Authentication & Authorization

Authentication and authorization are common requirements for web applications. Flask recommends using Flask-Login for session login, combined with role/permission models for authorization.

Installation:

```bash
pip install flask-login
```

Initialization:

```python
# app/__init__.py
from flask import Flask
from flask_login import LoginManager

login_manager = LoginManager()

def create_app():
    app = Flask(__name__)
    # Flask-Login stores the user id in the signed session cookie, so a
    # SECRET_KEY is mandatory; load it from configuration, not a literal.
    app.config["SECRET_KEY"] = "change-me"
    login_manager.init_app(app)
    # Unauthenticated requests to @login_required views are redirected here
    login_manager.login_view = "auth.login"
    return app
```

User Model and Loading:

```python
from flask_login import UserMixin
from .extensions import db
from . import login_manager

class User(db.Model, UserMixin):
    # UserMixin supplies is_authenticated, is_active, is_anonymous and get_id()
    id = db.Column(db.Integer, primary_key=True)
    email = db.Column(db.String(120), unique=True, nullable=False)
    # Store only a salted hash (see "Password Security" below), never the password
    password_hash = db.Column(db.String(255), nullable=False)

@login_manager.user_loader
def load_user(user_id):
    # Called on every request with the id from the session cookie; must return
    # None (not raise) when the user no longer exists
    try:
        return db.session.get(User, int(user_id))
    except (TypeError, ValueError):
        return None
```

Login Views:

```python
from flask import Blueprint, abort, redirect, request, url_for
from flask_login import login_user, logout_user, login_required, current_user
from werkzeug.security import check_password_hash
from .models import User

# Blueprint name "auth" matches login_manager.login_view = "auth.login"
bp = Blueprint("auth", __name__)

@bp.post("/login")
def login():
    # Validate username and password
    user = User.query.filter_by(email=request.form.get("email", "")).first()
    if user is None or not check_password_hash(
        user.password_hash, request.form.get("password", "")
    ):
        abort(401)  # same response for unknown user and wrong password
    login_user(user, remember=True)
    return redirect(url_for("index"))

@bp.get("/logout")
@login_required
def logout():
    logout_user()
    return redirect(url_for("index"))
```

Authorization:

  • Use @login_required to protect routes that require login
  • Role permissions: design roles/permissions tables and check them before the view body runs (for example in a decorator that wraps the view)
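The role/permission check described in the second bullet, as an added example that is not part of the original page. It keeps the check logic free of Flask so it runs stand-alone: permissions are bit flags, a `Role` row holds a bitmask, and `permission_required` wraps a view and rejects the request with 401 (not logged in) or 403 (logged in but lacking the permission). The `get_user` callable and the two exception classes are stand-ins; in a real app `get_user` would be `lambda: current_user` and the exceptions would become `abort(401)` / `abort(403)`.

```python
from functools import wraps

# Permission bits; these values are constructed for the example.
READ = 0x1
WRITE = 0x2
ADMIN = 0x4


class Role:
    """A role is a named set of permission bits (one row of a 'roles' table)."""

    def __init__(self, name, permissions):
        self.name = name
        self.permissions = permissions

    def has(self, perm):
        # Every bit in `perm` must be set on the role.
        return self.permissions & perm == perm


class User:
    """Minimal stand-in for the User model with a role relationship."""
    is_authenticated = True

    def __init__(self, email, role):
        self.email = email
        self.role = role

    def can(self, perm):
        return self.role is not None and self.role.has(perm)


class AnonymousUser:
    """Mirrors flask_login's anonymous user: never authenticated, no permissions."""
    is_authenticated = False

    def can(self, perm):
        return False


class Unauthorized(Exception):
    status_code = 401


class Forbidden(Exception):
    status_code = 403


def permission_required(perm, get_user):
    """Deny the view unless get_user() is authenticated and holds `perm`.

    `get_user` is injected so the decorator can be exercised without Flask;
    in an app it would be `lambda: current_user` (assumption for this example).
    """
    def decorator(view):
        @wraps(view)
        def wrapped(*args, **kwargs):
            user = get_user()
            if not user.is_authenticated:
                raise Unauthorized()   # not logged in: would redirect to login_view
            if not user.can(perm):
                raise Forbidden()      # logged in, but the role lacks this permission
            return view(*args, **kwargs)
        return wrapped
    return decorator


# Constructed roles for the demonstration.
ROLES = {
    "viewer": Role("viewer", READ),
    "editor": Role("editor", READ | WRITE),
    "admin": Role("admin", READ | WRITE | ADMIN),
}


def request_status(user, perm):
    """Run a view protected by `perm` as `user`; return the HTTP status it yields."""
    @permission_required(perm, lambda: user)
    def protected_view():
        return 200

    try:
        return protected_view()
    except (Unauthorized, Forbidden) as exc:
        return exc.status_code


if __name__ == "__main__":
    editor = User("editor@example.com", ROLES["editor"])
    print(request_status(editor, WRITE))          # 200
    print(request_status(editor, ADMIN))          # 403
    print(request_status(AnonymousUser(), READ))  # 401
```

Checking the permission in a decorator keeps the decision in one place, so a view cannot forget it, and distinguishing 401 from 403 lets the login redirect fire only for anonymous users rather than for every denied request.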

Password Security:

```python
from werkzeug.security import generate_password_hash, check_password_hash

# Produces a salted, iterated hash string (method, salt and digest in one value);
# store this in User.password_hash instead of the plaintext
pw_hash = generate_password_hash("secret")
# Re-hashes the candidate with the stored salt and compares it; returns True/False
check_password_hash(pw_hash, "secret")
```
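What the two werkzeug calls above do underneath, as an added example that is not part of the original page and not werkzeug's own code: a per-password random salt, an iterated key-derivation function (PBKDF2-HMAC-SHA256 from the standard library here), a self-describing stored string, and a constant-time comparison on verification. The `method:iterations$salt$digest` layout is loosely modeled on werkzeug's output format but is this example's own; the iteration count is a chosen value.

```python
import hashlib
import hmac
import os

# Work factor and salt size for this example (assumed values, not werkzeug's).
ITERATIONS = 600_000
SALT_BYTES = 16
ALLOWED_HASHES = ("sha256", "sha512")


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing hash string.

    A fresh random salt is drawn per call, so hashing the same password twice
    yields different strings; `salt` is only injectable for deterministic tests.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2:sha256:{iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the digest with the stored salt/iterations; compare in constant time.

    Any malformed stored value is treated as a failed login rather than an error,
    so a corrupted row cannot crash the login view.
    """
    try:
        method, salt_hex, digest_hex = stored.split("$", 2)
        algo, hash_name, iterations = method.split(":")
        if algo != "pbkdf2" or hash_name not in ALLOWED_HASHES:
            return False
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking where the first differing byte is via timing
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    h = hash_password("secret")
    print(h)
    print(verify_password(h, "secret"), verify_password(h, "Secret"))
```

Because the salt and iteration count travel inside the stored string, the work factor can be raised later and old rows still verify; a login view would then re-hash and update the row after a successful check.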

Content is for learning and research only.