We use cookies to enhance your experience on the site
CodeWorlds

Flask-Login - user authentication

Welcome again, @name! Darwin here with the last lesson before deployment - user authentication with Flask-Login! 🔐👤

Safari Analogy: Authentication is like passes for tourists - only people with valid tickets can enter the park, observe animals, and use exclusive trails! Without authentication anyone could enter and edit your database! 🎫🦁

Why authentication?

Problem: Without authentication anyone can:

  • Add/delete species
  • Edit data
  • Access sensitive information
  • No personalization

Solution: Login/registration system with Flask-Login!

Flask-Login - session management

Flask-Login is an extension for managing user sessions:

✅ Login/logout users ✅ Remember sessions (cookies) ✅ Route protection (`@login_required`) ✅ Access to `current_user` ✅ "Remember me" functionality

Installation

1pip install Flask-Login

User Model

Flask-Login requires a `User` class with specific methods. The easiest way is to use UserMixin:

1# models.py
2from flask_login import UserMixin
3from werkzeug.security import generate_password_hash, check_password_hash
4
5class User(UserMixin):
6    def __init__(self, id, username, email, password_hash):
7        self.id = id
8        self.username = username
9        self.email = email
10        self.password_hash = password_hash
11
12    def set_password(self, password):
13        """Hash the password"""
14        self.password_hash = generate_password_hash(password)
15
16    def check_password(self, password):
17        """Verify the password"""
18        return check_password_hash(self.password_hash, password)
19
20    def __repr__(self):
21        return f'<User {self.username}>'

`UserMixin` provides:

  • `is_authenticated` - is logged in
  • `is_active` - is active
  • `is_anonymous` - is anonymous
  • `get_id()` - returns ID as string

Flask-Login configuration

1# app.py
2from flask import Flask
3from flask_login import LoginManager
4
5app = Flask(__name__)
6app.config['SECRET_KEY'] = 'your-secret-key-123'
7
8# Initialize LoginManager
9login_manager = LoginManager()
10login_manager.init_app(app)
11login_manager.login_view = 'login'  # Redirect for unauthenticated users
12login_manager.login_message = 'Please log in to access this page.'
13
14# User database (in production: SQLite/PostgreSQL)
15users_db = {}
16next_user_id = 1
17
18# User loader - required by Flask-Login
19@login_manager.user_loader
20def load_user(user_id):
21    """Load user by ID"""
22    return users_db.get(int(user_id))

`@login_manager.user_loader` - Flask-Login calls this function to load a user from the session.

User registration

forms.py - registration form

1from flask_wtf import FlaskForm
2from wtforms import StringField, PasswordField, SubmitField
3from wtforms.validators import DataRequired, Email, EqualTo, Length
4
5class RegistrationForm(FlaskForm):
6    username = StringField('Username',
7                          validators=[DataRequired(), Length(min=4, max=20)])
8
9    email = StringField('Email',
10                       validators=[DataRequired(), Email()])
11
12    password = PasswordField('Password',
13                            validators=[DataRequired(), Length(min=8)])
14
15    confirm_password = PasswordField('Confirm password',
16                                    validators=[DataRequired(),
17                                               EqualTo('password', message='Passwords must match')])
18
19    submit = SubmitField('Register')

app.py - registration route

1from flask import render_template, redirect, url_for, flash
2from flask_login import login_user
3from models import User
4from forms import RegistrationForm
5
6@app.route('/register', methods=['GET', 'POST'])
7def register():
8    form = RegistrationForm()
9
10    if form.validate_on_submit():
11        global next_user_id
12
13        # Check if username/email already exists
14        for user in users_db.values():
15            if user.username == form.username.data:
16                flash('Username already taken!', 'error')
17                return render_template('register.html', form=form)
18
19            if user.email == form.email.data:
20                flash('Email already registered!', 'error')
21                return render_template('register.html', form=form)
22
23        # Create new user
24        user = User(
25            id=next_user_id,
26            username=form.username.data,
27            email=form.email.data,
28            password_hash=None
29        )
30        user.set_password(form.password.data)  # Hash password
31
32        users_db[next_user_id] = user
33        next_user_id += 1
34
35        flash(f'Account {user.username} created! You can now log in.', 'success')
36        return redirect(url_for('login'))
37
38    return render_template('register.html', form=form)

User login

forms.py - login form

1class LoginForm(FlaskForm):
2    username = StringField('Username', validators=[DataRequired()])
3    password = PasswordField('Password', validators=[DataRequired()])
4    remember = BooleanField('Remember me')
5    submit = SubmitField('Log in')

app.py - login route

1from flask_login import login_user, current_user, logout_user
2
3@app.route('/login', methods=['GET', 'POST'])
4def login():
5    # If already logged in, redirect
6    if current_user.is_authenticated:
7        return redirect(url_for('home'))
8
9    form = LoginForm()
10
11    if form.validate_on_submit():
12        # Find user
13        user = None
14        for u in users_db.values():
15            if u.username == form.username.data:
16                user = u
17                break
18
19        # Check password
20        if user and user.check_password(form.password.data):
21            login_user(user, remember=form.remember.data)
22            flash(f'Welcome back, {user.username}!', 'success')
23
24            # Redirect to next_page or home
25            next_page = request.args.get('next')
26            return redirect(next_page) if next_page else redirect(url_for('home'))
27        else:
28            flash('Invalid username or password!', 'error')
29
30    return render_template('login.html', form=form)

`login_user(user, remember=True)` - log in the user and create a session.

Logout

1@app.route('/logout')
2def logout():
3    logout_user()
4    flash('You have been logged out.', 'info')
5    return redirect(url_for('home'))

`logout_user()` - log out the user and destroy the session.

@login_required - protecting routes

The `@login_required` decorator protects routes from unauthenticated users:

1from flask_login import login_required, current_user
2
3@app.route('/species/add', methods=['GET', 'POST'])
4@login_required  # Only logged in users
5def add_species():
6    form = AddSpeciesForm()
7
8    if form.validate_on_submit():
9        # ... add species ...
10        flash(f'Species added by {current_user.username}!', 'success')
11        return redirect(url_for('list_species'))
12
13    return render_template('add_species.html', form=form)
14
15@app.route('/profile')
16@login_required
17def profile():
18    return render_template('profile.html', user=current_user)

If an unauthenticated user visits `/species/add`:

  1. They'll be redirected to `/login`
  2. After logging in they'll return to `/species/add`

current_user - current user

`current_user` is a proxy to the logged-in user:

1from flask_login import current_user
2
3@app.route('/')
4def home():
5    if current_user.is_authenticated:
6        return render_template('home.html',
7                             username=current_user.username,
8                             species_count=len(species_db))
9    else:
10        return render_template('home.html',
11                             username=None,
12                             species_count=len(species_db))

In templates

1{% if current_user.is_authenticated %}
2    <p>Logged in as: <strong>{{ current_user.username }}</strong></p>
3    <a href="{{ url_for('logout') }}">Log out</a>
4{% else %}
5    <a href="{{ url_for('login') }}">Log in</a> |
6    <a href="{{ url_for('register') }}">Register</a>
7{% endif %}

Password hashing - security

NEVER store passwords in plain text! Use hashing:

1from werkzeug.security import generate_password_hash, check_password_hash
2
3# Registration - hash password
4password_hash = generate_password_hash('SecretPassword123')
5# Output: 'pbkdf2:sha256:260000$...'
6
7# Login - verify password
8is_correct = check_password_hash(password_hash, 'SecretPassword123')
9# Output: True

`generate_password_hash()` uses PBKDF2 with salt and multiple iterations - secure!

Complete application with authentication

models.py

1from flask_login import UserMixin
2from werkzeug.security import generate_password_hash, check_password_hash
3
4class User(UserMixin):
5    def __init__(self, id, username, email, password_hash):
6        self.id = id
7        self.username = username
8        self.email = email
9        self.password_hash = password_hash
10
11    def set_password(self, password):
12        self.password_hash = generate_password_hash(password)
13
14    def check_password(self, password):
15        return check_password_hash(self.password_hash, password)

forms.py

1from flask_wtf import FlaskForm
2from wtforms import StringField, PasswordField, BooleanField, SubmitField
3from wtforms.validators import DataRequired, Email, EqualTo, Length
4
5class RegistrationForm(FlaskForm):
6    username = StringField('Username', validators=[DataRequired(), Length(min=4, max=20)])
7    email = StringField('Email', validators=[DataRequired(), Email()])
8    password = PasswordField('Password', validators=[DataRequired(), Length(min=8)])
9    confirm_password = PasswordField('Confirm password',
10                                    validators=[DataRequired(), EqualTo('password')])
11    submit = SubmitField('Register')
12
13class LoginForm(FlaskForm):
14    username = StringField('Username', validators=[DataRequired()])
15    password = PasswordField('Password', validators=[DataRequired()])
16    remember = BooleanField('Remember me')
17    submit = SubmitField('Log in')

app.py

1from flask import Flask, render_template, redirect, url_for, flash, request
2from flask_login import LoginManager, login_user, logout_user, login_required, current_user
3from models import User
4from forms import RegistrationForm, LoginForm, AddSpeciesForm
5
6app = Flask(__name__)
7app.config['SECRET_KEY'] = 'your-secret-key-123'
8
9# Flask-Login
10login_manager = LoginManager()
11login_manager.init_app(app)
12login_manager.login_view = 'login'
13
14# Databases (in-memory)
15users_db = {}
16next_user_id = 1
17
18species_db = {}
19next_species_id = 1
20
21@login_manager.user_loader
22def load_user(user_id):
23    return users_db.get(int(user_id))
24
25@app.route('/')
26def home():
27    return render_template('home.html',
28                         species_count=len(species_db))
29
30@app.route('/register', methods=['GET', 'POST'])
31def register():
32    if current_user.is_authenticated:
33        return redirect(url_for('home'))
34
35    form = RegistrationForm()
36
37    if form.validate_on_submit():
38        global next_user_id
39
40        # Check duplicates
41        for user in users_db.values():
42            if user.username == form.username.data:
43                flash('Username already taken!', 'error')
44                return render_template('register.html', form=form)
45
46        # Create user
47        user = User(next_user_id, form.username.data, form.email.data, None)
48        user.set_password(form.password.data)
49        users_db[next_user_id] = user
50        next_user_id += 1
51
52        flash(f'Account created! Please log in.', 'success')
53        return redirect(url_for('login'))
54
55    return render_template('register.html', form=form)
56
57@app.route('/login', methods=['GET', 'POST'])
58def login():
59    if current_user.is_authenticated:
60        return redirect(url_for('home'))
61
62    form = LoginForm()
63
64    if form.validate_on_submit():
65        user = None
66        for u in users_db.values():
67            if u.username == form.username.data:
68                user = u
69                break
70
71        if user and user.check_password(form.password.data):
72            login_user(user, remember=form.remember.data)
73            flash(f'Welcome, {user.username}!', 'success')
74
75            next_page = request.args.get('next')
76            return redirect(next_page) if next_page else redirect(url_for('home'))
77        else:
78            flash('Invalid username or password!', 'error')
79
80    return render_template('login.html', form=form)
81
82@app.route('/logout')
83@login_required
84def logout():
85    logout_user()
86    flash('Logged out.', 'info')
87    return redirect(url_for('home'))
88
89@app.route('/species/add', methods=['GET', 'POST'])
90@login_required
91def add_species():
92    form = AddSpeciesForm()
93
94    if form.validate_on_submit():
95        global next_species_id
96
97        new_species = {
98            'id': next_species_id,
99            'name': form.name.data,
100            'added_by': current_user.username
101        }
102
103        species_db[next_species_id] = new_species
104        next_species_id += 1
105
106        flash(f'Species added by {current_user.username}!', 'success')
107        return redirect(url_for('list_species'))
108
109    return render_template('add_species.html', form=form)
110
111if __name__ == '__main__':
112    app.run(debug=True)

templates/base.html - navigation with auth

1<nav>
2    <a href="{{ url_for('home') }}">Home</a>
3    <a href="{{ url_for('list_species') }}">Species</a>
4
5    {% if current_user.is_authenticated %}
6        <a href="{{ url_for('add_species') }}">Add species</a>
7        <a href="{{ url_for('profile') }}">Profile ({{ current_user.username }})</a>
8        <a href="{{ url_for('logout') }}">Log out</a>
9    {% else %}
10        <a href="{{ url_for('login') }}">Log in</a>
11        <a href="{{ url_for('register') }}">Register</a>
12    {% endif %}
13</nav>

Summary

In this lesson you learned:

  • ✅ Why authentication in web applications
  • ✅ Flask-Login - session management
  • ✅ User model with UserMixin
  • ✅ User registration
  • ✅ Login/logout
  • ✅ `@login_required` - route protection
  • ✅ `current_user` - access to logged-in user
  • ✅ Password hashing (werkzeug.security)
  • ✅ Complete Safari Database application with auth

Final Safari Analogy: Flask-Login is like a safari pass system - only tourists with valid tickets (`current_user.is_authenticated`) can enter the protected trail zone (`@login_required`), and each tourist has their unique identifier (user.id) and password (hashed)! 🎫🔐🦁

Next lesson: Darwin will show you deployment - publishing your Flask application on the internet (Gunicorn, Render, Railway)! 🚀🌐

Go to CodeWorlds