2012-06-09T06:44:24Z

The Flask Mega-Tutorial, Part V: User Logins

(Great news! There is a new version of this tutorial!)

This is the fifth article in the series in which I document my experience writing web applications in Python using the Flask microframework.

The goal of the tutorial series is to develop a decently featured microblogging application that demonstrating total lack of originality I have decided to call microblog.

NOTE: This article was revised in September 2014 to be in sync with current versions of Python and Flask.

Here is an index of all the articles in the series that have been published to date:

Recap

In the previous chapter of the series we created our database and learned how to populate it with users and posts, but we haven't hooked up any of that into our app yet. And two chapters ago we've seen how to create web forms and left with a fully implemented login form.

In this article we are going to build on what we learned about web forms and databases and write our user login system. At the end of this tutorial our little application will register new users and log them in and out.

To follow this chapter along you need to have the microblog app as we left it at the end of the previous chapter. Please make sure the app is installed and running.

An Update Regarding the State of OpenID

It's been more than three years ago that I wrote this article. Back then OpenID seemed like a nice authentication method that was gaining a lot of traction, but in 2015 there are better alternatives, and OpenID is not as widely deployed as it used to be.

I do not have plans to update this tutorial in the near future, as I have written extensively about other authentication methods elsewhere. When you follow this tutorial keep in mind that Google, which was the most prominent OpenID provider in 2012, has dropped support for this protocol completely. My recommendation is to use a Yahoo account to test OpenID in this tutorial. I have a few personal projects that still use OpenID and I use Yahoo as a provider with good results.

As far as real-world authentication, I do not think it is a good idea to use OpenID, given the lack of support. I have a few resources for you that can help you create a more modern authentication experience:

  • My Flask book covers a traditional username and password implementation, complete with user registration, password reminders and resets.
  • My OAuth Authentication with Flask blog article describes in detail how to implement OAuth authentication, which has much wider support than OpenID. With this method you can implement "Login with Facebook" type functionality. The article demonstrates how to login with Facebook and Twitter. Others, such as Google, LinkedIn, etc. can be implemented easily with the same technique.

Configuration

As in previous chapters, we start by configuring the Flask extensions that we will use. For the login system we will use two extensions, Flask-Login and Flask-OpenID. Flask-Login will handle our users logged in state, while Flask-OpenID will provide authentication. These extensions are configured as follows (file app/__init__.py):

import os
from flask_login import LoginManager
from flask_openid import OpenID
from config import basedir

lm = LoginManager()
lm.init_app(app)
oid = OpenID(app, os.path.join(basedir, 'tmp'))

The Flask-OpenID extension requires a path to a temp folder where files can be stored. For this we provide the location of our tmp folder.

Python 3 Compatiblity

Unfortunately version 1.2.1 of Flask-OpenID (the current official version) does not work well with Python 3. Check what version you have by running the following command:

$ flask/bin/pip freeze

If you have a version newer than 1.2.1 then the problem is likely resolved, but if you have 1.2.1 and are following this tutorial on Python 3 then you have to install the development version from GitHub:

$ flask/bin/pip uninstall flask-openid
$ flask/bin/pip install git+git://github.com/mitsuhiko/flask-openid.git

Note that you need to have git installed for this to work.

Revisiting our User model

The Flask-Login extension expects certain properties and methods to be implemented in our User class. Outside of these there are no requirements for how the class has to be implemented.

Below is our Flask-Login friendly User class (file app/models.py):

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    nickname = db.Column(db.String(64), index=True, unique=True)
    email = db.Column(db.String(120), index=True, unique=True)
    posts = db.relationship('Post', backref='author', lazy='dynamic')

    @property
    def is_authenticated(self):
        return True

    @property
    def is_active(self):
        return True

    @property
    def is_anonymous(self):
        return False

    def get_id(self):
        try:
            return unicode(self.id)  # python 2
        except NameError:
            return str(self.id)  # python 3

    def __repr__(self):
        return '<User %r>' % (self.nickname)

The is_authenticated property has a misleading name. In general this method should just return True unless the object represents a user that should not be allowed to authenticate for some reason.

The is_active property should return True for users unless they are inactive, for example because they have been banned.

The is_anonymous property should return True only for fake users that are not supposed to log in to the system.

Finally, the get_id method should return a unique identifier for the user, in unicode format. We use the unique id generated by the database layer for this. Note that due to the differences in unicode handling between Python 2 and 3 we have to provide two alternative versions of this method.

User loader callback

Now we are ready to start implementing the login system using the Flask-Login and Flask-OpenID extensions.

First, we have to write a function that loads a user from the database. This function will be used by Flask-Login (file app/views.py):

@lm.user_loader
def load_user(id):
    return User.query.get(int(id))

Note how this function is registered with Flask-Login through the lm.user_loader decorator. Also remember that user ids in Flask-Login are always unicode strings, so a conversion to an integer is necessary before we can send the id to Flask-SQLAlchemy.

The login view function

Next let's update our login view function (file app/views.py):

from flask import render_template, flash, redirect, session, url_for, request, g
from flask_login import login_user, logout_user, current_user, login_required
from app import app, db, lm, oid
from .forms import LoginForm
from .models import User

@app.route('/login', methods=['GET', 'POST'])
@oid.loginhandler
def login():
    if g.user is not None and g.user.is_authenticated:
        return redirect(url_for('index'))
    form = LoginForm()
    if form.validate_on_submit():
        session['remember_me'] = form.remember_me.data
        return oid.try_login(form.openid.data, ask_for=['nickname', 'email'])
    return render_template('login.html', 
                           title='Sign In',
                           form=form,
                           providers=app.config['OPENID_PROVIDERS'])

Notice we have imported several new modules, some of which we will use later.

The changes from our previous version are very small. We have added a new decorator to our view function. The oid.loginhandler tells Flask-OpenID that this is our login view function.

At the top of the function body we check if g.user is set to an authenticated user, and in that case we redirect to the index page. The idea here is that if there is a logged in user already we will not do a second login on top.

The g global is setup by Flask as a place to store and share data during the life of a request. As I'm sure you guessed by now, we will be storing the logged in user here.

The url_for function that we used in the redirect call is defined by Flask as a clean way to obtain the URL for a given view function. If you want to redirect to the index page you may very well use redirect('/index'), but there are very good reasons to let Flask build URLs for you.

The code that runs when we get a data back from the login form is also new. Here we do two things. First we store the value of the remember_me boolean in the flask session, not to be confused with the db.session from Flask-SQLAlchemy. We've seen that the flask.g object stores and shares data though the life of a request. The flask.session provides a much more complex service along those lines. Once data is stored in the session object it will be available during that request and any future requests made by the same client. Data remains in the session until explicitly removed. To be able to do this, Flask keeps a different session container for each client of our application.

The oid.try_login call in the following line is the call that triggers the user authentication through Flask-OpenID. The function takes two arguments, the openid given by the user in the web form and a list of data items that we want from the OpenID provider. Since we defined our User class to include nickname and email, those are the items we are going to ask for.

The OpenID authentication happens asynchronously. Flask-OpenID will call a function that is registered with the oid.after_login decorator if the authentication is successful. If the authentication fails the user will be taken back to the login page.

The Flask-OpenID login callback

Here is our implementation of the after_login function (file app/views.py):

@oid.after_login
def after_login(resp):
    if resp.email is None or resp.email == "":
        flash('Invalid login. Please try again.')
        return redirect(url_for('login'))
    user = User.query.filter_by(email=resp.email).first()
    if user is None:
        nickname = resp.nickname
        if nickname is None or nickname == "":
            nickname = resp.email.split('@')[0]
        user = User(nickname=nickname, email=resp.email)
        db.session.add(user)
        db.session.commit()
    remember_me = False
    if 'remember_me' in session:
        remember_me = session['remember_me']
        session.pop('remember_me', None)
    login_user(user, remember = remember_me)
    return redirect(request.args.get('next') or url_for('index'))

The resp argument passed to the after_login function contains information returned by the OpenID provider.

The first if statement is just for validation. We require a valid email, so if an email was not provided we cannot log the user in.

Next, we search our database for the email provided. If the email is not found we consider this a new user, so we add a new user to our database, pretty much as we have learned in the previous chapter. Note that we handle the case of a missing nickname, since some OpenID providers may not have that information.

After that we load the remember_me value from the Flask session, this is the boolean that we stored in the login view function, if it is available.

Then we call Flask-Login's login_user function, to register this is a valid login.

Finally, in the last line we redirect to the next page, or the index page if a next page was not provided in the request.

The concept of the next page is simple. Let's say you navigate to a page that requires you to be logged in, but you aren't just yet. In Flask-Login you can protect views against non logged in users by adding the login_required decorator. If the user tries to access one of the affected URLs then it will be redirected to the login page automatically. Flask-Login will store the original URL as the next page, and it is up to us to return the user to this page once the login process completed.

For this to work Flask-Login needs to know what view logs users in. We can configure this in the app's module initializer (file app/__init__.py):

lm = LoginManager()
lm.init_app(app)
lm.login_view = 'login'

The g.user global

If you were paying attention, you will remember that in the login view function we check g.user to determine if a user is already logged in. To implement this we will use the before_request event from Flask. Any functions that are decorated with before_request will run before the view function each time a request is received. So this is the right place to setup our g.user variable (file app/views.py):

@app.before_request
def before_request():
    g.user = current_user

This is all it takes. The current_user global is set by Flask-Login, so we just put a copy in the g object to have better access to it. With this, all requests will have access to the logged in user, even inside templates.

The index view

In a previous chapter we left our index view function using fake objects, because at the time we did not have users or posts in our system. Well, we have users now, so let's hook that up:

@app.route('/')
@app.route('/index')
@login_required
def index():
    user = g.user
    posts = [
        { 
            'author': {'nickname': 'John'}, 
            'body': 'Beautiful day in Portland!' 
        },
        { 
            'author': {'nickname': 'Susan'}, 
            'body': 'The Avengers movie was so cool!' 
        }
    ]
    return render_template('index.html',
                           title='Home',
                           user=user,
                           posts=posts)

There are only two changes to this function. First, we have added the login_required decorator. This will ensure that this page is only seen by logged in users.

The other change is that we pass g.user down to the template, instead of the fake object we used in the past.

This is a good time to run the application.

When you navigate to http://localhost:5000 you will instead get the login page. Keep in mind that to login with OpenID you have to use the OpenID URL from your provider. You can use one of the OpenID provider links below the URL text field to generate the correct URL for you.

As part of the login process you will be redirected to your provider's web site, where you will authenticate and authorize the sharing of some information with our application (just the email and nickname that we requested, no passwords or other personal information will be exposed).

Once the login is complete you will be taken to the index page, this time as a logged in user.

Feel free to try the remember_me checkbox. With this option enabled you can close and reopen your web browser and will continue to be logged in.

Logging out

We have implemented the log in, now it's time to add the log out.

The view function for logging out is extremely simple (file app/views.py):

@app.route('/logout')
def logout():
    logout_user()
    return redirect(url_for('index'))

But we are also missing a link to logout in the template. We are going to put this link in the top navigation bar which is in the base layout (file app/templates/base.html):

<html>
  <head>
    {% if title %}
    <title>{{ title }} - microblog</title>
    {% else %}
    <title>microblog</title>
    {% endif %}
  </head>
  <body>
    <div>Microblog:
        <a href="{{ url_for('index') }}">Home</a>
        {% if g.user.is_authenticated %}
        | <a href="{{ url_for('logout') }}">Logout</a>
        {% endif %}
    </div>
    <hr>
    {% with messages = get_flashed_messages() %}
    {% if messages %}
    <ul>
    {% for message in messages %}
        <li>{{ message }} </li>
    {% endfor %}
    </ul>
    {% endif %}
    {% endwith %}
    {% block content %}{% endblock %}
  </body>
</html>

Note how easy it is to do this. We just needed to check if we have a valid user set in g.user and if we do we just add the logout link. We have also used the opportunity to use url_for in our template.

Final words

We now have a fully functioning user login system. In the next chapter we will be creating the user profile page and will be displaying user avatars on them.

In the meantime, here is the updated application code including all the changes in this article:

Download microblog-0.5.zip.

See you next time!

Miguel

217 comments

  • #26 Miguel Grinberg said 2013-01-22T01:56:04Z

    @joshua: can you be more specific about the error(s) you see? Are you talking about the flaskext vs. flask.ext syntax?

  • #27 Sam said 2013-01-22T13:43:14Z

    Hello Miguel, being behind a cproxy, I failed to modify your code. Would you be able to advise?

  • #28 Miguel Grinberg said 2013-01-23T06:05:12Z

    @Sam: I don't understand what you mean. What code are you trying to modify?

  • #29 Sam said 2013-01-23T08:53:14Z

    @Miguel, sorry, I was not very clear. I have a company firewall that restrict my internet access. The openid module use urllib2 where there is a request to urllib2.open(request). For some reason, when I try to add a proxy handler to this, Flask returns an out of context error.

  • #30 Miguel Grinberg said 2013-01-24T02:09:41Z

    @Sam: looks like problems when authenticating from inside a firewall are not unheard of. This page may give you a few things to troubleshoot the problem: http://meta.stackoverflow.com/questions/1774/i-cant-log-in-with-my-openid-troubleshooting-tips

  • #31 Greg Lindstrom said 2013-02-03T18:18:21Z

    Great tutorials! Under the Revisiting our User Model section, the repr() method references self.name where it should be self.nickname (I believe). It may give people some grief if they are using "cut and paste" technology.

  • #32 Miguel Grinberg said 2013-02-03T18:29:16Z

    @Greg: Fixed. Thanks!

  • #33 Tian Siyuan said 2013-02-04T04:35:15Z

    It worked once. And I can see the log in the terminal.

    When I try again, nothing happens.

  • #34 George Mabley said 2013-02-07T05:15:03Z

    I only noticed it in later lessons, but I have the same problem as Peter earlier. The nickname split works great for e-mails, but not urls. I can get it to work for urls, but not without breaking the old split. Any tips for extracting a nickname for both e-mail and url OpenIDs?

  • #35 Miguel Grinberg said 2013-02-07T06:33:12Z

    @George: is the OpenID provider you are using returning an URL in the email field? Or is the email coming back empty so you want to use an URL instead? In my opinion a valid email should be required to register, if an email isn't provided maybe the registration should fail and the user must be redirected back to the login page.

  • #36 George said 2013-02-07T13:52:10Z

    When using MyOpenID, a url such as http://name.myopend.com is returned rather than name@myopend.com. I did not think about how it would be valuable to always have an email on file, so your solution of returning an error will work well. Thank you!

  • #37 Soferio said 2013-02-10T01:04:56Z

    Great tutorials. I changed my imports to the following:

    from flask_login import LoginManager from flask_openid import OpenID

  • #38 AA said 2013-02-11T03:55:06Z

    As of Flask 0.8, it flaskext changed to flask.ext

  • #39 Miguel Grinberg said 2013-02-11T04:44:56Z

    @AA: you are correct. I updated the code on github a while ago, I just missed updating the code snippets here in the article. Everything should be updated now. Thanks.

  • #40 lv10 said 2013-02-16T02:18:00Z

    Miguel, the 'user' part in the 'g.user' does this 'user' refer to the 'User' we defined for the database? I'm a little bit confused on how this part actually works?

  • #41 Miguel Grinberg said 2013-02-16T02:36:19Z

    @lv10: No, "g" is a global dictionary that is accessible to all requests and templates. You can put whatever you want in it. I have elected to write the current user as "g.user". This is done in the before_request handler so that it is always set before Flask calls the proper view function.

  • #42 Francisco De La Cruz said 2013-02-24T14:50:27Z

    Hi, this is an outstanding tutorial I have learned so much so far. I have an issue, once I login, I dont see the logout link anywhere. I have gone through the code over and oven and even downloaded your zip to no avail. What can be the issue?

  • #43 Miguel Grinberg said 2013-02-24T18:09:50Z

    @Francisco: the logout link is not in the code, it is in the base.html template. Have you compared this template from my github project with your own version?

  • #44 Francisco De La Cruz said 2013-02-24T19:14:18Z

    Hi Miguel, thanks, it seems like I missed the index.html that extended base.html back in part II

  • #45 jkdresser said 2013-02-25T09:20:23Z

    Thank you, jaco, for that lead. I was having trouble getting both "lm" defined & importable, and having my views visible to Flask. Its mention of namespaces led me to compare my manually & haphazardly built init.py against Miguel's official version and discovered that the order of definitions and imports there is important (and close to magic, given my current level of Python knowledge).

  • #46 WS said 2013-03-26T09:41:30Z

    @Miguel: I have followed your steps to build the 'microblog' app, but get stuck in this step. I can't login through an openid. I was led to the verification page, but can't return to be the verified state. The browser just present following information:

    Python Urlfetch Error: 'GET'

    DNSLookupFailedError('DNS lookup failed for URL: http://127.0.0.1:5000/login?next=/&openid_complete=yes&janrain_nonce=2013-03-26T09%3A37%3A48Z940CAW&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&openid.claimed_id=http%3A%2F%2Fopenid.aol.com%2Funderthesun314&openid.response_nonce=2013-03-26T09%3A38%3A17Z1cc9b75208a43218a304&openid.mode=id_res&openid.identity=http%3A%2F%2Fopenid.aol.com%2Funderthesun314&openid.return_to=http%3A%2F%2F127.0.0.1%3A5000%2Flogin%3Fnext%3D%2F%26openid_complete%3Dyes%26janrain_nonce%3D2013-03-26T09%253A37%253A48Z940CAW&openid.assoc_handle=d1d7c14a95f811e2b793002655277584&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.sreg%2Cns.ext2%2Csreg.email%2Cext2.type.email%2Cext2.value.email%2Cext2.mode&openid.sig=aM2VIwHlEL%2FXprbdCCp7%2B3k0vD4%3D&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.email=underthesun314%40aol.com&openid.ns.ext2=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext2.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext2.value.email=underthesun314%40aol.com&openid.ext2.mode=fetch_response',), deadline=60 DNSLookupFailedError('DNS lookup failed for URL: http://127.0.0.1:5000/login?next=/&openid_complete=yes&janrain_nonce=2013-03-26T09%3A37%3A48Z940CAW&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.op_endpoint=https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FopenidServer&openid.claimed_id=http%3A%2F%2Fopenid.aol.com%2Funderthesun314&openid.response_nonce=2013-03-26T09%3A38%3A17Z1cc9b75208a43218a304&openid.mode=id_res&openid.identity=http%3A%2F%2Fopenid.aol.com%2Funderthesun314&openid.return_to=http%3A%2F%2F127.0.0.1%3A5000%2Flogin%3Fnext%3D%2F%26openid_complete%3Dyes%26janrain_nonce%3D2013-03-26T09%253A37%253A48Z940CAW&openid.assoc_handle=d1d7c14a95f811e2b793002655277584&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.sreg%2Cns.ext2%2Csreg.email%2Cext2.type.email%2Cext2.value.email%2Cext2.mode&openid.sig=aM2VIwHlEL%2FXprbdCCp7%2B3k0vD4%3D&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fsreg%2F1.0&openid.sreg.email=underthesun314%40aol.com&openid.ns.ext2=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext2.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail&openid.ext2.value.email=underthesun314%40aol.com&openid.ext2.mode=fetch_response',), deadline=120

  • #47 Miguel Grinberg said 2013-03-26T16:15:36Z

    @WS: some OpenID providers need to contact the originating web server for security purposes, so you can't use those with a server that does not have a public IP address.

  • #48 jacob said 2013-04-09T18:17:53Z

    I have 2 yahoo accounts and both with the same nickname, so when I tried to login with them it said nickname is not unique? i changed the value on models to make it not unique, but i still get the error. Shouldn't it be possible to have more than 1 jacob in the database as long as the key is unique?

  • #49 Miguel Grinberg said 2013-04-10T16:18:30Z

    @jacob: you also need to recreate the database, or at least add a migration that removes the unique restriction. Note that a change this subtle will not be automatically picked up by sqlachemy-migrate, you will need to handle this migration manually.

  • #50 Krish said 2013-04-27T18:53:05Z

    FYI, initially I got "can not import lm" error when I used lm.setup_app(app) as mentioned in the tutorial.

    Then changed to lm.init_app(app) as per your code in microblog-0.5.zip and it is now working fine.