
Flask User Authentication

Implementing user authentication is crucial for most web applications. Flask, together with extensions such as Flask-Login, provides the tools to handle this securely.

Flask-Login


from flask_login import LoginManager, UserMixin, login_user, login_required, logout_user

# Attach Flask-Login to the app. LoginManager(app) is shorthand for
# LoginManager() followed by init_app(app); the two-step form is shown here.
login_manager = LoginManager()
login_manager.init_app(app)
# Endpoint name that @login_required redirects anonymous visitors to.
login_manager.login_view = 'login'

class User(UserMixin, db.Model):
    """Application user row.

    UserMixin supplies the is_authenticated / is_active / is_anonymous
    properties Flask-Login expects. Elsewhere on this page the model is
    constructed with username, email and password, where password holds a
    werkzeug password hash rather than the plain text.
    """
    # ... existing model ...

    def get_id(self):
        """Return the primary key as a string; Flask-Login stores it in the session."""
        return "%s" % (self.id,)

@login_manager.user_loader
def load_user(user_id):
    """Flask-Login callback: map the id kept in the session back to a User.

    user_id is the string produced by User.get_id(), so it is converted
    back to an int before the primary-key lookup. A missing row yields
    None, which Flask-Login treats as "not logged in".
    """
    primary_key = int(user_id)
    return User.query.get(primary_key)
            

Login/Logout Routes


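# Hash used when the submitted e-mail matches no account, so that the
# password check costs the same time whether or not the account exists.
_DUMMY_HASH = generate_password_hash('dummy-password-for-constant-cost-check')


def _password_matches(user, candidate):
    """Return True only when *user* exists and *candidate* matches its stored hash.

    The hash comparison runs even when user is None (against _DUMMY_HASH),
    so a failed login for an unknown e-mail takes as long as one for a known
    e-mail with a wrong password; otherwise response time would reveal which
    addresses are registered.
    """
    stored = user.password if user is not None else _DUMMY_HASH
    matched = check_password_hash(stored, candidate)
    return matched and user is not None


@app.route('/login', methods=['GET', 'POST'])
def login():
    """Render the login form and sign the user in when credentials are valid.

    Already-authenticated users are sent straight to 'home'. On a valid
    submission the user is looked up by e-mail and the password verified
    against the stored hash; on failure a single generic message is flashed
    so the response does not say whether the e-mail or the password was wrong.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home'))
    form = LoginForm()
    if form.validate_on_submit():
        user = User.query.filter_by(email=form.email.data).first()
        if _password_matches(user, form.password.data):
            login_user(user, remember=form.remember.data)
            return redirect(url_for('home'))
        flash('Login Unsuccessful. Please check email and password', 'danger')
    return render_template('login.html', form=form)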

@app.route('/logout')
@login_required
def logout():
    """Clear the Flask-Login session and send the user to the home page.

    NOTE(review): the route accepts GET, so any link or image tag can log a
    user out; restricting it to POST would put it behind the form CSRF token.
    """
    logout_user()
    destination = url_for('home')
    return redirect(destination)
            

Password Hashing


from werkzeug.security import generate_password_hash, check_password_hash

# generate_password_hash salts the password and returns a self-describing
# string (method, salt, digest); persist that string, never the plain text.
hashed_password = generate_password_hash('plain_password')
# check_password_hash re-derives the digest from the candidate and compares
# it with the stored one; the result is a plain bool.
is_valid = check_password_hash(hashed_password, 'plain_password')
            

Protected Routes


from flask_login import login_required

@app.route('/account')
@login_required
def account():
    """Account page; @login_required redirects anonymous visitors to login_manager.login_view."""
    template = 'account.html'
    return render_template(template)
            

User Registration


@app.route('/register', methods=['GET', 'POST'])
def register():
    """Render the registration form and create the account on a valid submission.

    Authenticated users are sent to 'home'. On success only the password
    hash is stored, the user is flashed a confirmation and redirected to the
    login page. Uniqueness of username/e-mail is not checked here —
    presumably RegistrationForm validators or a DB unique constraint enforce
    it; confirm, since db.session.commit() would otherwise raise.
    """
    if current_user.is_authenticated:
        return redirect(url_for('home'))
    form = RegistrationForm()
    if not form.validate_on_submit():
        return render_template('register.html', form=form)
    # The plain password exists only in the request; the DB sees the hash.
    password_hash = generate_password_hash(form.password.data)
    new_user = User(
        username=form.username.data,
        email=form.email.data,
        password=password_hash,
    )
    db.session.add(new_user)
    db.session.commit()
    flash('Your account has been created! You can now log in', 'success')
    return redirect(url_for('login'))
            

Password Reset


from itsdangerous import BadData, URLSafeTimedSerializer

# Reset tokens are signed with the app secret: anyone holding SECRET_KEY can
# mint a valid token for any user id, so it must stay out of source control.
s = URLSafeTimedSerializer(secret_key=app.config['SECRET_KEY'])

def get_reset_token(user, expires_sec=1800):
    """Return a signed, URL-safe password-reset token for *user*.

    The payload is only the user id; the serializer adds a timestamp and a
    signature under the 'password-reset' salt, which keeps these tokens
    distinct from anything else signed with the same key. expires_sec is not
    consulted here — URLSafeTimedSerializer enforces age at load time, so
    the limit must be passed as max_age when the token is verified.
    """
    payload = {'user_id': user.id}
    return s.dumps(payload, salt='password-reset')

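def verify_reset_token(token, expires_sec=1800):
    """Return the User a password-reset *token* was issued for, or None.

    Args:
        token: the string produced by get_reset_token().
        expires_sec: maximum accepted token age in seconds, passed as
            max_age so the serializer rejects anything older. It is a
            parameter because nothing else defines it in this scope.

    Returns:
        The matching User, or None when the token is forged, tampered with,
        expired, malformed, or names a user id that no longer exists.

    Note that the payload carries only the user id, so nothing here
    invalidates a token before it expires (for example after the password
    has already been changed).
    """
    try:
        data = s.loads(token, salt='password-reset', max_age=expires_sec)
    except BadData:
        # BadData covers BadSignature (forged/tampered), SignatureExpired
        # and BadPayload. Anything else is a programming error and should
        # surface rather than be mistaken for an invalid token.
        return None
    user_id = data.get('user_id') if isinstance(data, dict) else None
    if user_id is None:
        return None
    return User.query.get(user_id)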
            

Security Best Practices
