, no -- you can't set it programmatically.