Handling Authentication Secrets in the Browser

I gave a talk titled Handling Authentication Secrets in the Browser at Fluent 2017 in San Jose (you can see the slides above). As a complement to the talk, I thought it would be a good idea to write down the main concepts here on the blog as well, for those that weren't at my talk or those that were, but want to study the topic with more time than the 40 minutes I had for my presentation.

Migrating from Flask-Script to the New Flask CLI

In release 0.11, Flask introduced new command-line functionality based on Click, which includes the flask command. Before then, Flask did not provide any support for building command-line interfaces (CLIs), but Flask-Script provided similar functionality as a third-party extension.

It's been more than a year since the Flask CLI has been released, and I still see a lot of projects out there based on Flask-Script. My guess is that there aren't really any important reasons that motivate people to migrate, since Flask-Script worked well, or at least well enough. But the reality is that Flask-Script hasn't had an official release since 2014 and appears to be unmaintained. In this article I want to show you how I migrated the Flasky application from my Flask book from Flask-Script to Click (one of the changes that are coming in the second edition of the book!), so that you can learn what the differences are, and decide if it is time to migrate your applications.

Running Your Flask Application Over HTTPS

While you work on your Flask application, you normally run the development web server, which provides a basic yet functional, WSGI-compliant HTTP server. But eventually you will want to deploy your application for production use, and at that time, one of the many things you will need to decide is whether you should require clients to use encrypted connections for added security.

People ask me all the time about this, in particular how to expose a Flask server on HTTPS. In this article I'm going to present several options for adding encryption to a Flask application, going from an extremely simple one that you can implement in just five seconds, to a robust solution that should give you an A+ rating like my site gets from this exhaustive SSL analysis service.

Visual Studio Code for Python Developers

In this short article I'm going to give you an overview of Visual Studio Code, a free and open source IDE for Windows, Mac OS X and Linux, from Microsoft. This IDE is highly configurable and extensible with plugins, including a very good one for Python.

Unit Testing AsyncIO Code

I'm currently in the process of adding asyncio support to my Socket.IO server. Being experienced in the eventlet and gevent way of doing async, this has been a very interesting project, and a great learning experience. At some point I reached a head scratching moment, when I tried to write some unit tests to exercise the new code I was writing, but found that the Python unittest and mock libraries do not offer any facilities specifically tailored to testing asyncio.

One of the aspects I'm most proud of regarding my Socket.IO server is how complete the unit test suite is, in spite of being a highly networked project that runs under multiple asynchronous and networking frameworks. Given the high complexity of this project, I considered it a requirement to properly test all this new asyncio code, so I spent some time thinking about ways to implement asyncio testing. In this article I want to share the solutions I came up with, which helped me reach 100% coverage of my asyncio code.

How to Retry with Class

Highly distributed applications that consist of lots of small services talking among themselves are getting more and more popular, and that, in my opinion, is a good thing. But this architectural style brings with it a new class of problems that are less common in monolithic applications. Consider what happens when a service needs to send a request to another service, and this second service happens to be temporarily offline, or too busy to respond. If one little service goes offline at the wrong time, that can create a domino effect that can, potentially, take your entire application down.

In this article I'm going to show you techniques that can give your application some degree of tolerance for failures in dependent services. The basic concept is simple: we make the assumption that in most cases these failures are transient, so then when an operation fails, we just repeat it a few times, until it hopefully succeeds. Sounds easy, right? But as with most things, the devil is in the details, so keep reading if you want to learn how to implement a robust retry strategy.

Implementing the "Soft Delete" Pattern with Flask and SQLAlchemy

Every time I find myself writing code to delete data from a database I get nervous. What if I later determine that I needed this piece of information, after all? For example, what if having access to this data that was deleted would have helped me reproduce or debug an issue? Or what if the data can be useful for audit purposes in a future version of the application?

You can find lots of reasons to never delete records from your database. But obviously these records that you saved from permanent deletion need to be marked as being "less interesting" than the rest, so that you have something you can use to filter them out in queries. The Soft Delete pattern is one of the available options to implement deletions without actually deleting the data. It does it by adding an extra column to your database table(s) that keeps track of the deleted state of each of its rows. This sounds straightforward to implement, and strictly speaking it is, but the complications that derive from the use of soft deletes are far from trivial. In this article I will discuss some of these issues and how I avoid them in Flask and SQLAlchemy based applications.

How Secure Is The Flask User Session?

Many times I hear people say that user sessions in Flask are encrypted, so it is safe to write private information in them. Sadly, this is a misconception that can have catastrophic consequences for your applications and, most importantly, for your users. Don't believe me? Below you can watch me decode a Flask user session in just a few seconds, without needing the application's secret key that was used to encode it.

Hey Miguel, What Are You Working On These Days?

People are always curious about what I do at work. Up until some months ago, I was employed by Rackspace and worked on OpenStack development, something that made total sense and required no additional explanation. But then, in November of 2015 I decided to leave Rackspace to join an unknown little startup called SDVI Corporation. I have been working with them since.

I am constantly asked what this SDVI thing is, so I decided to put it in writing. Now, in the spirit of full disclosure, this isn't a completely innocent idea. SDVI is growing and is hiring full-stack developers, so with this article I not only want to satisfy your curiosity, but also pitch the company to those of you who might find that what we do is interesting.

UPDATE: I'm leaving this article up, but note that as of October 2016 I have left SDVI. If you are interested in applying to one of their jobs, please contact them directly; I am not involved with this company anymore.

"Flask At Scale" tutorial at PyCon 2016 in Portland

The tutorial lineup for PyCon 2016 in Portland, Oregon has been announced, and I'm excited to be part of it with yet another Flask tutorial. For some odd reason, not all the class information I provided with my proposal was published on the PyCon website, so I want to give you a good overview of the material I plan to cover here, to help you decide if this tutorial is for you.