## Flask Framework

Flask is a web application framework written in Python. It is developed by `Armin Ronacher`, who leads an international group of Python enthusiasts named `Pocco`. Flask is based on the `Werkzeug` a `WSGI` toolkit and `Jinja2` template engine. Both are `Pocco` projects.

### Installation

We will be installing flask in an `virtualenv`, So lets first create a virtualenv. With Python 3 we dont have to install virtualenv as it comes a custom version of it. But you can still install it if you wish to do so.   

#### Installing virtualenv

```
$ pip install virtualenv
```

#### Creating virtualenv

If you have installed virtualenv then use the following command to creating virtual environment to use in your project. 

```
$:> cd <project_folder>
$:> virtualenv venv
```
but if you wish the use python's own virtualenv then use the following command 

```
$:> cd <project_folder>
$:> python -m venv venv
```
The above commands will create a venv folder which will contain our virtual environment to use. Before using the it we need to activate it and it will start our virtual environment for us.  

#### Activating virtualenv

We need to activate virtualenv before we can use it. 

```
$:> source venv/bin/activate
```
On Windows OS, please run the following command 
```
C:> venv\Scripts\activate
```

#### Installing flask

Now, lets install flask module using `pip` command.
```
$ pip install Flask
```
The above command will install `flask` module for us. We will still need internet connection for it to run ;) as `pip` commands not only install `Flask` but also its dependencies such as 
- `Werkzeug` implements WSGI, the standard Python interface between applications and servers.
- `Jinja` is a template language that renders the pages your application serves.
- `MarkupSafe` comes with Jinja. It escapes untrusted input when rendering templates to avoid injection attacks.
- `ItsDangerous` securely signs data to ensure its integrity. This is used to protect Flask’s session cookie.
- `Click` is a framework for writing command line applications. It provides the flask command and allows adding custom management commands.

### Application

Lets create a basic application in flask. Showcasing function name in `telugu` language.

```python
"""file_name: 01_min.py"""
from flask import Flask


app = Flask(__name__)


@app.route('/', methods=['GET'])
def రేమకు_స్వాగతం():
    """swagatham in telugu language."""
    return "<h1>రేమకు స్వాగతం</h1>"


if __name__ == '__main__':
    app.run()
```

Lets discuss its various sections, 

First we import `Flask` from `flask` application, then we create an `app` from `Flask`, next we create some `routes`, and finally we execute the created flask `app`.

#### Application in `debug` mode

```python
"""file_name: 01_01_minapp_debug_mode.py"""
from flask import Flask


app = Flask(__name__)


@app.route('/', methods=['GET'])
def రేమకు_స్వాగతం():
    """swagatham in telugu language."""
    return "<h1>రేమకు స్వాగతం</h1>"


if __name__ == '__main__':
    app.run(debug=True)
```

#### Running the applicataion

```
python <flask_app.py>
```

##### Externally Visible Server

The following command will run the flask application run on all the available ipaddresses 

```
flask run --host=0.0.0.0
```

or, we can provide the same in the code as shown below 

```python
""" 03_externally_visible.py"""
from flask import Flask


app = Flask(__name__)


@app.route('/', methods=['GET'])
def రేమకు_స్వాగతం():
    """swagatham in telugu language."""
    return "రేమకు స్వాగతం"


if __name__ == '__main__':
    app.run(debug=True, port=20202, host="0.0.0.0")
```

```
python <flask_app.py>
```

### Routing

`route()` decorator of the `Flask` class tells the application which URL/request type should be mapped to the below function. Its syntax is as follows

> `app.route(rule, options)`

- `rule`: It binds a URL with its function, such as `/login`, `/register` etc. The URL's here are relative in nature. 

- `options`: It contains a parameter `methods` which should be a list of methods which this `rule` should route  (`GET`, `POST` etc.).  By default a rule just listens for `GET` (and implicitly `HEAD`)

Most `modern web frameworks` employ `routing` technique in mapping application `URLs` to `functions`.

```python
"""02_route_example.py"""
from flask import Flask


app = Flask(__name__)


@app.route('/telugu')
def రేమకు_స్వాగతం():
    """swagatham in telugu language."""
    return "రేమకు స్వాగతం"


@app.route('/tamil')
def நல்வரவு():
    """swagatham in tamil language."""
    return "நல்வரவு"


@app.route('/kannada')
def ಸುಸ್ವಾಗತ():
    """swagatham in kannada language."""
    return "ಸುಸ್ವಾಗತ"


@app.route('/german')
def Willkommen():
    """swagatham in german language."""
    return "Willkommen"


@app.route('/Hebrew')
def Shalom():
    """swagatham in Hebrew language."""
    return "Shalom"


if __name__ == '__main__':
    app.run()
```

We can also bind the urls with functions using `add_url_rule()` as shown below

 ```python
"""
04_add_url_rule.py: Example using add_url_rule.

- We are adding tamil, telugu using code before the app is run.
- We are adding kannada at runtime after the server has started.
"""
from flask import Flask


def telugu():
    """swagatham in telugu language."""
    return "రేమకు స్వాగతం"


def tamil():
    """swagatham in tamil language."""
    app.add_url_rule("/kannada", None, kannada)
    return "நல்வரவு"


def kannada():
    """swagatham in kannada language."""
    return "ಸುಸ್ವಾಗತ"


if __name__ == '__main__':
    rules = {
        'telugu': telugu,
        'tamil': tamil,
    }

    app = Flask(__name__)
    for rule, func in rules.items():
        app.add_url_rule(f'/{rule}', None, func)
    app.run()

```

### Variable Rules

Flask can process the variable parts to a URL by marking these special sections as <variable_name> which are then passed as a keyword argument to the function. Also a converter can be used by specifying a rule with <converter:variable_name> as shown in the examples below

```python
""" 05_swagatham_with_dynamic_rules_2.py
Example using add_url_rule."""
from flask import Flask


app = Flask(__name__)


@app.route('/welcome:<language>')
def select_welcome(language):
    rules = {
        'telugu': రేమకు_స్వాగతం,
        'tamil': நல்வரவு,
        'kannada': ಸುಸ್ವಾಗತ
    }
    print(language)
    return rules[language]()


def రేమకు_స్వాగతం():
    """swagatham in telugu language."""
    return "రేమకు స్వాగతం"


def நல்வரவு():
    """swagatham in tamil language."""
    return "நல்வரவு"


def ಸುಸ್ವಾಗತ():
    """swagatham in kannada language."""
    return "ಸುಸ್ವಾಗತ"


if __name__ == '__main__':
    app.run()
```

We can also define the datatype of the parameter using the following table

| string | accepts any text without a slash (the default) |
|--------|------------------------------------------------|
| int    | integers                                       |
| float  | floating point values                          |
| path   | similar to default but also accepts slashes    |
| any    | matches one of the items provided              |
| uuid   | accepts UUID strings                           |

```python
"""Example for variable rules."""
# 05.01_swagatham_with_variables.py

from flask import Flask
from random import randint, uniform

app = Flask(__name__)


@app.route('/get_rand:<int:num>')
def get_random_int(num):
    print("get_random_int", num)
    return str(randint(1, int(num)))


@app.route('/get_rand:<float:num>')
def get_random_float(num):
    print(num)
    return str(uniform(0, float(num)))


@app.route("/get_rand:<num>")
def get_any_rand(num):
    """Every <num> except of data type int & float are handled here"""
    return "not found"


if __name__ == '__main__':
    app.run()

```

### URL Building

To build a URL to a specific function you can use the `url_for()` function. It accepts the `name` of the `function` as `first argument` and a number of keyword arguments, each corresponding to the variable part of the URL rule. Unknown variable parts are appended to the URL as query parameters.

```python
"""url_for.py"""
from flask import Flask
from flask import abort, redirect, url_for

app = Flask(__name__)


@app.route('/telugu')
def telugu():
    """swagatham in telugu language."""
    return "రేమకు స్వాగతం"


@app.route('/tamil')
def tamil():
    """swagatham in tamil language."""
    return "நல்வரவு"


@app.route('/kannada')
def kannada():
    """swagatham in kannada language."""
    return "ಸುಸ್ವಾಗತ"


@app.route('/english')
def english():
    """swagatham in english language, but it will abort."""
    abort(404)

@app.route('/welcome:<language>')
def welcome(language):
    return redirect(url_for(language.lower()))


@app.route('/wel:<language>')
def wel(language):
    return redirect("/" + language.lower())


if __name__ == '__main__':
    app.run()

```

### HTTP methods

`HTTP` protocol supports multiple methods for accessing URLs. By default, `GET` requests are handled for any requests, using `methods` argument to the route() decorator other methods can also be served as shown in the examples below

```python
from flask import request

@app.route('/logmein', methods=['GET', 'POST'])
def logmein():
    if request.method == 'POST':
        validate_login(request.data)
    else:
        show_login()
```         

#### Methods

- **GET**: The browser tells the server to just get the information stored on that page and send it. This is probably the most common method.


- **HEAD**: The browser tells the server to get the information, but it is only interested in the headers, not the content of the page. An application is supposed to handle that as if a GET request was received but to not deliver the actual content. In Flask you don’t have to deal with that at all, the underlying Werkzeug library handles that for you.


- **POST**: The browser tells the server that it wants to post some new information to that URL and that the server must ensure the data is stored and only stored once. This is how HTML forms usually transmit data to the server.


- **PUT**: Similar to POST but the server might trigger the store procedure multiple times by overwriting the old values more than once. Now you might be asking why this is useful, but there are some good reasons to do it this way. Consider that the connection is lost during transmission: in this situation a system between the browser and the server might receive the request safely a second time without breaking things. With POST that would not be possible because it must only be triggered once.


- **DELETE**: Remove the information at the given location.

```python
"""
Echo Implementation in flask.
# 07_methods.py
"""
from flask import Flask, request


app = Flask(__name__)


@app.route('/echo', methods=['GET', 'POST'])
def echo():
    if request.method == 'POST':
        print(request.form)
        return request.form['echo']
    else:
        return """<html>
        <body>
           <form action="/echo" method="post">
              Text to echo: <input type="text" name="echo"><br>
              <input type="submit" value="Submit">
            </form>
        </body></html>
        """


if __name__ == '__main__':
    app.run(debug=True)
```

### Rendering Templates

Details in `jinja2` chapter

### Static Files

Web server also host many static files like `css`, `js`, `png`, `jpg`, `mov`, `avi`, `swf` etc. Flask provide a way to handle these types of files. A folder named `static` can be created under project structure where all these types of files can be stored. 

These files can be accessed using the following code. 

```python
url_for('static', filename='myfonts.ttf')
```

### Request Object

Flask provides "request object" to access the incoming data for any request. It holds all incoming data from the request, includeing the `headers` details (`mimetype`, `referrer`, `IP address`, `HTTP method`, etc), request data such as cookies, forms, args & files etc.

Most common attributes of it are 
- `args`: Query string (string after question mark in URL) in dictionary format
- `method`: current request method
- `Cookies`: dictionary object holding Cookie names and values
- `files`:  data pertaining to uploaded file
- `form`: The form data contained in dictionary format

### Query Arguments

They are URL argument which are added to a query string, is the simpliest way to pass small non secure data to a web app. 
They look something like this

`search?q=arya%20samaj&sourceid=chrome&ie=UTF-8`

where it is passing three values:

- q = "arya samaj",
- sourceid = "chrome"
- ie = "UTF8

The query string begins after the question mark (?) in URL and is a list of key-value pairs separated by an ampersand (&). Key and values are seperated by an equals sign (=) like in the above example.

| Key      | value       |
|----------|-------------|
| q        | arya samaj  |
| sourceid | chrome      |
| ie       | UTF8        |

#### How to read them in Flask

Lets take a simple example, we have an assessment application on various topics. Candidates are provided one question at a time and on clicking on "next" button they are taken to next question. All the questions are stored in a SQLite DB and by providing the question id we extract the question. So the request url will be something like this:

> "assessment?question=10&topic=2"

We can use request object object to read it as we read a dictionary. 

```python
request.args.get('question') 
# or use the following with default value as ''
request.args.get('question', '') 
# or 
request.args['question']
```


```python
"""
08.01_url_args.py
"""
from flask import Flask
from flask import abort, request, redirect, url_for

app = Flask(__name__)


@app.route('/telugu')
def telugu():
    """swagatham in telugu language."""
    return "రేమకు స్వాగతం"


@app.route('/tamil')
def tamil():
    """swagatham in tamil language."""
    return "நல்வரவு"


@app.route('/kannada')
def kannada():
    """swagatham in kannada language."""
    return "ಸುಸ್ವಾಗತ"


@app.route('/english')
def english():
    """swagatham in english language, but it will abort."""
    abort(404)


@app.route('/welcome')
def welcome():
    language = request.args.get("language", "english")
    name = request.args.get("name", "not found")
    print(name)
    return redirect(url_for(language.lower()))


if __name__ == '__main__':
    app.run(debug=True)
```

Below is another example, of how we can use the arguments. This code is taken from the file `app.py` of `pareekshan` sample web application, which can be found at https://gitlab.com/mayankjohri/LetsExplorePython/tree/master/Section%202%20-%20Advance%20Python/Chapter%20S2.06%20-%20Web%20Development%20&%20REST%20API%20Servers/code/pareekshan/001.

```python
@app.route("/start_quiz", methods=['GET'])
def start_quiz():
    no = 5
    topic_id = request.args.get('topic', 0)
    questions = Questions.query.order_by(
        func.random()).with_entities(Questions.id).filter(
        Questions.topics_id == topic_id).limit(no)
    quest = []
    # still need to find better method to extract the values.
    quest = [q[0] for q in questions]
    return render_template("start_quiz.html", questions=quest)
```

In the above example, the url with which we call this API is `http://<server>/start_quiz?topic=2`, and we use

```python
topic_id = request.args.get('topic')
```
   

### Sending Form Data to Template

Form data is passed to flask in the dictionary format, thus we can pass entire form as is to the required template as shown below.

The most common usecase if it is while registering, where we need user to cross verify the filled in details. We have taken the same as an example.    

For this to work we need three files, 
- `app.py`: Which contains the python code
- `register.html`: which contains html page where user provides his details
- `validate.html`: which is populated with the provided detail 

##### app.py

```python
#!/usr/bin/env python
# coding=utf-8
from flask import Flask, render_template, request, redirect, url_for
from flask import jsonify
from flask_sqlalchemy import SQLAlchemy
from sqlalchemy import ForeignKey
from sqlalchemy.orm import relationship
from sqlalchemy.sql.expression import func


app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///../db/users.sqlite'

db = SQLAlchemy(app)


class User(db.Model):
    __tablename__ = "user"
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String)
    first_name = db.Column(db.String)
    last_name = db.Column(db.String)

    questions = relationship("Questions", back_populates="topics")


@app.route("/regval", methods=['GET', 'POST'])
def register():
    """
    It requests for user details and then validate them,
    once validated, new valid user is added to db.
    """
    if request.method == 'POST':
        return render_template("validate.html", result=request.form)
    else:
        return render_template("register.html")


if __name__ == "__main__":
    app.run(debug=True)
```

##### register.html

```html
<!doctype html>
<html>
   <body>
        <div>Please enter the user details:</div>
        <form action = "/regval" method = "POST">
            <p>username <input type = "text" name = "username" /></p>
            <p>First Name <input type = "text" name = "first_name" /></p>
            <p>Last Name <input type = "text" name = "last_name" /></p>
            <p><input type = "submit" value = "submit" /></p>
        </form>
   </body>
</html>
```

##### validate.html

```html
<!doctype html>
<html>
   <body>
      <table border = 1>
         {% for key, value in result.items() %}

            <tr>
               <th> {{ key }} </th>
               <td> {{ value }} </td>
            </tr>

         {% endfor %}
      </table>
      <button onclick="goBack()">Go Back</button>
      <button id='submit'>Submit</button>
    <script>
    function goBack() {
        window.history.back();
    }
    </script>
   </body>
</html>
```

### Cookies

An `HTTP cookie` (also known as `web cookie`, `Internet cookie`, `browser cookie`, or simply `cookie`) is a specific dataset sent from a website and stored on the user's computer by the user's web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit card numbers.

Almost every request/response contains a cookie’s attribute which is a dictionary object of all the cookie variables and their corresponding values. It can also stores its expiry time, path and domain name of the site.

We can store almost any type of data in it. 

Flask allows us to read and write cookies using `set_cookie` and `request.cookies.get`

#### `set_cookie`

Lets send the unique `uuid` as cookie to the browser 

##### app.py

```python
# code from app.py, its not full app.py
from uuid import uuid4
resp = make_response(render_template('register.html'))
# print(type(uuid4()))
resp.set_cookie('uuid', str(uuid4()))
return resp
```

##### register.html

```html
<!doctype html>
<html>
   <body onload="display_uuid()">
        <div>Please enter the user details:</div>
        <form action = "/regval" method = "POST">
            <p>username <input type = "text" name = "username" /></p>
            <p>First Name <input type = "text" name = "first_name" /></p>
            <p>Last Name <input type = "text" name = "last_name" /></p>
            <p><input type = "submit" value = "submit" /></p>
        </form>
        <div><label id="uuid"></label></div>
        <script>
            function getCookie(cname) {
                var name = cname + "=";
                var decodedCookie = decodeURIComponent(document.cookie);
                var ca = decodedCookie.split(';');
                for(var i = 0; i <ca.length; i++) {
                    var c = ca[i];
                    while (c.charAt(0) == ' ') {
                        c = c.substring(1);
                    }
                    if (c.indexOf(name) == 0) {
                        return c.substring(name.length, c.length);
                    }
                }
                return "";
            };

            function display_uuid(){
                var uuid = getCookie("uuid");
                console.info(uuid);
                document.getElementById("uuid").innerHTML = uuid;
            };
        </script>
   </body>
</html>
```

#### Read Cookie from response

##### app.py

```python
# code from app.py, its not full app.py
if request.method == 'POST':
    random_num = request.cookies.get("random_num", "")
    print(random_num)
    return render_template("validate.html",
                           result=request.form,
                           cookie=random_num)
```

##### validate.html

```html
<!doctype html>
<html>
   <body>

      <table border = 1>
         {% for key, value in result.items() %}

            <tr>
               <th> {{ key }} </th>
               <td> {{ value }} </td>
            </tr>

         {% endfor %}
            <tr>
               <th> cookie</th>
               <td> {{cookie}}</td>
      </table>
      <button onclick="goBack()">Go Back</button>
      <button id='submit'>Submit</button>
<script>
function goBack() {
    window.history.back();
}
</script>
   </body>
</html>
```

### Sessions

It allows server to store information specific to a user between his various requests to server.It is implemented on top of `cookies` and for security reasons resultant cookies are encrypted / signed cryptographically. Which results in read only cookies for the Browser for all practical purpose.


Flask provide `session` module to help us in this regards. Lets update out previous example with session, In this we are going to ask users to provide their name along with the subject of the test which they wish to take. 

**Updated `app.py`** 

In [None]:
#!/usr/bin/env python
# coding=utf-8
from flask import Flask, render_template, request, url_for, redirect
from flask import session
from flask_sqlalchemy import SQLAlchemy
from sqlalchemy import ForeignKey
from sqlalchemy.orm import relationship
from sqlalchemy.sql.expression import func

from utils import get_rand_string


app = Flask(__name__)
app.secret_key = get_rand_string(15, 20)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///../db/questions.sqlite'
db = SQLAlchemy(app)


class Topics(db.Model):
    __tablename__ = "topics"
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String)
    questions = relationship("Questions", back_populates="topics")


class Questions(db.Model):
    __tablename__ = "questions"
    id = db.Column(db.Integer, primary_key=True)
    question = db.Column(db.String)
    topics_id = db.Column(db.Integer, ForeignKey('topics.id'))
    topics = relationship("Topics", back_populates="questions")
    choices = relationship("Choice", back_populates="questions")


class Choice(db.Model):
    __tablename__ = "choice"
    id = db.Column(db.Integer, primary_key=True)
    question_id = db.Column(db.Integer, ForeignKey('questions.id'))
    questions = relationship("Questions", back_populates="choices")
    choice = db.Column(db.String)
    correct = db.Column(db.Boolean)


def get_topics():
    result = Topics.query.with_entities(Topics.name).all()
    result = [r for r, in result]
    print(result, flush=True)
    return result


@app.route("/")
def home():
    topics = Topics.query.with_entities(Topics.id, Topics.name).all()
    topic_details = [r for r in topics]
    return render_template("index.html",
                           topics=topic_details)


@app.route("/check_user", methods=["POST"])
def check_user():
    if "username" not in session:
        topic = request.form.get("topic")
        username = request.form.get("username")
        session['username'] = username
        print(username, topic)
        return redirect('/start_quiz?topic={topic}'.format(
                        topic=topic))


@app.route("/moolyaankan", methods=["POST"])
def moolyaankan():
    print("moolyaankan")
    result = {
        "correct": 0,
        "wrong": 0
    }
    for quest, sel in request.form.items():
        # !!! Bad coding practice, will fix in later versions !!!
        # Lets validate if the selected answers are correct or not.
        question = Questions.query.filter(
            Questions.id == quest).first()
        print(question)
        got_it = False
        for ch in question.choices:
            # print(ch.correct, ch.id, sel, ch.correct and ch.id == int(sel))
            if ch.correct and ch.id == int(sel):
                print("!!! Hurrey !!!")
                got_it = True
        if got_it:
            result["correct"] += 1
        else:
            result["wrong"] += 1
    return render_template("result.html", correct=result["correct"],
                           wrong=result["wrong"])


@app.route("/one_q", methods=['GET'])
def one_q():
    print(request.args)
    q_id = request.args.get("q_id")
    question = Questions.query.filter(Questions.id == q_id).first()
    return render_template("one_q.html", question=question)


@app.route("/start_quiz", methods=['GET'])
def start_quiz():
    no = 5
    topic_id = request.args.get('topic')
    username = session['username']
    questions = Questions.query.order_by(
        func.random()).with_entities(Questions.id).filter(
        Questions.topics_id == topic_id).limit(no)

    quest = [q[0] for q in questions]

    return render_template("start_quiz.html", questions=quest,
                           username=username)


@app.route("/show_result", methods=['POST'])
def show_result():
    selections = request.form
    correct_answers = 0
    for k, v in selections.items():
        if k.startswith("choice_"):
            print(Choice.query.filter(Choice.id == v).first().id)
            if Choice.query.filter(Choice.id == v).first().correct == 1:
                correct_answers += 1
            print(k, v)
    return "Thanks a lot:<br>Total correct Answers= " + str(correct_answers)


if __name__ == "__main__":
    app.run(debug=True)


We have updated few methods to accomodate the session, `check_user` was added and `index.html` and `start_quiz.html` were updated as shown below

**`index.html`**

```html
{% extends "base.html" %}

{% block content %}
<h1>Please select a topic to evaluation</h1>
<form id="select_topic" action="/check_user" method="POST" >
     <select name="topic">
        {% for topic in topics %}
            <option value="{{ topic[0] }}">{{topic[1]}}</option>
        {% endfor %}
    </select>
    <label>Username: </label><input type="input" name="username"/>
    <input type="submit"/>
</form>
{% endblock %}
```

**`start_quiz.html`**

```html
{% extends "base.html" %}
{% block header%}
<style>
#question{
    background-color: #cefff0;
    border: solid #ceefe4 2px;
    font-size: 1.1em;
    color: #31101b;
    font-family: Tahoma, Geneva, sans-serif;
    margin-top: 2em;
    padding: 0.2em;
}
#choices{
    border: 1px solid  #ceefe4;
    background-color: white;
    font-family: Tahoma, Geneva, sans-serif;
    padding: 0.5em;
    padding-left: 2em;
}
#code {
    font-family: "Lucida Console", Monaco, monospace;
    padding: 0.2em;
    font-size: 0.9em;
    white-space: pre;
    display: block;
}
</style>

{% endblock %}

{% block content %}
<h1>Welcome to Pareekshan</h1>
<div>
    <p>Hello {{ session['username'] }},</p>
    We are going to have 10 questions. we have two buttons, "next" and "Lets Evaluate".
    You can go to the next question by clicking "next" and end the session by clicking "Lets Evaluate".
</div>

    <a type="button" id="start" value="Lets Start the Test" >Lets Start the Test</a>
<script>
    $().ready(function(){
        var sols = {};

        var questions = {{questions}};
        for (a in questions){
            console.info(questions[a]);
            sols[questions[a]] = "";
        }
        sols = JSON.stringify(sols);
        console.log(sols);
        sessionStorage.setItem("sols",sols);
        var meta1 = JSON.parse(window.sessionStorage.getItem("sols"));
        console.log("meta 1", meta1);
        sessionStorage.setItem("quest", JSON.stringify(questions));

        var quest = JSON.parse(sessionStorage.quest);
        console.log("Quest", quest);
        $("#start").attr('href', '/one_q?q_id=' + quest[0]);

    });

</script>
{% endblock %}
```

### Redirect

Many a times, we need to redirect the users to another url after processing is completed,  Flask provides us `redirect` method to achieve just that, its syntax is as follows

```python
Flask.redirect(location, statuscode, response)

```
Where
- location: URL where response should be redirected

- statuscode: Status code which should be sent to browser, defaults is `302`.

- response: parameter is used to instantiate response.

We have already used it in previous `app.py` in the following funciton

```python
@app.route("/check_user", methods=["POST"])
def check_user():
    if "username" in session:
        pass

    topic = request.form.get("topic")
    username = request.form.get("username")
    session.clear()
    session['username'] = username
    print(username, topic)
    return redirect('/start_quiz?topic={topic}'.format(
                    topic=topic))
```

### Message Flashing

Flask uses `flash` function to provide feedback to the user. It can be used to inform users about task status, or login status etc without reloading the current page. In our example we are going to create a login page and use the `flash` to convey the messages.

We had to change few things to achieve it. 

**`base.html`**

Following code has been addded to base.html, were we want the messages to display.

```html
{% with messages = get_flashed_messages() %}
  {% if messages %}
    <ul class=flashes>
    {% for message in messages %}
      <li>{{ message }}</li>
    {% endfor %}
    </ul>
  {% endif %}
{% endwith %}
        
```

**`app.py`**

```python
@app.route('/login', methods=['GET', 'POST'])
def login():
    error = None
    if request.method == 'POST':
        if request.form['username'] != 'nirankari' or \
                request.form['password'] != 'ajar_amar':
            error = 'Invalid credentials'
            flash(error)
        else:
            flash('Successfully logged in.')
            return redirect(url_for('home'))
    return render_template('login.html')
```

Now, what will happen, if user credentials are invalid than "Invalid credentials" message is displayed at top of login screen and if successfully logged in then message "Successfully logged in" message is displayed.

One issue we can see is that in current implementation, we do not have method to distinguish between error, info and other messages. Let implement it in version "003"

Good thing is that developers at "Flash" have already taken care of this scenario. We will be updating same files again to accomodate it.

```python
flash('Invalid credentials', 'error')
```

**`base.html`**

Following code has been addded to base.html, were we want the messages to display.

```html
{% with messages = get_flashed_messages(with_categories=true) %}
  {% if messages %}
    <ul class=flashes>
    {% for category, message in messages %}
      <li class="{{ category }}">{{ message }}</li>
    {% endfor %}
    </ul>
  {% endif %}
{% endwith %}        
```

**`app.py`**

```python
@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        if request.form['username'] != 'nirankari' or \
                request.form['password'] != 'ajar_amar':
            flash('Invalid credentials', 'error')
        else:
            flash('Successfully logged in.', 'info')
            return redirect(url_for('home'))
    return render_template('login.html')
```

We may wish to update `css` files to color code various types of messages in the base.html file. Another scenario, which can happen is one might wish to have only errors displayed, we can achieve it as shown below

**`base.html`**

```python
{% with errors = get_flashed_messages(category_filter=["error"]) %}
{% if errors %}
<div class="alert-message block-message error">
  <a class="close" href="#">×</a>
  <ul>
    {%- for msg in errors %}
    <li>{{ msg }}</li>
    {% endfor -%}
  </ul>
</div>
{% endif %}
{% endwith %}
```

### File Uploading

The basic principle of file uploads works as follows:

- A `<form>` tag is marked with `enctype=multipart/form-data` and an `<input type=file>` is added to the form.
- The application accesses the file from the files dictionary on the request object.
- Use the `save()` method of the file to save the file permanently somewhere on the filesystem.

Lets create a form which allows us to register users and let them save their photo's. We need to create a new page with a from which contains input file type `<input type="file" name="user_photo">` and the form should have attribute `enctype="multipart/form-data"` as shown below

**register.html**
```html
{% extends "base.html" %}

{% block content %}

      <h1>!!!Welcome to Pareeksha !!!</h1>
      <h2>Please login to proceed ...</h2>

      <form action="" method="post"  enctype="multipart/form-data">
         <dl>
            <dt>Username:</dt>

            <dd>
               <input type="text" name="username"
                  value="{{request.form.username }}">
            </dd>

            <dt>Password:</dt>
            <dd><input type="password" name="password"></dd>
            <dt>Photo:</dt>
            <dd><input type="file" name="user_photo"></dd>
         </dl>
         <p><input type="submit" value="upload"></p>
      </form>
{% endblock %}
```

Also we need to add the `app.py` with user registration code, I have added the following function to achieve it. 

In [None]:
@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        try:
            username = request.form.get("username", None)
            password = request.form.get("password", None)
            photo = request.files.get('user_photo', None)
            if None in [username, password, photo]:
                flash("Something is missing", "error")
                return render_template('register.html')
            ext = os.path.splitext(photo.filename)[1]
            new_filename = secure_filename(uuid.uuid4().hex + ext)
            photo.save(os.path.join("static/uploads/",
                                    new_filename))
            user = Users.query.filter(
                Users.name == username).all()
            if user:
                flash("User already found", "error")
                return render_template('register.html')
            user = Users(username, password, new_filename)
            db.session.add(user)
            db.session.commit()
            flash('user registered successfully', "info")
            return redirect(url_for('login'))
        except Exception as e:
            flash("Error: {err}".format(e), "error")
    else:
        return render_template('register.html')

### Authentication and Authorization

- **Authentication** is the process of verifying who you are. When you log on to a PC with a user name and password you are authenticating.
    - Authentication is used by a server when the server needs to know exactly who is accessing their information or site.
    - Authentication is used by a client when the client needs to know that the server is system it claims to be.
    - In authentication, the user or computer has to prove its identity to the server or client.
    - Usually, authentication by a server entails the use of a user name and password. Other ways to authenticate can be through cards, retina scans, voice recognition, and fingerprints.
    - Authentication by a client usually involves the server giving a certificate to the client in which a trusted third party such as Verisign or Thawte states that the server belongs to the entity (such as a bank) that the client expects it to.
    - Authentication does not determine what tasks the individual can do or what files the individual can see. Authentication merely identifies and verifies who the person or system is.


- **Authorization** is the process of verifying that you have access to something. Gaining access to a resource (e.g. directory on a hard disk) because the permissions configured on it allow you access is authorization.
    - Authorization is a process by which a server determines if the client has permission to use a resource or access a file.
    - Authorization is usually coupled with authentication so that the server has some concept of who the client is that is requesting access.
    - The type of authentication required for authorization may vary; passwords may be required in some cases but not in others.
    - In some cases, there is no authorization; any user may be use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.

We can either build our own authentication or use third party authentication tool.

#### Inhouse authentication

We have created a new decorator `login_required` in the below code, which takes care of our authentication, what is does not cater is `Authorization`. We can either create our own 

In [None]:
#!/usr/bin/env python
# coding=utf-8
from flask import Flask, render_template, request, url_for, redirect
from flask import session, flash, make_response
from flask_sqlalchemy import SQLAlchemy
from sqlalchemy import ForeignKey
from sqlalchemy.orm import relationship
from sqlalchemy.sql.expression import func
from werkzeug import secure_filename
import uuid
import os
from werkzeug.security import generate_password_hash, check_password_hash
from functools import wraps
from utils import get_rand_string


app = Flask(__name__)
app.secret_key = get_rand_string(15, 20)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///db/questions.sqlite'
db = SQLAlchemy(app)


class Users(db.Model):
    __tablename__ = "users"
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String)
    password_hash = db.Column(db.String)
    filename = db.Column(db.String)

    def __init__(self, name=None, password=None, filename=None):
        if None not in [name, password, filename]:
            self.name = name
            self.password = password
            self.filename = filename

    def validate_password(self, _password):
        return check_password_hash(self.password_hash, _password)

    @property
    def password(self):
        return self.password_hash

    @password.setter
    def password(self, password):
        self.password_hash = generate_password_hash(password)


class Topics(db.Model):
    __tablename__ = "topics"
    id = db.Column(db.Integer, primary_key=True)
    name = db.Column(db.String)
    questions = relationship("Questions", back_populates="topics")


class Questions(db.Model):
    __tablename__ = "questions"
    id = db.Column(db.Integer, primary_key=True)
    question = db.Column(db.String)
    topics_id = db.Column(db.Integer, ForeignKey('topics.id'))
    topics = relationship("Topics", back_populates="questions")
    choices = relationship("Choice", back_populates="questions")


class Choice(db.Model):
    __tablename__ = "choice"
    id = db.Column(db.Integer, primary_key=True)
    question_id = db.Column(db.Integer, ForeignKey('questions.id'))
    questions = relationship("Questions", back_populates="choices")
    choice = db.Column(db.String)
    correct = db.Column(db.Boolean)


def get_topics():
    result = Topics.query.with_entities(Topics.name).all()
    result = [r for r, in result]
    print(result)
    return result


def login_required(f):
    @wraps(f)
    def wrap(*args, **kwargs):
        if not session.get('loggedIn', False):
            print("redirecting to login")
            return redirect(url_for("login"))
        print(session.get('loggedIn', False))
        return f(*args, **kwargs)
    return wrap


@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        username = request.form.get("username", None)
        password = request.form.get("password", None)
        photo = request.files.get('user_photo', None)
        if None in [username, password, photo]:
            flash("Something is missing", "error")
            return render_template('register.html')
        ext = os.path.splitext(photo.filename)[1]
        new_filename = secure_filename(uuid.uuid4().hex + ext)
        photo.save(os.path.join("static/uploads/",
                                new_filename))
        user = Users.query.filter(
            Users.name == username).first()
        if user:
            flash("User already found", "error")
            return render_template('register.html')
        user = Users(username, password, new_filename)
        db.session.add(user)
        db.session.commit()
        flash('user registered successfully', "info")
        return redirect(url_for('login'))
    else:
        return render_template('register.html')


@app.route("/logout")
def logout():
    session['loggedIn'] = False
    return redirect(url_for('login'))


@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form.get('username', None)
        passwd = request.form.get('password', None)
        user = Users.query.filter(
            Users.name == username).first()
        if None in (username, passwd, user):
            flash('Invalid credentials !!!', 'error')
        elif not user.validate_password(passwd):
            flash('Invalid credentials', 'error')
        else:
            session.clear()
            print("Finally in else of login")
            session['loggedIn'] = True
            session['username'] = user.name
            response = make_response(redirect(url_for('home')))
            response.headers["authorization"] = user.name
            response.set_cookie('user', user.name)
            flash('Successfully logged in.', 'info')
            return response
    return render_template('login.html')


@login_required
@app.route("/")
def home():
    topics = Topics.query.with_entities(Topics.id, Topics.name).all()
    topic_details = [r for r in topics]
    return render_template("index.html",
                           topics=topic_details,
                           username=session['username'])


@app.route("/check_user", methods=["POST"])
def check_user():
    topic = request.form.get("topic")
    return redirect('/start_quiz?topic={topic}'.format(
                    topic=topic))


@app.route("/moolyaankan", methods=["POST"])
@login_required
def moolyaankan():
    print("moolyaankan")
    result = {
        "correct": 0,
        "wrong": 0
    }
    for quest, sel in request.form.items():
        # !!! Bad coding practice, will fix in later versions !!!
        # Lets validate if the selected answers are correct or not.
        question = Questions.query.filter(
            Questions.id == quest).first()
        print(question)
        got_it = False
        for ch in question.choices:
            if ch.correct and ch.id == int(sel):
                print("!!! Hurrey !!!")
                got_it = True
        if got_it:
            result["correct"] += 1
        else:
            result["wrong"] += 1
    return render_template("result.html", correct=result["correct"],
                           wrong=result["wrong"])


@app.route("/one_q", methods=['GET'])
@login_required
def one_q():
    print(request.args)
    q_id = request.args.get("q_id")
    question = Questions.query.filter(Questions.id == q_id).first()
    return render_template("one_q.html", question=question)


@app.route("/start_quiz", methods=['GET'])
@login_required
def start_quiz():
    no = 5
    topic_id = request.args.get('topic')
    questions = Questions.query.order_by(
        func.random()).with_entities(Questions.id).filter(
        Questions.topics_id == topic_id).limit(no)

    quest = [q[0] for q in questions]

    return render_template("start_quiz.html", questions=quest,
                           username=session['username'])


@login_required
@app.route("/show_result", methods=['POST'])
def show_result():
    selections = request.form
    correct_answers = 0
    for k, v in selections.items():
        if k.startswith("choice_"):
            print(Choice.query.filter(Choice.id == v).first().id)
            if Choice.query.filter(Choice.id == v).first().correct == 1:
                correct_answers += 1
            print(k, v)
    return "Thanks a lot:<br>Total correct Answers= " + str(correct_answers)


if __name__ == "__main__":
    app.run(debug=True)


#### Best practices for authentication and authorization:

- Hash your database passwords. Don’t store them in plain text.
- Use both autherization and authentication
- Secure the connection, use HTTPS.
- Log the failed login attempts.
- Use captcha to prevent brute force of logins.
- We can also use `OpenID` for Authentication using extension `flask-openid`

### Reference

- http://flask.pocoo.org/docs/
- https://en.wikipedia.org/wiki/HTTP_cookie
- https://www.bu.edu/tech/about/security-resources/bestpractice/auth/