Flask-Login provides user session management for Flask. It handles the common tasks of logging in, logging out, and remembering your users' sessions over extended periods of time.
Flask-Login is not bound to any particular database system or permissions model. The only requirement is that your user objects implement a few methods, and that you provide a callback to the extension capable of loading users from their ID.
Read the documentation at https://flask-login.readthedocs.io.
Let's walk through setting up a basic application. Note that this is a very basic guide: we will be taking shortcuts here that you should never take in a real application.
To begin we'll set up a Flask app and a LoginManager
from Flask-Login.
import flask
import flask_login
app = flask.Flask(__name__)
app.secret_key = "super secret string" # Change this!
login_manager = flask_login.LoginManager()
login_manager.init_app(app)
To keep things simple we're going to use a basic User
class and a dictionary to
represent a database of users. In a real application, this would be an actual
persistence layer. However, it's important to point out this is a feature of
Flask-Login: it doesn't care how your data is stored so long as you tell it how to
retrieve it!
class User(flask_login.UserMixin):
def __init__(self, email, password):
self.id = email
self.password = password
users = {"leafstorm": User("leafstorm", "secret")}
We also need to tell the login manager how to load a user from a request by defining its
user_loader
callback. If no user is found it returns None
.
@login_manager.user_loader
def user_loader(id):
return users.get(id)
Now we're ready to define our views. The login view will populate the session with authentication info. The protected view will only be avialble to authenticated users; visiting it otherwise will show an error. The logout view clearing the session.
@app.get("/login")
def login():
return """<form method=post>
Email: <input name="email"><br>
Password: <input name="password" type=password><br>
<button>Log In</button>
</form>"""
@app.post("/login")
def login():
user = users.get(flask.request.form["email"])
if user is None or user.password != flask.request.form["password"]:
return flask.redirect(flask.url_for("login"))
flask_login.login_user(user)
return flask.redirect(flask.url_for("protected"))
@app.route("/protected")
@flask_login.login_required
def protected():
return flask.render_template_string(
"Logged in as: {{ user.id }}",
user=flask_login.current_user
)
@app.route("/logout")
def logout():
flask_login.logout_user()
return "Logged out"