I have simple python flask app with flask-login implemented. I have two functions to load template called first.html and second.html both of them are protected by a #login_required decorator. Below is the code I have written
#!/usr/bin/python
from app import app
from flask import render_template,request,redirect,abort
from flask_login import login_required,url_for,login_user,logout_user,LoginManager
from app.models.models import Users
import md5
from itsdangerous import URLSafeTimedSerializer
loginManager = LoginManager()
loginManager.init_app(app)
loginManager.login_view = 'signin'
loginManager.login_message = 'Please log in'
#loginManager.user_loader
def load_user(name):
user = Users.query.get(name)
return user
#loginManager.token_loader
def load_token(token):
print 'In Token Loader'
serializer = URLSafeTimedSerializer(app.secret_key)
data = serializer.loads(token)
username = data[0]
user = Users.query.get(name)
print user
return user
#app.route('/logout')
def logout():
print 'executing logout'
logout_user()
return render_template('login.html')
#app.route('/login',methods=['GET','POST'])
def signin():
if request.method == 'GET':
return render_template('login.html')
if request.method == 'POST':
username = request.form.get('username')
password = request.form.get('password')
salted_password = password + app.secret_key
hashedpassword = md5.new(salted_password).hexdigest()
user = Users.query.filter(Users.username == username).first()
if user == None:
return render_template('login.html')
storedPass = user.password
if storedPass == hashedpassword:
login_user(user, remember=True)
nex = request.args.get('next')
return redirect(nex or url_for('first'))
return render_template('login.html')
#app.route('/first')
#login_required
def first():
return render_template('first.html')
#app.route('/second')
#login_required
def second():
return render_template('second.html')
Now I access http://locahost:5000/login and login view is loaded. I entered the valid user and password which is authenticated successfully and gets a redirect to url_for('first')
Since first function is decorated with #login_required I am getting the login page again. As per my understanding from documentation, #token_loader called will be called and it handles the token and loads the first.html but this is not happening and login view is loaded again.
If i remove the #login_required decorator from first function, the the first.html is loaded.
I am missing something in invoking the token validation in my code and I am not sure what it is.
My User data model class looks like below
#!/usr/bin/python
from app import db,app
from itsdangerous import URLSafeTimedSerializer
class Users(db.Document):
uid = db.StringField()
username = db.StringField()
password = db.StringField()
def is_authenticated(self):
return True
def is_active(self):
return True
def is_anonymous(self):
return False
def get_id(self):
return unicode(self.uid)
def get_auth_token(self):
serializer = URLSafeTimedSerializer(app.secret_key)
return serializer.dumps([self.username,self.password])
Thanks
I changed the user_loader callback to
#loginManager.user_loader
def load_user(userid)
user = Users.query.filter(Users.uid == userid).first()
return user
and this solves the issue I am facing and it is generation a cookie called 'REMEMBER_ME' in my browser. But still I am finding a way to called the token_loader callback and when it would be called.
Related
i am programming by flask and i have a problem with flask_login
login and authentication will complete when i enter username and password and i can get my user data in login page but after redirecting to other pages the user become anonymous! it seems that flask_login or UserMixin module does not work correctly. Please help me to solve this problem in my code
app = Flask(__name__)
app.secret_key = os.urandom(12)
login_manager = LoginManager()
login_manager.init_app(app)
login_manager.login_view = 'login'
#app.before_request
def before_request():
g.db = Models.DATABASE
g.db.connect()
g.user=current_user
#login_manager.user_loader
def load_user(useremail):
try:
return Models.User.select().where(
Models.User.email == str(useremail)
).get()
except Models.DoesNotExist:
return None
#app.after_request
def after_request(response):
g.db.close()
return response
#app.route('/login', methods=('GET','POST'))
def login():
form=forms.Signinform()
if form.validate_on_submit():
try:
user = Models.User.get(
Models.User.email == form.email.data
)
if (user.password==hashmypassword(form.password.data)):
login_user(user)
flash("You're now logged in!")
print(user.join_date)
return redirect(url_for('home'))
else:
flash("No user with that email/password combo")
print(hashmypassword(form.password.data))
print(form.password.data)
return redirect(url_for('register'))
except Models.DoesNotExist:
flash("No user with that email/password combo")
except:
print(user.password)
flash ("incorrect")
return render_template('login.html',form=form)
#app.route('/')
#app.route('/home')
def home():
if current_user.is_authenticated:
print(current_user.email)
else:
print("No AAA")
"""Renders the home page."""
return render_template(
'index.html',
title='Home Page',
year=datetime.datetime.now().year,
)
i am authenticated in login page but not authenticated in home page!
Use the tag #login_required in your other functions in routes like this,
#app.route('/login', methods=('GET','POST'))
#login_required
def login():
form=forms.Signinform()
if form.validate_on_submit():
try:
user = Models.User.get(
Models.User.email == form.email.data
)
if (user.password==hashmypassword(form.password.data)):
login_user(user)
flash("You're now logged in!")
print(user.join_date)
return redirect(url_for('home'))
else:
flash("No user with that email/password combo")
print(hashmypassword(form.password.data))
print(form.password.data)
return redirect(url_for('register'))
except Models.DoesNotExist:
flash("No user with that email/password combo")
except:
print(user.password)
flash ("incorrect")
return render_template('login.html',form=form)
What do you mean by storing authentication?
By your question, if you want to identify logged in users, using flask-session is a good option. You can find the documentation here: https://flask-session.readthedocs.io/en/latest/
When a user logs in, you may create session variables as:
session['id'] = user_id
session['username'] = username
session['loggedin'] = true
Then you may specifically include in your routes what do you want for logged in users:
if 'loggedin' in session:
do this
else:
do that
You may also access these session variables in any route.
my problem solved using these functions in my Model class
def is_active(self):
"""True, as all users are active."""
return True
def get_id(self):
"""Return the email address to satisfy Flask-Login's requirements."""
return self.email
def is_authenticated(self):
"""Return True if the user is authenticated."""
return self.authenticated
def is_anonymous(self):
"""False, as anonymous users aren't supported."""
return False
i thought that def is_authenticated(self) is enough but all of these functions was necessary
I need to implement a simple login functionality to one of the applications that I a working on using flask-login. The authentication checking is hardcoded if condition and it is validating whether username password equals to a string given. The code is like the following:
#auth_bp.route('/login', methods=["POST"])
def loginHandler():
username = request.form.get('username')
password = request.form.get('password')
if username != 'admin' and password != 'Admin#123':
flash('Please check your login details and try again.')
return redirect(url_for('auth_bp.show_login'))
login_user(username, False)
# if the above check passes, then we know the user has the right credentials
return redirect(url_for('migration_bp.list'))
and in app.py file, I have the following code:
from flask import Flask
from flask_login import LoginManager, login_manager
from auth.auth import auth_bp
from environments.environments import environments_bp
from migration.migration import migration_bp
from logs.logs import logs_bp
UPLOAD_FOLDER = 'static/uploads'
#login_manager.user_loader
def user_loader():
# since the user_id is just the primary key of our user table, use it in the query for the user
return 1
def create_app():
app = Flask(__name__)
login_manager_copy = LoginManager()
login_manager_copy.login_view = 'auth.login'
login_manager_copy.init_app(app)
app.register_blueprint(auth_bp, url_prefix='/auth')
app.register_blueprint(environments_bp, url_prefix='/environments')
app.register_blueprint(migration_bp, url_prefix='/migration')
app.register_blueprint(logs_bp, url_prefix='/logs')
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
return app
if __name__ == '__main__':
create_app().run(debug=True)
But this is showing an error as follows:
AttributeError: module 'flask_login.login_manager' has no attribute 'user_loader'
As I don't need database, I think the User modal given in the examples are not needed. But it is giving errors without it. How can I fix this ?
EDIT:
As per the suggestion below, I have added a User class as shown below:
from flask_login import UserMixin, LoginManager, login_manager
class User(UserMixin):
def is_authenticated(self):
return True
def is_active(self):
return True
def is_anonymous(self):
return False
def get_id(self):
return int(self.id)
def __repr__(self):
return f"User('{self.username}', '{self.email}', '{self.powerlevel}')"
and added following code to app.py file:
#login_manager.user_loader
def load_user(user_id):
# since the user_id is just the primary key of our user table, use it in the query for the user
return User.query.get(int(user_id))
But it is still showing the same error.
app.py you will have this:
from flask_login import UserMixin, login_user, LoginManager, login_required, current_user, logout_user
app = Flask(__name__)
login_manager = LoginManager()
login_manager.init_app(app) #defined above app=Flask(__name__)
login_manager.login_view = 'login' #logged out users will be redirected to this route if attempting to view a route that requires login
#login_manager.user_loader
def load_user(id):
# This sets the callback for reloading a user from the session.
# The function you set should take a user ID and return a user object, or None if the user does not exist.
# id is str or int if the keys in data.USERS are str or int
# "123123" or 123123 (see next section)
try:
return data.USERS.get(str(id))
except:
return None
#app.route("/", methods=["GET","POST"])
def login():
if request.method == "POST":
if request.form["login"]:
id = request.form["id"]
password = request.form["password"]
response = data.confirmUserLogin(id, password)
if response["status"] == True:
# login the user
# Login user, You should pass the actual user object to this.
# If the user’s is_active property is False, they will not be logged in unless force is True
login_user(data.USERS[id])
flash(response["message"])
return redirect(url_for('index'))
else:
flash(response["message"])
return redirect(url_for('login'))
elif request.method == "GET":
return render_template("login.html")
data.py:
#you can use: class User(Usermixin)
"""
UserMixin pre-defines these attributes for your User class:
def is_authenticated():
...
def is_active():
...
def is_anonymous():
...
def get_id():
...
"""
# or you can just define these attributes yourself
class User():
def __init__(self, id, username, active=True):
self.id = id
self.username = username
self.active = active
def is_active(self):
# Here you should write whatever the code is
# that checks the database if your user is active
# return self.active
# for demo i just return True
return True
def is_authenticated(self):
# for demo i just return True
return True
def get_id(self):
# if you do not use Usermixin, this is important
# user_loader load_user(id) uses this get_id attribute to load the id
return self.id
# create local database of sample users
# Key are user id's : Value are User objects
USERS = {
"123123": User("123123", "user1"),
"456456": User("456456", "user2"),
"789789": User("789789", "user3", False),
}
def confirmUserLogin(id, password):
# check local db USERS for the id
if USERS.get(sso):
# get the user object (key's value)
user = USERS.get(id)
# check password
if user.password == password:
# entered password matches database password
response = {"status":True, "message":"Login Successfull!"}
return response
else:
# entered password DOES NOT match database password
response = {"status":False, "message":"Wrong password, please try again."}
return response
else:
# user does not exist
response = {"status":False, "message":"User does not exist, please try again."}
return response
I am quite sure that Flask-Login will not work without a class representing the data storage, because at some point it needs to access the database to know if a user has logged in already and other auth requirements.
Clearly as it does not impose a storage restriction, I think you can cheat the system without a database.
First create the User class as specified in the docs, https://flask-login.readthedocs.io/en/latest/
Define a class as so - all these methods are necessary.
class User:
def is_authenticated():
...
def is_active():
...
def is_anonymous():
...
def get_id():
...
Create a global variable that is of this user type and log users in and do whatever else. You do not necessarily need a database in which this class represents information in.
Let me know if you understood in the comments. Happy to help :)
I'm using flask-login to make sure users are logged in before they can access certain pages. I'm using #login_required on the view I want to protect, but even though I'm setting login_user(user) where I'm wanting to set the user, it does not let me go into my protected route (index). I'm printing out the value of my user_login(user) and it returns True. What am I doing wrong?
#app.route('/')
#app.route('/index')
#login_required
def index():
print("was in here", file=sys.stderr)
return render_template('index.html')
This is the route where I set the user_login(user)
#app.route('/authenticate')
def authenticate():
code = request.args.get('code')
state = request.args.get('state')
quiz_auth_response = quizlet_auth(code, state)
g.token = quiz_auth_response['token']
response = json.loads(make_request(quiz_auth_response['user_name']))
try:
user = models.User.get(models.User.username == response['username'])
login_user(user)
except models.DoesNotExist:
print("does not exist", file=sys.stderr)
user = models.User.create_user(response['username'], response['id'])
return redirect('/index')
else:
login_user(user)
print("log in user " + str(login_user(user)), file=sys.stderr)
login_user(user)
return redirect('/index')
Here is my user_loader
#login_manager.user_loader
def load_user(userid):
try:
return models.User.get(models.User.id == userid)
except models.DoesNotExist:
return None
Here is my User model
sqlite_db = SqliteDatabase('sqlite.db')
class BaseModel(Model):
class Meta:
database = sqlite_db
class User(UserMixin, BaseModel):
username = CharField(unique=True)
quizlet_id = CharField(unique=True)
joined_at = DateTimeField(default=datetime.datetime.now)
#classmethod
def create_user(cls, username, quiz_id, **kwards):
try:
cls.select().where(
(cls.username == username) | (cls.quizlet_id == quiz_id)
).get()
except cls.DoesNotExist:
print("putting user in thing", file=sys.stderr)
user = cls(username = username, quizlet_id = quiz_id)
print(user.username)
user.save()
return user
else:
raise Exception("User with that email exists already")
#staticmethod
def set_password(password):
return generate_password_hash(password.encode('utf-8'))
My problem was that the #flask_login.login_required decorator was above the #app.route('<path>') decorator, so I just replaced them and it worked
From this:
#flask_login.login_required
#app.route('/')
def index():
return render_template("index.html")
to this:
#app.route('/')
#flask_login.login_required
def index():
return render_template("index.html")
Just spent the last 2 hours trying to fix this and realized that it was because off the configuration that the login_required was not working
On my local development environment, I had set
app.config['TESTING'] = True
From the flask-login documentation
If the application configuration variable LOGIN_DISABLED or TESTING is
set to True, the login_required decorator will be ignored
set it back to this and got it working
app.config['TESTING'] = False
Just check if the user is logged in. There might be a cookie that the user is logged in.
I tested if it was all working by just setting the user as logged in that added a
cookie.
I just added this and got it working
#app.before_first_request
def init_app():
logout_user()
and it worked perfectly fine
Is the username field a primary key? Assuming that you are using sql alchemy, the get() method aways look for the primary key and does not accept expressions, see http://docs.sqlalchemy.org/en/rel_1_0/orm/query.html#sqlalchemy.orm.query.Query.get
Try again with user = models.User.filter_by(username=response['username'])...
If you are using flask-login, you need to make sure that you have a function that can be used by the library to load a user based on the ID.
Something of this type:
#login_manager.user_loader
def load_user(user_id):
return models.User.get(models.User.id == user_id)
Please read this section of the docs for how to do it.
I'm new to Python and Flask.
I'm following this tutorial http://douglasstarnes.com/index.php/2015/05/27/easy-authentication-with-flask-login/ to have registration and login pages and have slightly modified it to hash the passwords on registration and to verify the password against the hash on login.
Initial password registration hashing works, but verifying the hashed password stored in the database against the one given in plain text via a login form does not.
The error I am receiving is against the following line on /login page and for the following reason:
if user.count() == 1 and check_password_hash(user.password, password) == True:
AttributeError: 'BaseQuery' object has no attribute 'password'
I cannot work out why I'm receiving this error. The user gets successfully queried from the database, and the user has it's hashed password within the password column.
The query I'm using and method of returning data from the password column are similar to that included in the documentation http://flask-sqlalchemy.pocoo.org/2.1/queries/#querying-records
This is my views.py (/login and the erroring line are towards the bottom)
from flask import Flask, render_template, request, abort, redirect, url_for, flash
from flask.ext.login import LoginManager, UserMixin, login_user, logout_user, login_required
from flask.ext.sqlalchemy import SQLAlchemy
from werkzeug.security import generate_password_hash, check_password_hash
from app import app
import os
login_manager = LoginManager(app)
login_manager.init_app(app)
login_manager.login_view = 'login'
login_manager.session_protection = "strong"
db = SQLAlchemy(app)
class User(db.Model, UserMixin):
id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String)
password = db.Column(db.String)
#login_manager.user_loader
def user_loader(user_id):
user = User.query.filter_by(id=user_id)
if user.count() == 1:
return user.one()
return None
#app.before_first_request
def init_request():
db.create_all()
#app.route('/secret')
#login_required
def secret():
return render_template('secret.html')
#app.route('/logout')
def logout():
logout_user()
return redirect(url_for('index'))
#app.route('/register', methods=['GET', 'POST'])
def register():
if request.method == 'GET':
return render_template('register.html')
elif request.method == 'POST':
username = request.form['txtUsername']
password = request.form['txtPassword']
user = User.query.filter_by(username=username)
if user.count() == 0:
hashed_password = generate_password_hash(password)
user = User(username=username, password=hashed_password)
db.session.add(user)
db.session.commit()
flash('You have registered the username {0}. Please login'.format(username))
return redirect(url_for('login'))
else:
flash('The username {0} is already in use. Please try a new username.'.format(username))
return redirect(url_for('register'))
else:
abort(405)
#app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'GET':
return render_template('login.html', next=request.args.get('next'))
elif request.method == 'POST':
username = request.form['txtUsername']
password = request.form['txtPassword']
user = User.query.filter_by(username=username)
if user.count() == 1 and check_password_hash(user.password, password) == True:
login_user(user.one(), remember=True)
flash('Welcome back {0}'.format(username))
try:
next = request.form['next']
return redirect(next)
except:
return redirect(url_for('index'))
else:
flash('Invalid login')
return redirect(url_for('login'))
else:
return abort(405)
#app.route('/')
def index():
return render_template('index.html')
Does anyone know why I cannot access the password column for the user, or in fact any column? I've tried all 3 within the database, ID, username and password.
#login_manager.user_loader
def user_loader(user_id):
user = User.query.filter_by(id=user_id).first()
if user:
return user
return None
Applying the .first() executes the query, instead of storing the Query object
it will return only the first result.
.all() returns all
edit:
or you could use user = User.query.get(user_id) assuming user_id is defined as PK
In your Login Function it should be
user = User.query.filter_by(username=username).first()
if user and check_password_hash(user.password, password) == True:
login_user(user)
Now user references a real User object, as opposed to a stored query. you cannot access a User Object attribute (password) from a Query Object
Don't miss .first() or .all() after the SQLQLCHAMY ORM query.
This is cause of such error always.
In short:
By only using the Flask micro-framework (and its dependencies) can we perform an internal redirect from one route to another?
For example:
User submits the registration form (both username and password) to #app.route('/register', methods=['POST'])
If the registration is successful, Flask internally does an HTTP POST to #app.route('/login', methods['POST']) passing the username and password
Process and log in the user
Details:
I am building a REST API using Flask and the Flask-JWT extension. More specifically I'm implementing the login and registration.
Login works perfectly and returns a JSON object with a token.
Following is my (login) authentication handler (i.e. /auth (POST request) - Default Flask-JWT authentication URL rule):
#jwt.authentication_handler
def authenticate(username, password):
user = User.query.filter_by(username=username).first()
if user and user.verify_password(password):
return user
return None
A successful login returns:
{
"token": "<jwt-token>"
}
Following is my registration route:
#app.route('/register', methods=['PUT'])
def register():
username = request.form.get('username')
password = request.form.get('password')
if username is None or password is None:
abort(400) # missing parameters
user = User.query.filter_by(username=username).first()
if user:
abort(400) # user exists
else:
user = User(user=user)
user.hash_password(password)
db.session.add(user)
db.session.commit()
# How do we generate a token?
# Perform an internal redirect to the login route?
return jsonify({'token': <jwt-token>}), 201
You should use the Post-Redirect-Get pattern.
from flask import Flask, redirect, request, render_template
app = Flask("the_flask_module")
#app.route('/', methods=["GET", "POST"])
def post_redirect_get():
if request.method == "GET":
return render_template("post_redirect_get.html")
else:
# Use said data.
return redirect("target", code=303)
#app.route("/target")
def target():
return "I'm the redirected function"
app.run(host="0.0.0.0", port=5001)
And if you want to pass data to the target function (like that token) you can use the session object to store it
So that would break down something like
#app.route('/register', methods=['PUT'])
def register():
username = request.form.get('username')
password = request.form.get('password')
if username is None or password is None:
abort(400) # missing parameters
user = User.query.filter_by(username=username).first()
if user:
abort(400) # user exists
else:
user = User(user=user)
user.hash_password(password)
db.session.add(user)
db.session.commit()
# How do we generate a token?
redirect("login_success", code=307)
#app.route("login_success", methods=["GET", "POST"])
#jwt_required()
def login_success():
return "Redirected Success!"
Edit:
I haven't used Flask-JWT before and didn't know about the post requirement. But you can tell Flask to redirect with the current method used (rather than a get request) by passing the redirect function code=307.. Hopefully that solves your extended problem.