Welcome again, @name! Darwin here with the last lesson before deployment - user authentication with Flask-Login! 🔐👤
Safari Analogy: Authentication is like passes for tourists - only people with valid tickets can enter the park, observe animals, and use exclusive trails! Without authentication anyone could enter and edit your database! 🎫🦁
Problem: Without authentication anyone can:
Solution: Login/registration system with Flask-Login!
Flask-Login is an extension for managing user sessions:
✅ Login/logout users ✅ Remember sessions (cookies) ✅ Route protection (`@login_required`) ✅ Access to `current_user` ✅ "Remember me" functionality
1pip install Flask-LoginFlask-Login requires a `User` class with specific methods. The easiest way is to use UserMixin:
1# models.py
2from flask_login import UserMixin
3from werkzeug.security import generate_password_hash, check_password_hash
4
5class User(UserMixin):
6 def __init__(self, id, username, email, password_hash):
7 self.id = id
8 self.username = username
9 self.email = email
10 self.password_hash = password_hash
11
12 def set_password(self, password):
13 """Hash the password"""
14 self.password_hash = generate_password_hash(password)
15
16 def check_password(self, password):
17 """Verify the password"""
18 return check_password_hash(self.password_hash, password)
19
20 def __repr__(self):
21 return f'<User {self.username}>'`UserMixin` provides:
1# app.py
2from flask import Flask
3from flask_login import LoginManager
4
5app = Flask(__name__)
6app.config['SECRET_KEY'] = 'your-secret-key-123'
7
8# Initialize LoginManager
9login_manager = LoginManager()
10login_manager.init_app(app)
11login_manager.login_view = 'login' # Redirect for unauthenticated users
12login_manager.login_message = 'Please log in to access this page.'
13
14# User database (in production: SQLite/PostgreSQL)
15users_db = {}
16next_user_id = 1
17
18# User loader - required by Flask-Login
19@login_manager.user_loader
20def load_user(user_id):
21 """Load user by ID"""
22 return users_db.get(int(user_id))`@login_manager.user_loader` - Flask-Login calls this function to load a user from the session.
1from flask_wtf import FlaskForm
2from wtforms import StringField, PasswordField, SubmitField
3from wtforms.validators import DataRequired, Email, EqualTo, Length
4
5class RegistrationForm(FlaskForm):
6 username = StringField('Username',
7 validators=[DataRequired(), Length(min=4, max=20)])
8
9 email = StringField('Email',
10 validators=[DataRequired(), Email()])
11
12 password = PasswordField('Password',
13 validators=[DataRequired(), Length(min=8)])
14
15 confirm_password = PasswordField('Confirm password',
16 validators=[DataRequired(),
17 EqualTo('password', message='Passwords must match')])
18
19 submit = SubmitField('Register')1from flask import render_template, redirect, url_for, flash
2from flask_login import login_user
3from models import User
4from forms import RegistrationForm
5
6@app.route('/register', methods=['GET', 'POST'])
7def register():
8 form = RegistrationForm()
9
10 if form.validate_on_submit():
11 global next_user_id
12
13 # Check if username/email already exists
14 for user in users_db.values():
15 if user.username == form.username.data:
16 flash('Username already taken!', 'error')
17 return render_template('register.html', form=form)
18
19 if user.email == form.email.data:
20 flash('Email already registered!', 'error')
21 return render_template('register.html', form=form)
22
23 # Create new user
24 user = User(
25 id=next_user_id,
26 username=form.username.data,
27 email=form.email.data,
28 password_hash=None
29 )
30 user.set_password(form.password.data) # Hash password
31
32 users_db[next_user_id] = user
33 next_user_id += 1
34
35 flash(f'Account {user.username} created! You can now log in.', 'success')
36 return redirect(url_for('login'))
37
38 return render_template('register.html', form=form)1class LoginForm(FlaskForm):
2 username = StringField('Username', validators=[DataRequired()])
3 password = PasswordField('Password', validators=[DataRequired()])
4 remember = BooleanField('Remember me')
5 submit = SubmitField('Log in')1from flask_login import login_user, current_user, logout_user
2
3@app.route('/login', methods=['GET', 'POST'])
4def login():
5 # If already logged in, redirect
6 if current_user.is_authenticated:
7 return redirect(url_for('home'))
8
9 form = LoginForm()
10
11 if form.validate_on_submit():
12 # Find user
13 user = None
14 for u in users_db.values():
15 if u.username == form.username.data:
16 user = u
17 break
18
19 # Check password
20 if user and user.check_password(form.password.data):
21 login_user(user, remember=form.remember.data)
22 flash(f'Welcome back, {user.username}!', 'success')
23
24 # Redirect to next_page or home
25 next_page = request.args.get('next')
26 return redirect(next_page) if next_page else redirect(url_for('home'))
27 else:
28 flash('Invalid username or password!', 'error')
29
30 return render_template('login.html', form=form)`login_user(user, remember=True)` - log in the user and create a session.
1@app.route('/logout')
2def logout():
3 logout_user()
4 flash('You have been logged out.', 'info')
5 return redirect(url_for('home'))`logout_user()` - log out the user and destroy the session.
The `@login_required` decorator protects routes from unauthenticated users:
1from flask_login import login_required, current_user
2
3@app.route('/species/add', methods=['GET', 'POST'])
4@login_required # Only logged in users
5def add_species():
6 form = AddSpeciesForm()
7
8 if form.validate_on_submit():
9 # ... add species ...
10 flash(f'Species added by {current_user.username}!', 'success')
11 return redirect(url_for('list_species'))
12
13 return render_template('add_species.html', form=form)
14
15@app.route('/profile')
16@login_required
17def profile():
18 return render_template('profile.html', user=current_user)If an unauthenticated user visits `/species/add`:
`current_user` is a proxy to the logged-in user:
1from flask_login import current_user
2
3@app.route('/')
4def home():
5 if current_user.is_authenticated:
6 return render_template('home.html',
7 username=current_user.username,
8 species_count=len(species_db))
9 else:
10 return render_template('home.html',
11 username=None,
12 species_count=len(species_db))1{% if current_user.is_authenticated %}
2 <p>Logged in as: <strong>{{ current_user.username }}</strong></p>
3 <a href="{{ url_for('logout') }}">Log out</a>
4{% else %}
5 <a href="{{ url_for('login') }}">Log in</a> |
6 <a href="{{ url_for('register') }}">Register</a>
7{% endif %}NEVER store passwords in plain text! Use hashing:
1from werkzeug.security import generate_password_hash, check_password_hash
2
3# Registration - hash password
4password_hash = generate_password_hash('SecretPassword123')
5# Output: 'pbkdf2:sha256:260000$...'
6
7# Login - verify password
8is_correct = check_password_hash(password_hash, 'SecretPassword123')
9# Output: True`generate_password_hash()` uses PBKDF2 with salt and multiple iterations - secure!
1from flask_login import UserMixin
2from werkzeug.security import generate_password_hash, check_password_hash
3
4class User(UserMixin):
5 def __init__(self, id, username, email, password_hash):
6 self.id = id
7 self.username = username
8 self.email = email
9 self.password_hash = password_hash
10
11 def set_password(self, password):
12 self.password_hash = generate_password_hash(password)
13
14 def check_password(self, password):
15 return check_password_hash(self.password_hash, password)1from flask_wtf import FlaskForm
2from wtforms import StringField, PasswordField, BooleanField, SubmitField
3from wtforms.validators import DataRequired, Email, EqualTo, Length
4
5class RegistrationForm(FlaskForm):
6 username = StringField('Username', validators=[DataRequired(), Length(min=4, max=20)])
7 email = StringField('Email', validators=[DataRequired(), Email()])
8 password = PasswordField('Password', validators=[DataRequired(), Length(min=8)])
9 confirm_password = PasswordField('Confirm password',
10 validators=[DataRequired(), EqualTo('password')])
11 submit = SubmitField('Register')
12
13class LoginForm(FlaskForm):
14 username = StringField('Username', validators=[DataRequired()])
15 password = PasswordField('Password', validators=[DataRequired()])
16 remember = BooleanField('Remember me')
17 submit = SubmitField('Log in')1from flask import Flask, render_template, redirect, url_for, flash, request
2from flask_login import LoginManager, login_user, logout_user, login_required, current_user
3from models import User
4from forms import RegistrationForm, LoginForm, AddSpeciesForm
5
6app = Flask(__name__)
7app.config['SECRET_KEY'] = 'your-secret-key-123'
8
9# Flask-Login
10login_manager = LoginManager()
11login_manager.init_app(app)
12login_manager.login_view = 'login'
13
14# Databases (in-memory)
15users_db = {}
16next_user_id = 1
17
18species_db = {}
19next_species_id = 1
20
21@login_manager.user_loader
22def load_user(user_id):
23 return users_db.get(int(user_id))
24
25@app.route('/')
26def home():
27 return render_template('home.html',
28 species_count=len(species_db))
29
30@app.route('/register', methods=['GET', 'POST'])
31def register():
32 if current_user.is_authenticated:
33 return redirect(url_for('home'))
34
35 form = RegistrationForm()
36
37 if form.validate_on_submit():
38 global next_user_id
39
40 # Check duplicates
41 for user in users_db.values():
42 if user.username == form.username.data:
43 flash('Username already taken!', 'error')
44 return render_template('register.html', form=form)
45
46 # Create user
47 user = User(next_user_id, form.username.data, form.email.data, None)
48 user.set_password(form.password.data)
49 users_db[next_user_id] = user
50 next_user_id += 1
51
52 flash(f'Account created! Please log in.', 'success')
53 return redirect(url_for('login'))
54
55 return render_template('register.html', form=form)
56
57@app.route('/login', methods=['GET', 'POST'])
58def login():
59 if current_user.is_authenticated:
60 return redirect(url_for('home'))
61
62 form = LoginForm()
63
64 if form.validate_on_submit():
65 user = None
66 for u in users_db.values():
67 if u.username == form.username.data:
68 user = u
69 break
70
71 if user and user.check_password(form.password.data):
72 login_user(user, remember=form.remember.data)
73 flash(f'Welcome, {user.username}!', 'success')
74
75 next_page = request.args.get('next')
76 return redirect(next_page) if next_page else redirect(url_for('home'))
77 else:
78 flash('Invalid username or password!', 'error')
79
80 return render_template('login.html', form=form)
81
82@app.route('/logout')
83@login_required
84def logout():
85 logout_user()
86 flash('Logged out.', 'info')
87 return redirect(url_for('home'))
88
89@app.route('/species/add', methods=['GET', 'POST'])
90@login_required
91def add_species():
92 form = AddSpeciesForm()
93
94 if form.validate_on_submit():
95 global next_species_id
96
97 new_species = {
98 'id': next_species_id,
99 'name': form.name.data,
100 'added_by': current_user.username
101 }
102
103 species_db[next_species_id] = new_species
104 next_species_id += 1
105
106 flash(f'Species added by {current_user.username}!', 'success')
107 return redirect(url_for('list_species'))
108
109 return render_template('add_species.html', form=form)
110
111if __name__ == '__main__':
112 app.run(debug=True)1<nav>
2 <a href="{{ url_for('home') }}">Home</a>
3 <a href="{{ url_for('list_species') }}">Species</a>
4
5 {% if current_user.is_authenticated %}
6 <a href="{{ url_for('add_species') }}">Add species</a>
7 <a href="{{ url_for('profile') }}">Profile ({{ current_user.username }})</a>
8 <a href="{{ url_for('logout') }}">Log out</a>
9 {% else %}
10 <a href="{{ url_for('login') }}">Log in</a>
11 <a href="{{ url_for('register') }}">Register</a>
12 {% endif %}
13</nav>In this lesson you learned:
Final Safari Analogy: Flask-Login is like a safari pass system - only tourists with valid tickets (`current_user.is_authenticated`) can enter the protected trail zone (`@login_required`), and each tourist has their unique identifier (user.id) and password (hashed)! 🎫🔐🦁
Next lesson: Darwin will show you deployment - publishing your Flask application on the internet (Gunicorn, Render, Railway)! 🚀🌐