# Restful Api & Flask Assignment

#     Theory Questions

**Q 1.  What is a RESTful API?**

**Ans.**  RESTful API (Representational State Transfer API) is a web service architecture that enables communication between client and server over the HTTP protocol using stateless operations. It treats server-side data as resources, each identified by a unique URI, and allows clients to perform standard operations using HTTP methods such as:

- GET – Retrieve a resource
- POST – Create a new resource
- PUT – Update an existing resource
- DELETE – Remove a resource

RESTful APIs typically exchange data in JSON format and follow a uniform interface, promoting simplicity, scalability, and maintainability in distributed systems.

**Q 2.  Explain the concept of API specification.**

**Ans.** An API specification is a formal, structured document or standard that defines how software components should interact through an Application Programming Interface (API).

Key Elements of an API Specification:

1. Endpoints & Routes: Defines the available URLs (routes) that clients can use to access or manipulate resources.
2. HTTP Methods: Specifies the operations allowed on each endpoint, such as GET, POST, PUT, and DELETE.
3. Request Parameters: Details the query parameters, path variables, headers, and body content required or optional in a request.
4. Request & Response Formats: Defines the data structure (typically JSON or XML) for both input (request) and output (response), including field types and validation rules.
5. Authentication & Authorization: Specifies how access is secured, e.g., using API keys, OAuth tokens, or JWT.
6. Error Handling: Describes standard error codes (e.g., 400, 401, 404, 500) and the format of error responses.

Why API Specifications Are Important:
- Ensure consistency and interoperability across systems
- Facilitate developer understanding and integration
- Support automated testing, documentation, and code generation
- Serve as a contract between backend developers, frontend developers, and third-party users

Common API Specification Standards:
- OpenAPI (Swagger) – Most widely used format for REST APIs
- RAML (RESTful API Modeling Language)
- API Blueprint
- gRPC Interface Definition Language (IDL) – for gRPC APIs

**Q 3. What is Flask, and why is it popular for building APIs**

**Ans.** Flask is a lightweight, open-source Python web framework used for building web applications and RESTful APIs. It is based on the Werkzeug WSGI toolkit and the Jinja2 template engine.

Why Flask Is Popular for Building APIs:
1. Lightweight and Minimalistic:
    - Flask is "micro" by design, meaning it provides the essentials without imposing structure or dependencies.
    - You only add what you need, making it ideal for simple or small-scale APIs.

2. Easy to Learn and Use
    - Flask has a clear, readable syntax and a gentle learning curve, especially for beginners in web development or Python.
    - Simple API routes can be created with just a few lines of code.

3. Flexible and Extensible
    - Flask doesn’t force a specific project layout or tools.
    - Developers can integrate any database, authentication system, or third-party library.

4. RESTful API Support
    - Flask makes it easy to define API endpoints, handle HTTP methods (GET, POST, etc.), and return JSON responses.
    - Libraries like Flask-RESTful and Flask-SQLAlchemy simplify API development even further.

5. Strong Community and Documentation
    - Flask has extensive community support, tutorials, and plugins.
    - Clear documentation helps developers implement advanced features.

**Q 4. What is routing in Flask.**

**Ans.** Routing in Flask is the process of mapping a URL to a specific function (called a view function) that will handle the request and return a response.

In simple terms, it tells Flask what to do when a user accesses a specific URL.

**Q 5. How do you create a simple Flask application?**

**Ans.** Here’s a step-by-step guide to creating a basic Flask app that runs on your local machine:

1. Install Flask: If Flask is not already installed, install it using pip:

pip install flask

2. Create the Application File: Create a Python file, e.g., app.py, and add the following code:

In [None]:
from flask import Flask

# Initialize the Flask application
app = Flask(__name__)

# Define a route
@app.route('/')
def home():
    return "Hello, Flask!"

# Run the application
if __name__ == '__main__':
    app.run(debug=True)


3. Run the Flask App: In your terminal or command prompt, navigate to the folder containing app.py, then run:

python app.py

You’ll see output like:

 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

**Q 6.  What are HTTP methods used in RESTful APIs?**

**Ans.** HTTP Methods Used in RESTful APIs : In RESTful APIs, HTTP methods define the type of operation a client wants to perform on a resource. Each method has a specific semantic meaning and is used according to the REST principles.

Common HTTP Methods:

| Method    | Purpose                            | Description                                                               |
| --------- | ---------------------------------- | ------------------------------------------------------------------------- |
| `GET`     | **Retrieve** data                  | Used to fetch data from the server (e.g., list users, get product info).  |
| `POST`    | **Create** a new resource          | Sends data to the server to create a new resource (e.g., add a new user). |
| `PUT`     | **Update** an existing resource    | Replaces an existing resource with new data (complete update).            |
| `PATCH`   | **Modify** part of a resource      | Partially updates a resource (e.g., change only a user's email).          |
| `DELETE`  | **Remove** a resource              | Deletes a specified resource from the server.                             |
| `OPTIONS` | Describe communication options     | Used to determine supported methods or CORS settings for a resource.      |
| `HEAD`    | Same as GET, without response body | Useful for checking if a resource exists or for testing.                  |


Example: User Resource

Assume we have a REST API for managing users:

| Action                 | HTTP Method | Endpoint   |
| ---------------------- | ----------- | ---------- |
| Get all users          | `GET`       | `/users`   |
| Get user by ID         | `GET`       | `/users/1` |
| Create a new user      | `POST`      | `/users`   |
| Update user info       | `PUT`       | `/users/1` |
| Partially update email | `PATCH`     | `/users/1` |
| Delete a user          | `DELETE`    | `/users/1` |


**Q 7. What is the purpose of the @app.route() decorator in Flask**

**Ans.** The @app.route() decorator in Flask is used to bind a specific URL path to a Python function. This function is called a view function and is executed when a user accesses that URL in the browser or makes an HTTP request to it.

Key Purposes:

- Defines a Route: It tells Flask which URL should trigger which function.
Handles HTTP Requests: It allows you to specify which HTTP methods (GET, POST, etc.) are accepted at that route.

In [None]:
from flask import Flask

app = Flask(__name__)

@app.route('/')
def home():
    return "Welcome to the Home Page"


**Q 8.  What is the difference between GET and POST HTTP methods?**

**Ans.** The GET and POST methods are the two most commonly used HTTP request methods in web applications and RESTful APIs. They serve different purposes and behave differently.

| Feature          | `GET`                                  | `POST`                      |
| ---------------- | -------------------------------------- | --------------------------- |
| Purpose          | Retrieve data                          | Submit or send data         |
| Data location    | URL query string                       | Request body                |
| Visibility       | Visible in browser URL                 | Hidden from URL             |
| Secure for data? | ❌ No (not suitable for sensitive data) | ✅ Yes (more secure)         |
| Idempotent       | ✅ Yes                                  | ❌ No                        |
| Use cases        | Fetching info                          | Creating or processing data |


**Q 9.  How do you handle errors in Flask APIs?**

**Ans.** Error handling in Flask is essential for building robust, user-friendly, and debuggable APIs. Flask provides multiple ways to catch and respond to errors gracefully.

 1. Using @app.errorhandler() Decorator

You can define custom responses for specific HTTP error codes (e.g., 404, 500):

In [None]:
from flask import Flask, jsonify

app = Flask(__name__)

@app.errorhandler(404)
def not_found(error):
    return jsonify({'error': 'Resource not found'}), 404

@app.errorhandler(500)
def server_error(error):
    return jsonify({'error': 'Internal server error'}), 500


2. Handling Application-Level Errors with try-except

You can catch exceptions in your route logic:

In [None]:
@app.route('/divide')
def divide():
    try:
        result = 10 / 0
        return jsonify({'result': result})
    except ZeroDivisionError:
        return jsonify({'error': 'Division by zero is not allowed'}), 400


3. Using Flask’s abort() Function

You can abort a request with a specific status code:

In [None]:
from flask import abort

@app.route('/secure')
def secure():
    abort(401)  # Unauthorized access


4. Custom Exception Handling

Define custom exceptions for domain-specific errors:

In [None]:
class InvalidUsage(Exception):
    status_code = 400

    def __init__(self, message):
        super().__init__()
        self.message = message

@app.errorhandler(InvalidUsage)
def handle_invalid_usage(error):
    response = jsonify({'error': error.message})
    return response, error.status_code


5. Logging Errors (Optional for Debugging)

You can log errors using Python's logging module:

In [None]:
import logging

logging.basicConfig(level=logging.ERROR)

@app.errorhandler(500)
def internal_error(error):
    logging.error(f"Server Error: {error}")
    return jsonify({'error': 'Unexpected error occurred'}), 500


**Q 10. How do you connect Flask to a SQL database?**

**Ans.** To connect Flask to a SQL database, you typically use an ORM (Object Relational Mapper) like SQLAlchemy, or Flask-SQLAlchemy, which integrates SQLAlchemy with Flask and simplifies database operations.

> Steps to Connect Flask to a SQL Database

1. Install Flask-SQLAlchemy

In [None]:
pip install flask flask_sqlalchemy

2. Basic Flask App with SQL Database Connection

In [None]:
from flask import Flask
from flask_sqlalchemy import SQLAlchemy

app = Flask(__name__)

# Set the database URI (Example: SQLite)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///mydatabase.db'  # For SQLite
# For PostgreSQL: 'postgresql://username:password@localhost/dbname'
# For MySQL: 'mysql+pymysql://username:password@localhost/dbname'

# Initialize the database
db = SQLAlchemy(app)

# Define a model (table)
class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(80), unique=True, nullable=False)
    email = db.Column(db.String(120), unique=True, nullable=False)

    def __repr__(self):
        return f'<User {self.username}>'

# Run this once to create the database and table
@app.before_first_request
def create_tables():
    db.create_all()

@app.route('/')
def home():
    return "Database connected!"

if __name__ == '__main__':
    app.run(debug=True)


3. Interacting with the Database

In [None]:
# Add a user
new_user = User(username='john', email='john@example.com')
db.session.add(new_user)
db.session.commit()

# Query users
users = User.query.all()


Supported Databases: Flask-SQLAlchemy supports all major SQL databases:
- SQLite
- PostgreSQL
- MySQL / MariaDB
- Oracle
- MSSQL

**Q 11.  What is the role of Flask-SQLAlchemy?**

**Ans.** Flask-SQLAlchemy is an extension for Flask that adds SQLAlchemy integration to Flask applications. It acts as a bridge between Flask and relational databases, making it easier to interact with SQL databases using Python objects (ORM).

| Feature                  | Role of Flask-SQLAlchemy                    |
| ------------------------ | ------------------------------------------- |
| ORM                      | Maps Python classes to database tables      |
| Configuration Management | Simplifies DB setup via Flask config        |
| Session Handling         | Manages transactions and connections        |
| Querying Interface       | Easy, object-based queries                  |
| Schema Management        | Create/drop tables programmatically         |
| Flask Integration        | Works natively with Flask's request context |


**Q 12. What are Flask blueprints, and how are they useful?**

**Ans.** Flask Blueprints are a way to organize your Flask application into modular, reusable components. They allow you to split your app into multiple logical parts — like APIs, admin panels, authentication, etc. — while still being part of the same main application.

> Why Blueprints Are Useful

| Benefit                   | Description                                                           |
| ------------------------- | --------------------------------------------------------------------- |
| **Modularity**            | Helps break large applications into smaller, manageable files/modules |
| **Reusability**           | A blueprint can be reused across multiple apps or projects            |
| **Clean Organization**    | Separates routes, views, templates, and static files logically        |
| **Scalability**           | Makes it easier to scale and maintain large applications              |
| **Avoid Route Conflicts** | Namespaces can be added to group related routes                       |


**Q 13.  What is the purpose of Flask's request object?**

**Ans.** The request object in Flask is used to access incoming request data sent by a client (such as a browser, mobile app, or another server). It provides a convenient interface to retrieve all kinds of data from an HTTP request.

> Main Uses of request Object

| Use Case                        | Attribute            | Example                             |
| ------------------------------- | -------------------- | ----------------------------------- |
| Get query parameters (URL args) | `request.args`       | `request.args.get('search')`        |
| Get form data (POST forms)      | `request.form`       | `request.form['username']`          |
| Get JSON data                   | `request.get_json()` | `request.get_json()['email']`       |
| Get request method              | `request.method`     | `'POST'`, `'GET'`, etc.             |
| Get headers                     | `request.headers`    | `request.headers['User-Agent']`     |
| Get cookies                     | `request.cookies`    | `request.cookies.get('session_id')` |
| Get file uploads                | `request.files`      | `request.files['image']`            |
| Get URL path                    | `request.path`       | `'/login'`                          |
| Get full URL                    | `request.url`        | `'http://localhost:5000/login'`     |


**Q 14. How do you create a RESTful API endpoint using Flask?**

**Ans.** Creating a RESTful API in Flask involves defining routes (@app.route) that respond to HTTP methods (GET, POST, etc.) and return data (usually in JSON format).

Step-by-Step Example

1. Install Flask (if not done):

In [None]:
pip install flask

2. Create the Flask App with a RESTful Endpoint

In [None]:
from flask import Flask, jsonify, request

app = Flask(__name__)

# Sample data store
users = [
    {"id": 1, "name": "Alice"},
    {"id": 2, "name": "Bob"}
]

# GET endpoint: Retrieve all users
@app.route('/api/users', methods=['GET'])
def get_users():
    return jsonify(users)

# POST endpoint: Add a new user
@app.route('/api/users', methods=['POST'])
def add_user():
    data = request.get_json()
    new_user = {
        "id": len(users) + 1,
        "name": data['name']
    }
    users.append(new_user)
    return jsonify(new_user), 201

# GET by ID: Get a single user
@app.route('/api/users/<int:user_id>', methods=['GET'])
def get_user(user_id):
    user = next((u for u in users if u['id'] == user_id), None)
    if user:
        return jsonify(user)
    return jsonify({"error": "User not found"}), 404

# DELETE: Remove a user by ID
@app.route('/api/users/<int:user_id>', methods=['DELETE'])
def delete_user(user_id):
    global users
    users = [u for u in users if u['id'] != user_id]
    return jsonify({"message": "User deleted"})

# Run the app
if __name__ == '__main__':
    app.run(debug=True)


Key RESTful Elements

| Endpoint          | Method   | Purpose             |
| ----------------- | -------- | ------------------- |
| `/api/users`      | `GET`    | Retrieve all users  |
| `/api/users`      | `POST`   | Create a new user   |
| `/api/users/<id>` | `GET`    | Get a specific user |
| `/api/users/<id>` | `DELETE` | Delete a user       |


**Q 15.  What is the purpose of Flask's jsonify() function?**

**Ans.** The jsonify() function in Flask is used to convert Python data structures into JSON format and return them as a proper HTTP response.

> Why Use jsonify() Instead of json.dumps()?

While json.dumps() just converts Python data to a JSON string, jsonify() does more:

| Feature                    | `jsonify()`               | `json.dumps()`                |
| -------------------------- | ------------------------- | ----------------------------- |
| Sets `Content-Type` header | ✅ `application/json`      | ❌ No                          |
| Returns a response object  | ✅ Flask `Response` object | ❌ Just a string               |
| UTF-8 support              | ✅ Yes                     | ⚠️ Might need manual handling |
| Flask integration          | ✅ Built-in Flask method   | ❌ Manual integration needed   |


**Q 16.  Explain Flask’s url_for() function?**

**Ans.** The url_for() function in Flask is used to dynamically build URLs for routes (view functions) by referencing their function names rather than hardcoding URLs.

**Purpose of url_for():**
- Generates correct and complete URLs
- voids hardcoding paths in your templates and views
- Makes your app more maintainable and flexible
- Supports passing parameters to dynamic routes

| Feature               | Description                                     |
| --------------------- | ----------------------------------------------- |
| Route resolution      | Generates URLs from view function names         |
| Safer than hardcoding | Prevents broken links if route paths change     |
| Template-friendly     | Usable in HTML templates with `{{ url_for() }}` |
| Parameter support     | Handles dynamic segments and query strings      |


**Q 17.  How does Flask handle static files (CSS, JavaScript, etc.)?**

**Ans.** Flask automatically serves static files (like CSS, JavaScript, and images) from a special folder named static/ in your project directory.

1. Default Static Folder Structure:

In [None]:
your_project/
│
├── app.py
├── static/
│   ├── style.css
│   └── script.js
├── templates/
│   └── index.html


2. Referencing Static Files in HTML Templates: In Jinja2 templates, use the url_for('static', filename='...') function:

In [None]:
<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" href="{{ url_for('static', filename='style.css') }}">
</head>
<body>
  <script src="{{ url_for('static', filename='script.js') }}"></script>
</body>
</html>


In [None]:
3. Serving Static Files Automatically: Flask serves static files automatically when running in development mode:

In [None]:
python app.py
# Access: http://localhost:5000/static/style.css

4. Changing the Static Folder (Optional): You can customize the static folder and URL:

In [None]:
app = Flask(__name__, static_folder='assets', static_url_path='/content')

Summary:

| Feature             | Description                                    |
| ------------------- | ---------------------------------------------- |
| Default folder      | `static/`                                      |
| Default access path | `/static/<filename>`                           |
| Template reference  | `url_for('static', filename='style.css')`      |
| Auto-serving        | Built-in when using Flask's development server |
| Customization       | Can override folder name and URL prefix        |


**Q 18.  What is an API specification, and how does it help in building a Flask API?**

**Ans.** An API specification is a detailed, formal document that defines how a client can interact with an API. It describes endpoints, methods, data formats, parameters, responses, and error codes.

Think of it as a contract or blueprint between the API provider and the client.

> Common API Specification Formats: 

- OpenAPI (Swagger) – Most widely used for REST APIs
- RAML – RESTful API Modeling Language
- API Blueprint – Markdown-based
- Postman Collections – Practical for testing, less formal

How an API Specification Helps in Building a Flask API

| Benefit                      | Description                                                                                               |
| ---------------------------- | --------------------------------------------------------------------------------------------------------- |
| ✅ **Clarity and Planning**   | Helps design your API endpoints, parameters, and expected behavior **before coding**.                     |
| ✅ **Consistency**            | Ensures all developers follow the same structure and naming conventions.                                  |
| ✅ **Auto-Documentation**     | Tools like **Swagger UI** or **Redoc** can generate **interactive docs** from the spec.                   |
| ✅ **Faster Development**     | Frontend and backend teams can **work in parallel** using the spec as a reference.                        |
| ✅ **Testing and Validation** | Enables automatic validation of requests and responses using tools like **Flask-RESTX** or **Connexion**. |
| ✅ **Client Code Generation** | Can generate SDKs or client libraries in various languages from the spec.                                 |


**Q 19. What are HTTP status codes, and why are they important in a Flask API?**

**Ans.** HTTP status codes are three-digit numbers returned by a web server to indicate the result of a client's request. They help the client (e.g., browser, mobile app, or API consumer) understand what happened on the server side.

In [None]:
 Why Are They Important in a Flask API?

In [None]:
| Benefit                           | Description                                                                |
| --------------------------------- | -------------------------------------------------------------------------- |
| 📖 **Communicate Outcome**        | Inform clients if a request was successful, invalid, unauthorized, etc.    |
| 🚫 **Handle Errors Gracefully**   | Allow clients to react properly to issues (e.g., show error messages).     |
| 🔒 **Support Security**           | Return proper codes like `401 Unauthorized` or `403 Forbidden`.            |
| 🧪 **Aid in Testing & Debugging** | Help identify problems quickly via tools like Postman or browser DevTools. |
| 🤝 **Standard Compliance**        | Makes your API predictable and RESTful, improving client compatibility.    |


Common HTTP Status Codes in Flask APIs:

| Code  | Name                  | Meaning / When to Use                                       |
| ----- | --------------------- | ----------------------------------------------------------- |
| `200` | OK                    | Request succeeded (default for `GET`)                       |
| `201` | Created               | Resource was successfully created (`POST`)                  |
| `204` | No Content            | Success, but no data to return (`DELETE` or empty response) |
| `400` | Bad Request           | Client sent invalid data                                    |
| `401` | Unauthorized          | Authentication required or failed                           |
| `403` | Forbidden             | Authenticated, but not allowed to access the resource       |
| `404` | Not Found             | Resource does not exist                                     |
| `409` | Conflict              | Duplicate entry or resource conflict                        |
| `500` | Internal Server Error | Server encountered an unexpected error                      |


In [None]:
Using Status Codes in Flask:

In [None]:
from flask import Flask, jsonify, request

app = Flask(__name__)

@app.route('/api/data', methods=['POST'])
def create_data():
    data = request.get_json()
    if not data:
        return jsonify({'error': 'Invalid data'}), 400  # Bad Request

    # Simulate creation
    return jsonify({'message': 'Created'}), 201  # Created


**Q 20. How do you handle POST requests in Flask?**

**Ans.** n Flask, a POST request is typically used to send data to the server, such as submitting a form or creating a new record in a database.

 1. Basic POST Request Handler

In [None]:
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route('/submit', methods=['POST'])
def submit():
    data = request.get_json()  # Get JSON data from request body
    name = data.get('name')
    return jsonify({'message': f'Hello, {name}!'}), 201  # Created


 To test this, send a POST request with JSON like:

In [None]:
{
  "name": "Alice"
}


2. Handling Form Data (From HTML Form):

In [None]:
@app.route('/register', methods=['POST'])
def register():
    username = request.form['username']
    email = request.form['email']
    return f"Registered {username} with {email}"


In [None]:
HTML form would look like:

In [None]:
<form method="POST" action="/register">
  <input name="username">
  <input name="email">
  <button type="submit">Register</button>
</form>


3. File Uploads:

In [None]:
@app.route('/upload', methods=['POST'])
def upload_file():
    file = request.files['file']
    file.save(f"./uploads/{file.filename}")
    return "File uploaded successfully"


Request Sources in Flask:

| Source       | Flask Attribute      | Example                      |
| ------------ | -------------------- | ---------------------------- |
| JSON Body    | `request.get_json()` | `request.get_json()['name']` |
| Form Data    | `request.form`       | `request.form['email']`      |
| File Uploads | `request.files`      | `request.files['file']`      |
| Query Params | `request.args`       | `request.args.get('page')`   |


**Q 21. How would you secure a Flask API?**

**Ans.** Securing a Flask API is critical to prevent unauthorized access, data breaches, and misuse of resources. Flask is lightweight, so you have to explicitly implement key security measures.

1. Use Authentication: Token-Based Authentication (e.g., JWT)
- Require users to include a token in request headers:

In [None]:
Authorization: Bearer <token>

Use libraries like PyJWT or Flask-JWT-Extended.


In [None]:
from flask_jwt_extended import JWTManager, jwt_required

app.config['JWT_SECRET_KEY'] = 'your-secret-key'
jwt = JWTManager(app)

@app.route('/secure-data')
@jwt_required()
def secure_data():
    return jsonify({"data": "You are authorized"})


2. Use HTTPS (SSL/TLS)2. Use HTTPS (SSL/TLS):
    - Always deploy your API over HTTPS in production.
    - Use tools like Let's Encrypt + Nginx or use platforms like Heroku, AWS, or Azure that support SSL easily.

3. Validate Input Data:
   - Never trust user input — always validate.
   - Use libraries like:
        - marshmallow
        - pydantic
        - cerberus

In [None]:
from marshmallow import Schema, fields, ValidationError

class UserSchema(Schema):
    name = fields.Str(required=True)
    email = fields.Email(required=True)


4. Prevent Cross-Site Scripting (XSS) & CSRF: 
    - For APIs, CSRF protection is less critical if you're not serving HTML forms, but it matters in web forms.
    - Use Flask's Flask-WTF for CSRF tokens or implement strict CORS policies.

5. Implement Rate Limiting: 
    - Prevent abuse (DoS/brute force) by limiting request rate.
    - Use Flask-Limiter:

In [None]:
from flask_limiter import Limiter

limiter = Limiter(app, default_limits=["100 per hour"])


6. Restrict CORS Access:
    - Use Flask-CORS to control which origins can access your API:

In [None]:
from flask_cors import CORS
CORS(app, origins=["https://yourfrontend.com"])


7. Use Proper HTTP Status Codes & Error Handling: 
    - Send 401 for unauthorized access.
    - Handle errors to avoid exposing stack traces in production.

In [None]:
@app.errorhandler(500)
def internal_error(e):
    return jsonify({"error": "Internal server error"}), 500


8. Secure Secrets & Configuration:
    - Never hardcode secrets in your code.
    - Use environment variables or tools like python-dotenv.

In [None]:
import os
app.config['SECRET_KEY'] = os.getenv('SECRET_KEY')


9. Database & ORM Security: 
    - Use parameterized queries with SQLAlchemy to prevent SQL Injection.
    - Don’t expose internal database models directly.

In [None]:
Summary Checklist: 

| Security Feature     | Description                                     |
| -------------------- | ----------------------------------------------- |
| 🔐 Authentication    | Use JWT, OAuth, or session-based methods        |
| 🛡 Input Validation  | Sanitize and validate all incoming data         |
| 🌐 HTTPS             | Encrypt communication                           |
| 🚦 Rate Limiting     | Control abuse and overload                      |
| 🌍 CORS Control      | Limit API access to trusted domains             |
| 🧪 Error Handling    | Don’t leak internal errors                      |
| 🔑 Secret Management | Use environment variables for keys/tokens       |
| 🛠 Database Security | Prevent SQL injection & restrict model exposure |


**Q22. What is the significance of the Flask-RESTful extension?**

**Ans.** Flask-RESTful is an extension for Flask that simplifies the process of building RESTful APIs by adding support for:

- clean resource-based routing,
- automatic request parsing,
- and structured responses.

Why Use Flask-RESTful?

| Feature                         | Benefit                                                                |
| ------------------------------- | ---------------------------------------------------------------------- |
| 📦 **Class-Based Resources**    | Organize your API endpoints as classes instead of functions            |
| 📤 **Built-in Request Parsing** | Easy access to request data via `reqparse` or `request.get_json()`     |
| 📘 **Clean Code Structure**     | Encourages separation of logic (one class per resource)                |
| 🌐 **REST Convention Support**  | Automatically maps HTTP methods (`GET`, `POST`, etc.) to class methods |
| 🧩 **Easy Integration**         | Integrates smoothly with Flask and other extensions like SQLAlchemy    |


**Q 23. What is the role of Flask’s session object?**

**Ans.** The session object in Flask is used to store data across requests for a specific user — similar to how cookies work. It helps you keep track of user-specific data (like login status or preferences) between different HTTP requests.

*Key Features of session in Flask*

| Feature                      | Description                                                                   |
| ---------------------------- | ----------------------------------------------------------------------------- |
| 🧠 **User-Specific Storage** | Stores data that persists across multiple requests (e.g., logged-in user ID)  |
| 🔒 **Secure by Default**     | Data is stored in a cookie, **signed** with a secret key to prevent tampering |
| 🛠️ **Easy to Use**          | Acts like a Python dictionary (`session['key'] = value`)                      |


#     Practical Questions

**Q 1. How do you create a basic Flask application?**

**Ans.** Here’s how to build a simple Flask app from scratch that responds with “Hello, World!”

Step 1: Install Flask : Open your terminal or command prompt and run:

In [None]:
pip install flask

Step 2: Create Your Flask App File: Create a file named app.py and write the following code:

In [None]:
from flask import Flask

app = Flask(__name__)  # Initialize the Flask app

@app.route('/')  # Define a route for the root URL
def home():
    return 'Hello, World!'  # Response when the route is accessed

if __name__ == '__main__':
    app.run(debug=True)  # Run the app in debug mode


Step 3: Run the Flask App: In your terminal, navigate to the folder where app.py is located and run:

In [None]:
python app.py

Step 4: Open in Browser:  Visit this URL in your browser:

In [None]:
http://127.0.0.1:5000/

You’ll see:

In [None]:
Hello, World!

**Q 2.  How do you serve static files like images or CSS in Flask?**

**Ans.** Flask automatically serves static files (like CSS, JS, images, fonts, etc.) from a special folder named static/.

**1. Project Structure**

In [None]:
your_project/
│
├── app.py
├── static/
│   ├── style.css
│   └── logo.png
├── templates/
│   └── index.html


- All static files go inside the static/ directory.
- Flask makes them accessible via /static/<filename> URL path.

**2. Access Static Files in HTML Templates**    
- In a Jinja2 template (e.g., templates/index.html):

In [None]:
<!DOCTYPE html>
<html>
<head>
  <title>Flask Static Example</title>
  <link rel="stylesheet" href="{{ url_for('static', filename='style.css') }}">
</head>
<body>
  <h1>Welcome</h1>
  <img src="{{ url_for('static', filename='logo.png') }}" alt="Logo">
</body>
</html>


**3. Sample app.py**

In [None]:
from flask import Flask, render_template

app = Flask(__name__)

@app.route('/')
def home():
    return render_template('index.html')

if __name__ == '__main__':
    app.run(debug=True)


**Q 3. How do you define different routes with different HTTP methods in Flask?**

**Ans.** In Flask, you define routes using the @app.route() decorator and specify allowed HTTP methods like GET, POST, PUT, DELETE, etc.

**Basic Example with Different Methods:**

In [None]:
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route('/user', methods=['GET'])
def get_user():
    return jsonify({"message": "GET request received"}), 200

@app.route('/user', methods=['POST'])
def create_user():
    data = request.get_json()
    return jsonify({"message": "User created", "data": data}), 201


**Handling Multiple Methods in a Single Route**

In [None]:
@app.route('/item', methods=['GET', 'POST'])
def item():
    if request.method == 'GET':
        return jsonify({"message": "GET method"})
    elif request.method == 'POST':
        data = request.get_json()
        return jsonify({"message": "POST method", "received": data})


**Using Route Parameters**

In [None]:
@app.route('/product/<int:product_id>', methods=['GET', 'DELETE'])
def product(product_id):
    if request.method == 'GET':
        return jsonify({"product_id": product_id})
    elif request.method == 'DELETE':
        return jsonify({"message": f"Product {product_id} deleted"})


*Common HTTP Methods and Their Uses*

| Method   | Purpose                     |
| -------- | --------------------------- |
| `GET`    | Retrieve data               |
| `POST`   | Create a new resource       |
| `PUT`    | Update a resource (replace) |
| `PATCH`  | Update part of a resource   |
| `DELETE` | Remove a resource           |


**Q 4.  How do you render HTML templates in Flask?**

**Ans.** In Flask, you render HTML pages using the Jinja2 templating engine with the render_template() function. Templates are stored in a folder named templates/.

*1. Project Structure Example*

In [None]:
your_project/
├── app.py
├── templates/
│   └── index.html


*2. Create an HTML Template (templates/index.html)*

In [None]:
<!DOCTYPE html>
<html>
<head>
  <title>Welcome</title>
</head>
<body>
  <h1>Hello, {{ name }}!</h1>
</body>
</html>


> {{ name }} is a Jinja2 placeholder that will be filled from Flask.

*3. Render Template from Flask App (app.py)*

In [None]:
from flask import Flask, render_template

app = Flask(__name__)

@app.route('/')
def home():
    return render_template('index.html', name='Alice')  # Passing data to template

if __name__ == '__main__':
    app.run(debug=True)


*4. Passing Multiple Variables*

In [None]:
return render_template('index.html', name='Alice', age=30)


> In HTML:

In [None]:
<p>{{ name }} is {{ age }} years old.</p>

**Q 5.  How can you generate URLs for routes in Flask using url_for?**

**Ans.** Flask’s url_for() function is used to dynamically generate URLs for your view functions based on their function names, rather than hardcoding paths.

This makes your app more maintainable, modular, and error-resistant — especially when routes or parameters change.

1. Basic Usage

In [None]:
from flask import Flask, url_for

app = Flask(__name__)

@app.route('/home')
def home():
    return "Welcome Home"

@app.route('/')
def index():
    return f"Go to home: {url_for('home')}"


> url_for('home') returns: /home

2. With Route Parameters

In [None]:
@app.route('/user/<username>')
def profile(username):
    return f"User: {username}"

@app.route('/')
def index():
    return url_for('profile', username='john')


>  This generates: /user/john

3. Add Query Parameters

In [None]:
url_for('search', q='flask', page=2)
# Output: /search?q=flask&page=2


4. Use in HTML Templates

In [None]:
<a href="{{ url_for('home') }}">Home</a>


> Jinja2 templates support url_for the same way as in Python code.

**Q 6. How do you handle forms in Flask?**

**Ans.** Flask can handle HTML forms by receiving POST requests from the client and accessing form data via the request.form object.

*1. Create a Simple HTML Form:* Place this in templates/form.html:

In [None]:
<!DOCTYPE html>
<html>
<head>
  <title>Form Example</title>
</head>
<body>
  <form method="POST" action="/submit">
    Name: <input type="text" name="name"><br>
    Email: <input type="email" name="email"><br>
    <input type="submit" value="Submit">
  </form>
</body>
</html>


*2. Flask App to Render & Handle the Form:*

In [None]:
from flask import Flask, request, render_template

app = Flask(__name__)

@app.route('/')
def index():
    return render_template('form.html')

@app.route('/submit', methods=['POST'])
def submit():
    name = request.form['name']
    email = request.form['email']
    return f"Received: Name = {name}, Email = {email}"


*3. Access Form Data:*
- request.form['field_name'] – gets the value (throws error if missing)
- request.form.get('field_name') – safer; returns None if missing


*4. Optional: Use Flask-WTF for Form Handling*

For more secure and robust form handling:
- CSRF protection
- Built-in validation
- Clean Python classes for form structure

In [None]:
pip install flask-wtf

**Example with FlaskForm:**

In [None]:
from flask_wtf import FlaskForm
from wtforms import StringField, SubmitField
from wtforms.validators import DataRequired

class MyForm(FlaskForm):
    name = StringField('Name', validators=[DataRequired()])
    submit = SubmitField('Submit')


**Q 7. How can you validate form data in Flask?**

**Ans.** You can validate form data in Flask in two main ways:

*1. Manual Validation (Basic Approach)*

Use request.form and write validation logic manually.

In [None]:
from flask import Flask, request, render_template_string

app = Flask(__name__)

form_html = '''
<form method="POST">
  Name: <input type="text" name="name"><br>
  Age: <input type="number" name="age"><br>
  <input type="submit" value="Submit">
</form>
'''

@app.route('/', methods=['GET', 'POST'])
def form():
    if request.method == 'POST':
        name = request.form.get('name')
        age = request.form.get('age')

        if not name or not age.isdigit():
            return "Invalid input. Name is required and age must be a number."
        
        return f"Hello {name}, age {age}"
    
    return render_template_string(form_html)


*2. Using Flask-WTF (Recommended for Production)*

**Flask-WTF integrates with Flask and provides:**

- Form classes
- Field validators
- CSRF protection

**Step 1: Install Flask-WTF:**

In [None]:
pip install flask-wtf


**Step 2: Configure Flask App**

In [None]:
app.secret_key = 'your_secret_key'  # Required for CSRF protection


**Step 3: Define a Form Class**

In [None]:
from flask_wtf import FlaskForm
from wtforms import StringField, IntegerField, SubmitField
from wtforms.validators import DataRequired, NumberRange

class MyForm(FlaskForm):
    name = StringField('Name', validators=[DataRequired()])
    age = IntegerField('Age', validators=[DataRequired(), NumberRange(min=1, max=120)])
    submit = SubmitField('Submit')


**Step 4: Use the Form in a Route**

In [None]:
from flask import render_template

@app.route('/validate', methods=['GET', 'POST'])
def validate():
    form = MyForm()
    if form.validate_on_submit():
        return f"Name: {form.name.data}, Age: {form.age.data}"
    return render_template('form_template.html', form=form)


**Example form_template.html:**

In [None]:
<form method="POST">
  {{ form.csrf_token }}
  {{ form.name.label }} {{ form.name() }}<br>
  {{ form.age.label }} {{ form.age() }}<br>
  {{ form.submit() }}
</form>


**Q 8.  How do you manage sessions in Flask?**

**Ans.** In Flask, sessions are used to store data across multiple requests from the same user — like login info, preferences, or a shopping cart. Sessions are stored client-side in cookies, but signed and secured with a secret key.

*1. Enable Sessions in Flask*

Flask comes with session support built-in — you only need to set a SECRET_KEY:

In [None]:
from flask import Flask, session

app = Flask(__name__)
app.secret_key = 'your_secret_key'  # 🔐 Required to secure the session data


In [None]:
*2. Storing Data in Session*

In [None]:
@app.route('/login')
def login():
    session['username'] = 'alice'  # Store data in session
    return 'User logged in'


*3. Accessing Session Data*

In [None]:
@app.route('/dashboard')
def dashboard():
    username = session.get('username')
    if username:
        return f'Welcome, {username}'
    return 'You are not logged in'


*4. Removing Data from Session*

In [None]:
@app.route('/logout')
def logout():
    session.pop('username', None)  # Safely remove data
    return 'Logged out'


*5. Make Sessions Permanent (Optional)*

By default, sessions expire when the browser is closed. You can make them permanent:

In [None]:
from datetime import timedelta

app.permanent_session_lifetime = timedelta(days=7)

@app.route('/login')
def login():
    session.permanent = True
    session['username'] = 'alice'
    return 'Session will last 7 days'


**Q 9.  How do you redirect to a different route in Flask?**

**Ans.** In Flask, you can redirect users from one route to another using the redirect() function, often combined with url_for() for cleaner and dynamic URL handling.

*Basic Example: Redirect with redirect() and url_for()*

In [None]:
from flask import Flask, redirect, url_for

app = Flask(__name__)

@app.route('/')
def index():
    return redirect(url_for('welcome'))  # Redirects to the /welcome route

@app.route('/welcome')
def welcome():
    return 'Welcome to the site!'


**How It Works:**
| Function        | Purpose                                    |
| --------------- | ------------------------------------------ |
| `redirect(url)` | Issues an HTTP 302 response to redirect    |
| `url_for()`     | Generates the target URL from a route name |


*Redirect with Query Parameters (Optional)*

In [None]:
@app.route('/login')
def login():
    return redirect(url_for('dashboard', user='admin'))

@app.route('/dashboard')
def dashboard():
    user = request.args.get('user')
    return f"Welcome {user}"


*Redirect with Specific Status Code (Optional)*

In [None]:
return redirect(url_for('home'), code=301)  # Permanent Redirect


**Q 10. How do you handle errors in Flask (e.g., 404)?**

**Ans.** Flask allows you to gracefully handle HTTP errors like 404 Not Found, 500 Internal Server Error, etc., by using custom error handlers.

*1. Use @app.errorhandler() Decorator*

-  Example: Custom 404 Page

In [None]:
from flask import Flask, render_template

app = Flask(__name__)

@app.errorhandler(404)
def page_not_found(error):
    return render_template('404.html'), 404


This renders a custom HTML template when a page is not found.

*2. Handle Other Errors (500, 403, etc.)*

In [None]:
@app.errorhandler(500)
def internal_server_error(error):
    return render_template('500.html'), 500

@app.errorhandler(403)
def forbidden(error):
    return "Access Forbidden", 403


* 3. Generic Error Catching*

In [None]:
@app.errorhandler(Exception)
def handle_exception(e):
    return f"An unexpected error occurred: {str(e)}", 500


⚠️ Use with caution — this catches all exceptions, including Flask internals.

*4. Minimal 404 Example Without Templates*

In [None]:
@app.errorhandler(404)
def not_found(error):
    return "This page does not exist.", 404


**Q 11.  How do you structure a Flask app using Blueprints?**

**Ans.** Flask Blueprints allow you to modularize your application by breaking it into smaller, manageable components (like users, products, admin). They're perfect for large projects or APIs with many routes.

*1. Why Use Blueprints?*

| Benefit              | Description                                       |
| -------------------- | ------------------------------------------------- |
| 🧱 Modular Structure | Organize code by feature or section               |
| 🔄 Reusability       | Can reuse Blueprints across apps                  |
| 🧼 Clean Code        | Keeps routes, logic, and views separated          |
| 🚀 Scalable          | Easier to maintain and grow the project structure |


*2. Basic Folder Structure with Blueprints*

In [None]:
myapp/
├── app.py
├── users/
│   ├── __init__.py
│   └── routes.py
├── products/
│   ├── __init__.py
│   └── routes.py
├── templates/
│   └── ...


*3. Step-by-Step Blueprint Setup* :

> users/routes.py

In [None]:
from flask import Blueprint

users_bp = Blueprint('users', __name__)

@users_bp.route('/profile')
def profile():
    return "User Profile"


> users/__init__.py

In [None]:
from .routes import users_bp

> app.py – Main App File

In [None]:
from flask import Flask
from users.routes import users_bp
from products.routes import products_bp

app = Flask(__name__)

# Register blueprints
app.register_blueprint(users_bp, url_prefix='/users')
app.register_blueprint(products_bp, url_prefix='/products')

if __name__ == '__main__':
    app.run(debug=True)


*4. Access URLs*

| Route Registered              | Final URL in Browser |
| ----------------------------- | -------------------- |
| `@users_bp.route('/profile')` | `/users/profile`     |
| `@products_bp.route('/list')` | `/products/list`     |


*Custom Blueprint Options*

In [None]:
bp = Blueprint('name', __name__, template_folder='templates', static_folder='static')


**Q 12.  How do you define a custom Jinja filter in Flask?**

**Ans.** In Flask, you can create custom Jinja filters to transform data directly in your HTML templates. This is useful when built-in filters like |upper or |length aren’t enough.

*1. Define a Custom Filter Function*

Create a regular Python function that accepts a value (and optional arguments):

In [None]:
def reverse_string(s):
    return s[::-1]


*2. Register the Filter with Flask*

Register your function using app.template_filter():

In [None]:
from flask import Flask

app = Flask(__name__)

@app.template_filter('reverse')
def reverse_string(s):
    return s[::-1]


You can also register it manually:

In [None]:
app.jinja_env.filters['reverse'] = reverse_string


*3. Use the Filter in a Template*

Inside your template (e.g., templates/example.html):

In [None]:
<p>Original: {{ "Hello" }}</p>
<p>Reversed: {{ "Hello" | reverse }}</p>


> Output:

In [None]:
Original: Hello  
Reversed: olleH


*4. Add Filters from Blueprints*

If you're using Blueprints:

In [None]:
bp = Blueprint('example', __name__)

@bp.app_template_filter('double')
def double_number(n):
    return n * 2


Flask will automatically register the filter with the app when the Blueprint is registered.

**Q 13.  How can you redirect with query parameters in Flask/**

**Ans>** To redirect with query parameters in Flask, you use:

1. redirect() – to perform the redirection
2. url_for() – to dynamically build the URL with query parameters

*Example: Redirect with Query Parameters*

In [None]:
from flask import Flask, redirect, url_for, request

app = Flask(__name__)

@app.route('/')
def index():
    # Redirect to /search with query parameters
    return redirect(url_for('search', q='flask', page=2))

@app.route('/search')
def search():
    query = request.args.get('q')
    page = request.args.get('page')
    return f"Search Query: {query}, Page: {page}"


> Redirected URL:

In [None]:
/search?q=flask&page=2


*Breakdown*

| Step                      | Code                               |
| ------------------------- | ---------------------------------- |
| Build URL with parameters | `url_for('route_name', key=value)` |
| Redirect to that URL      | `redirect(url_for(...))`           |
| Access query params       | `request.args.get('key')`          |


*Accessing Query Parameters*

In the target route:

In [None]:
value = request.args.get('your_key')

**Q 14. How do you return JSON responses in Flask?**

**Ans.** In Flask, the recommended way to return JSON responses is using the built-in jsonify() function. It automatically:

- Converts Python dictionaries/lists to JSON,
- Sets the correct Content-Type: application/json header.

*1. Basic Example Using jsonify*

In [None]:
from flask import Flask, jsonify

app = Flask(__name__)

@app.route('/api/data')
def get_data():
    data = {"name": "Alice", "age": 30}
    return jsonify(data)


> Output:

In [None]:
{
  "name": "Alice",
  "age": 30
}


*2. Returning Lists or Arrays*

In [None]:
@app.route('/api/items')
def get_items():
    return jsonify(["apple", "banana", "cherry"])


*3. Adding Status Codes*

In [None]:
@app.route('/api/error')
def error():
    return jsonify({"error": "Not found"}), 404


*4. Returning JSON Manually (Not Recommended)*

In [None]:
from flask import Response
import json

@app.route('/manual')
def manual_json():
    data = {"message": "manual JSON"}
    return Response(json.dumps(data), mimetype='application/json')


*4. Returning JSON Manually (Not Recommended)*

In [None]:
from flask import Response
import json

@app.route('/manual')
def manual_json():
    data = {"message": "manual JSON"}
    return Response(json.dumps(data), mimetype='application/json')


**Q 15. How do you capture URL parameters in Flask?**

**Ans.** Flask allows you to capture dynamic parts of a URL using route parameters. These are defined in your route using angle brackets (< >) and passed to the view function as arguments.

*1. Basic Example: Capture a String*

In [None]:
from flask import Flask

app = Flask(__name__)

@app.route('/user/<username>')
def show_user(username):
    return f"Hello, {username}!"


- URL: /user/ali
- Output: Hello, ali!

*2. Capture an Integer*

In [None]:
@app.route('/post/<int:post_id>')
def show_post(post_id):
    return f"Post ID: {post_id}"


In [None]:
*3. Capture Multiple Parameters*

In [None]:
@app.route('/book/<title>/<int:page>')
def read_page(title, page):
    return f"Reading '{title}' page {page}"


- URL: /book/Flask101/5
- Output: Reading 'Flask101' page 5

In [None]:
*4. Supported Converters*

| Converter  | Description                    |
| ---------- | ------------------------------ |
| `<string>` | (Default) Accepts any string   |
| `<int>`    | Accepts positive integers only |
| `<float>`  | Accepts floating-point numbers |
| `<path>`   | Like string, but includes `/`  |
| `<uuid>`   | Accepts UUID strings           |


In [None]:
@app.route('/files/<path:filepath>')
def serve_file(filepath):
    return f"Serving file at: {filepath}"


/files/documents/report.pdf → Serving file at: documents/report.pdf