Insecure flask app

main.py

import base64
import os
from functools import wraps

from flask import Flask, request, session

app = Flask(__name__)
app.secret_key = base64.b64encode(os.urandom(32))

books = {
    "1": {
        "name": "Book #1",
        "owner": "user_a"
    },
    "2": {
        "name": "Book #2",
        "owner": "user_b"
    },
    "3": {
        "name": "Book #3",
        "owner": "user_a"
    },
    "4": {
        "name": "Book #4",
        "owner": "user_b"
    },
}

users = {
    "user_a": "some_password",
    "user_b": "different_password"
}


def require_auth(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        user = session.get('user', None)
        if not user:
            return {'message': 'unauthorized'}, 401
        return f(*args, **kwargs)

    return decorated


@app.route("/book/", methods=['GET'])
@require_auth
def get_books():
    user = session['user']
    return {'books': [b for _, b in books.items() if b['owner'] == user]}


@app.route("/book/<book_id>", methods=['GET'])
@require_auth
def get_book(book_id):
    book = books[book_id]
    if not book:
        return {'message': 'book not found'}, 404
    else:
        return book


@app.route("/login", methods=['POST'])
def login():
    body = request.json
    try:
        if body['password'] == users.get(body['username'], None):
            session['user'] = body['username']
            return {'user': session['user']}
    except:
        pass
    return {'message': 'unauthorized'}, 401


if __name__ == '__main__':
    app.run(debug=True, port=8080)