A comprehensive educational Flask web application designed to teach modern web development concepts with a strong focus on security implementation and best practices. This project demonstrates real-world security features, including a custom input sanitization module that has been scanned with OWASP ZAP, and shows how common web attack vectors (XSS, CSRF, injection) are prevented.
This is an educational project built to:
- Learn Flask web development fundamentals
- Experiment with security features and understand their implementation
- Demonstrate custom security modules (like `sanitize_module.py`, which passed OWASP ZAP testing)
- Study attack prevention techniques (XSS, CSRF, injection attacks)
- Understand modern web application architecture
⚠️ Educational Focus: This application is designed for learning purposes and includes experimental security implementations that have been validated through security testing.
- Custom Input Sanitization: A custom `sanitize_module.py` that detects and rejects malicious input patterns
- OWASP ZAP Tested: Security module validated against automated security scanning
- CSRF Protection: Flask-WTF integration for cross-site request forgery prevention
- Rate Limiting: Flask-Limiter implementation to prevent abuse
- Content Security Policy: CSP headers to mitigate XSS attacks
- Secure Authentication: Password hashing with session management
- User Authentication: Registration, login, logout with Flask-Login
- Role-Based Access: Admin and regular user permissions
- Todo Management: Full CRUD operations for task management
- Team Collaboration: Group-based task assignment and management
- Database ORM: SQLAlchemy with PostgreSQL support
- Input Validation: Comprehensive form validation and sanitization
- Responsive Design: Mobile-friendly interface
- Interactive Sliders: Image carousels for feature demonstrations
- Modern UI: Clean, professional design with smooth animations
- Accessibility: Semantic HTML and keyboard navigation support
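The feature list above names Flask-Limiter for rate limiting. To show what a per-client limit actually does, here is an added example of a sliding-window limiter in plain Python; it is not the project's `rate_limit.py` and not Flask-Limiter, and the limit, window, client keys and helper names are assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_seconds` per client key.

    A sliding window keeps the timestamps of recent requests, so a client
    cannot get twice the limit by straddling a fixed-window boundary. The
    clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = float(window_seconds)
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> request timestamps still inside the window

    def allow(self, key):
        """Record one request for `key`; return (allowed, retry_after_seconds)."""
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # expire entries that left the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False, self.window - (now - hits[0])
        hits.append(now)
        return True, 0.0


class FakeClock:
    """Controllable clock for tests (assumed helper, not production code)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def client_key(remote_addr, forwarded_for=None, trust_proxy=False):
    """Key requests by client IP. Only honour X-Forwarded-For when the app
    sits behind a proxy you control; otherwise the header is attacker-chosen
    and a caller resets their own limit simply by changing it."""
    if trust_proxy and forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def burst(limiter, key, count):
    """Fire `count` requests as fast as possible; return (allowed, rejected)."""
    allowed = 0
    for _ in range(count):
        ok, _retry = limiter.allow(key)
        allowed += 1 if ok else 0
    return allowed, count - allowed


if __name__ == "__main__":
    # Constructed demo: 5 login attempts per minute from one address
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=5, window_seconds=60, clock=clock)
    print(burst(limiter, "203.0.113.7", 8))  # 5 allowed, 3 rejected
    clock.advance(60)
    print(limiter.allow("203.0.113.7"))      # allowed again once the window has passed
```

For a login form the key is usually the client address combined with the submitted username, so one attacker cannot spray many accounts from one address and one account cannot be locked for everyone by a single address. Whatever the key, the limiter must be backed by shared storage (Flask-Limiter supports Redis and memcached) once more than one worker process serves requests; an in-process dict like the one above gives each Gunicorn worker its own independent counter.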
- SVG Icon Integration: Replaced emoji icons with custom SVG files for better scalability and professional appearance
- Enhanced Footer: Added professional footer with copyright notice "© 2025 A J. All Rights Reserved." and GitHub link
- Responsive Footer Design: Two-column layout on desktop, stacked on mobile devices
- Icon Styling: Added proper CSS sizing and positioning for feature section SVG icons
- Security Enhancements: Updated footer links with `rel="noopener noreferrer"`, so links opened in a new tab neither hand the opener window to the linked site nor leak the referrer
- Type Safety Fixes: Resolved Flask route type errors where `request.form.get()` could return `None` but functions expected `str`
- Model Query Optimizations: Fixed SQLAlchemy query issues in user and group handling
- Backend: Python Flask 2.3+
- Database: PostgreSQL with SQLAlchemy ORM
- Security: Flask-WTF, Flask-Limiter, Custom sanitization
- Frontend: HTML5, CSS3, Vanilla JavaScript
- Testing: pytest framework
- Deployment: Gunicorn WSGI server support
```
apps/todo/
├── app/
│   ├── __init__.py            # Flask app factory
│   ├── models.py              # SQLAlchemy database models
│   ├── routes/                # Blueprint route handlers
│   │   ├── auth.py            # Authentication routes
│   │   ├── main.py            # Main application routes
│   │   └── admin.py           # Admin panel routes
│   ├── security/              # Security modules
│   │   ├── rate_limit.py      # Rate limiting logic
│   │   ├── sanitize_module.py # Custom input sanitization
│   │   └── validation.py      # Input validation
│   ├── utils.py               # Utility functions
│   └── error_handlers.py      # Custom error pages
├── static/
│   ├── css/
│   │   ├── base.css           # Global styles
│   │   ├── index.css          # Homepage styles
│   │   └── dashboard.css      # Dashboard styles
│   ├── images/                # Screenshots and assets
│   └── utils/
│       └── slider.js          # Carousel functionality
├── templates/
│   ├── base.html              # Base template
│   ├── index.html             # Landing page
│   ├── login.html             # Login page
│   ├── register.html          # Registration page
│   ├── dashboard.html         # User dashboard
│   └── admin/                 # Admin templates
├── tests/
│   ├── conftest.py            # pytest configuration
│   ├── test_main_routes.py    # Route testing
│   └── test_sanitize.py       # Security testing
├── requirements.txt           # Python dependencies
├── run.py                     # Application entry point
└── README.md                  # This file
```
- Python 3.13 or higher
- PostgreSQL database
- Git
1. Clone the Repository

   ```bash
   git clone https://github.com/AJIT301/Python-Flask-Todo.git
   cd Python-Flask-Todo/apps/todo
   ```

2. Create Virtual Environment

   ```bash
   # Windows
   python -m venv venv
   venv\Scripts\activate
   # Linux/Mac
   python -m venv venv
   source venv/bin/activate
   ```

3. Install Dependencies

   ```bash
   pip install -r requirements.txt
   ```

4. Database Setup

   ```bash
   # Create PostgreSQL database
   createdb flask_todo_db
   # Or use the provided database setup script
   python app/testdb.py
   ```

5. Environment Configuration

   Create a `.env` file in the project root:

   ```
   # Flask Configuration
   FLASK_APP=run.py
   # FLASK_ENV was removed in Flask 2.3; FLASK_DEBUG=1 enables the debugger and
   # reloader. Local development only: the Werkzeug debugger executes code.
   FLASK_DEBUG=1
   # Generate a real value with: python -c "import secrets; print(secrets.token_hex(32))"
   SECRET_KEY=your-super-secret-key-change-this-in-production
   # Database Configuration
   DB_USER=your_db_username
   DB_PASSWORD=your_db_password
   DB_HOST=localhost
   DB_PORT=5432
   DB_NAME=flask_todo_db
   # Optional: Server Configuration
   FLASK_RUN_HOST=127.0.0.1
   FLASK_RUN_PORT=5000
   ```

   Keep `.env` out of version control (add it to `.gitignore`): it holds the session signing key and the database password.

6. Initialize Database

   ```bash
   # Create tables and seed initial data
   python -m flask db upgrade
   python -m flask seed
   ```

7. Run the Application

   ```bash
   python run.py
   ```

8. Access the Application

   Open your browser and navigate to http://localhost:5000
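The `.env` keys from the setup steps feed Flask's config. As an added example (not the project's code), here is a loader that assembles the database URI from the `DB_*` variables, refuses to start with the sample `SECRET_KEY` placeholder, and sets the session-cookie flags a deployment should have. The function names, the 32-byte minimum and the cookie settings are assumptions for the illustration, not anything the project defines.

```python
import os
import secrets
from urllib.parse import quote_plus

# Placeholder shipped in the sample .env; the app must never run with it.
PLACEHOLDER_SECRET = "your-super-secret-key-change-this-in-production"
MIN_SECRET_BYTES = 32  # assumed minimum length for the session signing key


class ConfigError(ValueError):
    """Raised when the environment would start the app in an unsafe state."""


def build_database_uri(env):
    """Assemble the SQLAlchemy URI from the DB_* variables.

    User and password are percent-encoded: a raw '@', ':' or '/' in a
    password would otherwise be parsed as the host or port boundary.
    """
    missing = [k for k in ("DB_USER", "DB_PASSWORD", "DB_NAME") if not env.get(k)]
    if missing:
        raise ConfigError("missing database settings: " + ", ".join(missing))
    port = env.get("DB_PORT", "5432")
    if not port.isdigit():
        raise ConfigError("DB_PORT must be numeric, got %r" % port)
    return "postgresql://%s:%s@%s:%s/%s" % (
        quote_plus(env["DB_USER"]),
        quote_plus(env["DB_PASSWORD"]),
        env.get("DB_HOST", "localhost"),
        port,
        env["DB_NAME"],
    )


def validate_secret_key(value, debug):
    """Reject a missing, placeholder or (outside debug) short SECRET_KEY."""
    if not value or value == PLACEHOLDER_SECRET:
        raise ConfigError("SECRET_KEY is unset or still the sample placeholder")
    if not debug and len(value.encode("utf-8")) < MIN_SECRET_BYTES:
        raise ConfigError("SECRET_KEY must be at least %d bytes" % MIN_SECRET_BYTES)
    return value


def load_config(env=None):
    """Build a Flask-style config dict from os.environ or any mapping."""
    env = os.environ if env is None else env
    debug = env.get("FLASK_DEBUG", "0") == "1"
    return {
        "DEBUG": debug,
        "SECRET_KEY": validate_secret_key(env.get("SECRET_KEY"), debug),
        "SQLALCHEMY_DATABASE_URI": build_database_uri(env),
        # Session cookie hardening: not readable by scripts, not sent on
        # cross-site requests, and HTTPS-only whenever not in local debug.
        "SESSION_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SAMESITE": "Lax",
        "SESSION_COOKIE_SECURE": not debug,
    }


def is_safe_config(env):
    """True if load_config accepts the mapping, False if it refuses it."""
    try:
        load_config(env)
        return True
    except ConfigError:
        return False


def new_secret_key():
    """Value suitable for SECRET_KEY: 32 random bytes as 64 hex characters."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    print("SECRET_KEY=" + new_secret_key())
```

Wiring this into the app factory means `create_app()` fails fast on a misconfigured host instead of serving sessions signed with a key that is in the public repository; anyone holding `SECRET_KEY` can forge a Flask session cookie for any user, including the admin.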
After installation, seed your database with test data:

```bash
# Basic seeding with 10 todos
python -m flask seed
# Seed with custom number of todos
python -m flask seed --count 50
# Clear existing todos before seeding
python -m flask seed --clear --count 25
# Remove ALL data permanently (use with caution)
python -m flask seed --clean
```

The seeder automatically creates:

Groups:
- `qa` - Quality Assurance Team
- `frontend` - Front-end Developers
- `backend` - Back-end Developers
- `fullstack` - Full-stack Developers
- `devops` - DevOps Engineers
- `vibecoders` - Vibe Coders Group

Users:
- Admin User: `admin` / `admin123`
- Department Users: one user per group, all with password `password123`:
  - `alice_qa` (QA)
  - `frank_frontend` (Frontend)
  - `brian_backend` (Backend)
  - `felix_fullstack` (Fullstack)
  - `david_devops` (DevOps)
  - `victor_vibecoders` (VibeCoders)

Deadlines:
- 6 predefined project deadlines (Q1 Delivery, Security Audit, etc.)
- 3 additional random deadlines
- Mix of active and inactive deadlines

Tasks:
- User-specific tasks: Each user gets at least one assigned task
- Group tasks: Each group gets at least one assigned task
- Random tasks: Additional tasks assigned randomly to users or groups
- Realistic data: Uses Faker library for varied, realistic content

Test logins:

```
# Login as admin
Username: admin
Password: admin123
# Login as department user
Username: alice_qa
Password: password123
```

These accounts have fixed, publicly documented passwords: run the seeder only against a local development database, never against one that other hosts can reach.

Authentication & Authorization:
- Register new user
- Login/logout functionality
- Admin panel access (admin only)
- User dashboard access
Todo Management:
- Create new todo (admin)
- Assign todo to user
- Assign todo to group
- Mark todo as complete/incomplete
- Edit existing todos
Group Functionality:
- View group-assigned tasks
- Admin assigns tasks to groups
- Users see their group tasks
Security Testing:
- Test input sanitization with malicious input
- Verify CSRF protection on forms
- Test rate limiting (multiple rapid requests)
- Check CSP headers in browser dev tools
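The "Check CSP headers in browser dev tools" step is easier to do consistently with a small checker. The following is an added example, not the project's code: it builds a nonce-based Content-Security-Policy header of the kind the README describes and audits any CSP string for the weaknesses a reviewer looks for first. The directive set, the finding messages, the function names and the `g.csp_nonce` name in the comment are assumptions.

```python
import secrets


def make_nonce():
    """Per-response nonce; it must be generated fresh for every response."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, report_uri=None):
    """Assemble a strict policy: scripts only from self plus nonce-tagged
    inline blocks, no plugin content, no framing, forms only to self."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'nonce-%s'" % nonce],
        "style-src": ["'self'"],
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "form-action": ["'self'"],
        "frame-ancestors": ["'none'"],
    }
    if report_uri:
        directives["report-uri"] = [report_uri]
    return "; ".join("%s %s" % (name, " ".join(values)) for name, values in directives.items())


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]} (names lower-cased)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(header):
    """Return a list of findings; an empty list means every check passed."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("missing default-src fallback")
    scripts = policy.get("script-src", policy.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
    )
    # With a nonce or hash present, CSP Level 2+ browsers ignore 'unsafe-inline',
    # so flag it only when it is actually in effect.
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts execute")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    if any(s in ("*", "http:", "https:") for s in scripts):
        findings.append("script-src allows any origin: CSP does not stop script injection")
    if policy.get("object-src", policy.get("default-src")) != ["'none'"]:
        findings.append("object-src should be 'none' (plugin content bypasses script-src)")
    if "base-uri" not in policy:
        findings.append("missing base-uri: an injected <base> can redirect relative script URLs")
    if "frame-ancestors" not in policy:
        findings.append("missing frame-ancestors: page can be framed (clickjacking)")
    return findings


# In Flask this would run in an after_request hook, for example
#   response.headers["Content-Security-Policy"] = build_csp(g.csp_nonce)
# with the same nonce rendered into every <script nonce="..."> tag by the template.
```

To check a running instance, copy the `Content-Security-Policy` value from the response headers in the browser's network panel and pass it to `audit_csp`. A policy that returns no findings still has to be confirmed in the console: any inline script the templates render without the nonce will be blocked and reported there.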
Check seeded data:

```bash
# View all users
python -c "from app import create_app; app = create_app(); app.app_context().push(); from app.models import User; users = User.query.all(); [print(f'{u.username} - Admin: {u.is_admin}') for u in users]"
# View todos count
python -c "from app import create_app; app = create_app(); app.app_context().push(); from app.models import Todo; print(f'Total todos: {Todo.query.count()}')"
# View groups and members
python -c "from app import create_app; app = create_app(); app.app_context().push(); from app.models import UserGroup; groups = UserGroup.query.all(); [print(f'{g.name}: {len(g.members)} members') for g in groups]"
```

Seed larger or smaller data sets:

```bash
# Create many todos for performance testing
python -m flask seed --count 500
# Clear and reseed with different data
python -m flask seed --clear --count 100
# Test with minimal data
python -m flask seed --clear --count 5
```

Database Connection Issues:

```bash
# Test database connection: create_app() alone does not open a connection
# (SQLAlchemy connects lazily), so run a real query to surface errors
python -c "from app import create_app; app = create_app(); app.app_context().push(); from app.models import User; User.query.first(); print('Database connected successfully')"
```

Permission Issues:
- Ensure PostgreSQL user has proper permissions
- Check the `.env` file has correct database credentials

Seeder Not Working:

```bash
# Check Flask app context
python -c "from app import create_app; app = create_app(); app.app_context().push(); print('App context working')"
```

This seeding setup provides a complete testing environment with realistic data for all application features!
- OWASP ZAP Tested: Validated against automated security scanning
- Pattern Detection: Identifies XSS, SQL injection, and other attack patterns
- Score-Based Filtering: Multi-level threat assessment
- Logging: Suspicious inputs are logged for analysis
- Authentication: Secure password hashing with Werkzeug
- Session Management: Flask-Login for secure user sessions
- CSRF Protection: Flask-WTF tokens on all forms
- Rate Limiting: Request throttling to prevent abuse
- Input Validation: Server-side validation with custom rules
- Content Security Policy: Headers to prevent XSS execution
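The list above describes the sanitizer as pattern detection plus a multi-level score plus logging. To make that concrete, here is an added example of a detector built that way; it is not the project's `sanitize_module.py`, and the patterns, weights, threshold, level names and function names are assumptions chosen for the illustration.

```python
import html
import logging
import re
from urllib.parse import unquote

log = logging.getLogger("sanitize")

# (name, pattern, weight). Patterns and weights are illustrative assumptions.
PATTERNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I), 5),
    ("event_handler", re.compile(r"\bon\w+\s*=", re.I), 4),
    ("js_uri", re.compile(r"javascript\s*:", re.I), 4),
    ("html_tag", re.compile(r"<\s*[a-z!/?]", re.I), 2),
    ("sql_tautology", re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*", re.I), 5),
    ("sql_union", re.compile(r"\bunion\b.*\bselect\b", re.I), 5),
    ("sql_comment", re.compile(r"(--|/\*|#)\s*$|;\s*(drop|delete|insert|update)\b", re.I), 3),
]

# Threat levels by cumulative score, lowest threshold first
THREAT_LEVELS = [(0, "clean"), (2, "suspicious"), (5, "malicious")]
BLOCK_AT = 5  # score at which the input is rejected outright


def normalize(value):
    """Undo the encodings attackers use to slip past naive filters:
    repeated URL-encoding, HTML entities and NUL bytes."""
    decoded = value
    for _ in range(3):  # bounded, so nested encoding cannot loop forever
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    return html.unescape(decoded).replace("\x00", "")


def assess(value):
    """Score the input; return (score, level, [matched pattern names])."""
    text = normalize(value)
    score, matched = 0, []
    for name, pattern, weight in PATTERNS:
        if pattern.search(text):
            score += weight
            matched.append(name)
    level = "clean"
    for threshold, name in THREAT_LEVELS:
        if score >= threshold:
            level = name
    return score, level, matched


def sanitize(value, field="input"):
    """Reject input scoring at or above BLOCK_AT; log anything not clean.

    Returns (accepted, value). The value is returned unchanged because the
    real defences sit elsewhere: Jinja autoescaping on output and
    parameterised queries through SQLAlchemy. A detector like this is
    defence in depth and a source of log signal, not a substitute.
    """
    score, level, matched = assess(value)
    if level != "clean":
        log.warning("field=%s level=%s score=%d patterns=%s",
                    field, level, score, ",".join(matched))
    if score >= BLOCK_AT:
        return False, None
    return True, value


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic
    for sample in ["<script>alert(1)</script>", "%253Cscript%253E",
                   "' OR '1'='1", "admin'--", "Click <b>here</b>",
                   "Fix the O'Brien account; it's 5 > 3"]:
        print(repr(sample), assess(sample))
```

Two properties of this design are worth checking in any blocklist sanitizer. First, decoding before matching is what stops `%3Cscript%3E` and `&lt;script&gt;` from scoring zero. Second, the middle level exists because the patterns have false positives: `x < y` or a comment ending in `#` land at "suspicious", which is logged and allowed rather than blocked, while a single strong indicator such as a `<script` tag or a quote-OR-equals tautology is enough to reject.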
Run the test suite to verify functionality:

```bash
# Install test dependencies
pip install pytest pytest-cov
# Run all tests
pytest
# Run with coverage
pytest --cov=app --cov-report=html
```

Run the security-focused tests on their own:

```bash
# Test input sanitization
pytest tests/test_sanitize.py -v
# Test route security
pytest tests/test_main_routes.py -v
```

Registration:
- Visit the homepage and click "Register"
- Fill in username, email, password
- Select your team/group
- Complete CAPTCHA verification
Task management:
- Create Tasks: Use the dashboard to add new todos
- Assign Tasks: Admins can assign tasks to users or groups
- Track Progress: Mark tasks as complete/incomplete
- Filter Tasks: View tasks by status, date, or assignee
Admin panel:
- Access admin panel at `/admin/dashboard`
- Manage users and groups
- Assign tasks to teams
- View system statistics
The custom sanitize_module.py has been tested against:
- OWASP ZAP: Automated security scanning
- Manual Penetration Testing: XSS and injection attempts
- Input Validation Testing: Edge cases and malicious payloads
- ✅ XSS Prevention: 100% block rate on the script-injection payloads used in testing
- ✅ SQL Injection: Pattern detection and sanitization (SQLAlchemy's parameterised queries remain the primary defence)
- ✅ Input Validation: Comprehensive coverage of user inputs
- ✅ Rate Limiting: Effective abuse prevention
This is an educational project focused on security learning. Contributions are welcome for:
- Security improvements
- Code quality enhancements
- Documentation updates
- Additional test cases
```bash
# Fork and clone
git clone https://github.com/your-username/Python-Flask-Todo.git
# Create feature branch
git checkout -b feature/security-improvement
# Make changes and test
pytest
# Submit pull request
```

This project is licensed under the MIT License - see the LICENSE file for details.
- Educational Purpose: This application is designed for learning Flask and web security concepts
- Security Research: The custom sanitization module is experimental and should be reviewed by security professionals before production use
- Not Production Ready: Additional security hardening would be required for production deployment
- Database: Uses PostgreSQL - ensure you have it installed and configured
For questions about the security implementations or Flask development concepts:
- Review the code comments for detailed explanations
- Check the `learning_notes.txt` file for development insights
- Examine the test files for usage examples
Happy learning and stay secure! 🛡️🚀
