# Chapter 7 : Large Application Structure

## Project Structure

|-flasky  
 |-app/    
   |-templates/    
   |-static/   
   |-main/      
     |-__init__.py      
     |-errors.py      
     |-forms.py      
     |-views.py    
   |-__init__.py   
   |-email.py    
   |-models.py  
 |-migrations/  
 |-tests/    
   |-__init__.py    
   |-test\*.py  
 |-venv/  
 |-requirements.txt
 |-config.py  
 |-manage.py

- Blueprints are created by instantiating an object of class Blueprint. The constructor for this class takes two required arguments: the blueprint name and the module or package where the blueprint is located. As with applications, Python’s __name__ variable is in most cases the correct value for the second argument. 

- The routes of the application are stored in an app/main/views.py module inside the package, and the error handlers are in app/main/errors.py. Importing these modules causes the routes and error handlers to be associated with the blueprint. It is important to note that the modules are imported at the bottom of the app/__init__.py script to avoid circular dependencies, because views.py and errors.py need to import the main blueprint. 

In [None]:
# in app/main/__init__.py
from flask import Blueprint

main = Blueprint('main', __name__)

from . import views. errors

In [None]:
# in app/__init__.py : blueprint registration
def create_app(config_name):
    # ...
    
    from main import main as main_blueprint
    app.register_blueprint(main_blueprint)
    
    return app

# in app/main/errors.py : blueprint with error handlers
from flask import render_template
from . import main

@main.app_errorhandler(404)
def page_not_found(e):
    return render_template('404.html'), 404

@main.app_errorhandler(500)
def internal_server_error(e):
    return render_template('500.html'), 500

- A difference when writing error handlers inside a blueprint is that if the errorhandler decorator is used, the handler will only be invoked for errors that originate in the blueprint. To install application-wide error handlers, the app_errorhandler must be used instead. 

In [None]:
# in app/main/views.py : blueprint with application
from datetime import datetime
from flask import render_template, session, redirect, url_for
from . import main
from .forms import NameForm
from .. import db
from ..models import User

@main.route('/', methods=['GET', 'POST'])
def index():
    form = NameForm()
    if form.validate_on_submit():
        # ...
        return redirect(url_for('.index'))
    return render_template('index.html',
                          form=form, name=session.get('name'),
                          known=session.get('known', False),
                          current_time=datetime.utcnow())


- There are two main differences when writing a view function inside a blueprint. First, **as was done for error handlers earlier, the route decorator comes from the blueprint**. The second difference is in **the usage of the url_for() function**. As you may recall, the first argument to this function is the endpoint name of the route, which for applicationbased routes defaults to the name of the view function. For example, in a single-script application the URL for an index() view function can be obtained with url_for('index'). 

- **The difference with blueprints is that Flask applies a namespace to all the endpoints coming from a blueprint so that multiple blueprints can define view functions with the same endpoint names without collisions**. The namespace is the name of the blueprint (the first argument to the Blueprint constructor), so the index() view function is registered with endpoint name main.index and its URL can be obtained with url_for('main.index'). 

- The url_for() function also supports a shorter format for endpoints in blueprints in **which the blueprint name is omitted, such as url_for('.index')**. With this notation, the blueprint for the current request is used. This effectively means that redirects **within the same blueprint can use the shorter form, while redirects across blueprints must use the namespaced endpoint name.** 

## Launch Script

In [None]:
# in manage.py : launch script

#!/usr/bin/env python
import os
from app import create_app, db
from app.models import User, Role
from flask_script import Manager, Shell
from flask_migrate import Migrate, MigrateCommand

app = create_app(os.getenv('FLASK_CONFIG') or 'default')
manager = Manager(app)
migrate = Migrate(app, db)

def make_shell_context():
    return dict(app=app, db=db, User=User, Role=Role)
manager.add_command("shell", Shell(make_context=make_shell_context))
manager.add_command('db', MigrateCommand)

if __name__ == '__main__':
    
    manager.run()
    

## Requirements File

- Applications must include a requirements.txt file that records all the package dependencies, with the exact version numbers. This is important in case the virtual environment needs to be regenerated in a different machine, such as the machine on which the application will be deployed for production use. This file can be generated automatically by pip with the following command:
- ** pip freeze > requirements.txt **

- When you need to build a perfect replica of the virtual environment, you can create a new virtual environment and run the following command on it:

- ** pip install -r requirements.txt **


## Unit Tests

In [None]:
# in tests/test_basics.py : unit tests

import unittest
from flask import current_app
from app import create_app, db

class BasicTestCase(unittest.TestCase):
    def setUp(self):
        self.app = create_app('testing')
        self.app_context = self.app.app_context()
        self.app_context.push()
        db.create_all()
        
    def tearDown(self):
        db.session.remove()
        db.drop_all()
        self.app_context.pop()
        
    def test_app_exists(self):
        self.assertFalse(current_app is None)
        
    def test_app_is_testing(self):
        self.assertTrue(current_app.config['TESTING'])
            

- The setUp() method tries to create an environment for the test that is close to that of a running application. It first creates an application configured for testing and activates its context. This step ensures that tests have access to current_app, like regular requests. Then it creates a brand-new database that the test can use when necessary. The database and the application context are removed in the tearDown() method. 

- The first test ensures that the application instance exists. The second test ensures that the application is running under the testing configuration. To make the tests folder a proper package, a tests/__init__.py file needs to be added, but this can be an empty file, as the unittest package can scan all the modules and locate the tests.


In [None]:
# in manage.py : unittest launcher command

@manager.command
def test():
    """Run the unit tests."""
    import unittest
    tests = unittest.TestLoader().discover('tests')
    unittest.TextTestRunner(verbosity=2).run(tests)

- The manager.command decorator makes it simple to implement custom commands. The name of the decorated function is used as the command name, and the function’s docstring is displayed in the help messages. The implementation of test() function invokes the test runner from the unittest package. 

- ** python manage.py test **

## Database Setup

- The database URL is taken from an environment variable as a first choice, with a default SQLite database as an alternative. The environment variables and SQLite database filenames are different for each of the three configurations. For example, in the development configuration the URL is obtained from environment variable DEV_DATABASE_URL, and if that is not defined then a SQLite database with the name data-dev.sqlite is used.

# Part 2 : A Social Blogging Application

## Password Security

- The key to storing user passwords securely in a database relies not on storing the password itself but a hash of it. 

## Hashing Passwords with Werkzeug 
- generate_password_hash(password, method=pbkdf2:sha1, salt_length=8) :This function takes a plain-text password and returns the password hash as a string that can be stored in the user database. The default values for method and salt_length are sufficient for most use cases. 

- check_password_hash(hash, password) : This function takes a password hash retrieved from the database and the password entered by the user. A return value of True indicates that the password is correct. 

  1 from werkzeug.security import generate_password_hash, check_password_hash
  2
  3
  4
  5 class User(db.Model):
  6     # ...
  7     password_hash = db.Column(db.String(128))
  8
  9     class Meta:
 10         database = DATABASE
 11
 12     @property
 13     def password(self):
 14         raise AttributeError('password is not a readable attribute')
 15
 16     @password.setter
 17     def password(self, password):
 18         self.password_hash = generate_password_hash(password)
 19
 20     def verify_password(self, password):
 21         return check_password_hash(self.password_hash, password)

- The password hashing function is implemented through a write-only property called password. When this property is set, the setter method will call Werkzeug’s generate_password_hash() function and write the result to the password_hash field. Attempting to read the password property will return an error, as clearly the original password cannot be recovered once hashed. 

- The verify_password method takes a password and passes it to Werkzeug’s check_password_hash() function for verification against the hashed version stored in the User model. If this method returns True, then the password is correct.

## Creating an Authentication Blueprint

- Blueprints were introduced in Chapter 7 as a way to define routes in the global scope after the creation of the application was moved into a factory function. The routes related to the user authentication system can be added to a auth blueprint. Using different blueprints for different sets of application functionality is a great way to keep the code neatly organized. 

- Note that the template file given to render_template() is stored inside the auth folder. This folder must be created inside app/templates, as Flask expects the templates to be relative to the application’s template folder. By storing the blueprint templates in their own folder, there is no risk of naming collisions with the main blueprint or any other blueprints that will be added in the future.


## User Authentication with Flask-Login
- When users log in to the application, their authenticated state has to be recorded so that it is remembered as they navigate through different pages. Flask-Login is a small but extremely useful extension that specializes in managing this particular aspect of a user authentication system, without being tied to a specific authentication mechanism. 

### Preparing the User Model for Logins
- is_authenticated()
- is_active()
- is_anonymous()
- get_id()

In [None]:
# in app/models.py : updates to the User model to support user logins
from flask.ext.login import UserMixin

class User(UserMixin, db.Model):
     __tablename__ = 'users'    
    id = db.Column(db.Integer, primary_key = True)    
    email = db.Column(db.String(64), unique=True, index=True)    
    username = db.Column(db.String(64), unique=True, index=True)    
    password_hash = db.Column(db.String(128))    
    role_id = db.Column(db.Integer, db.ForeignKey('roles.id'))


- The session_protection attribute of the LoginManager object can be set to None, 'basic', or 'strong' to provide different levels of security against user session tampering. With the 'strong' setting, Flask-Login will keep track of the client’s IP address and browser agent and will log the user out if it detects a change. The login_view attribute sets the endpoint for the login page. Recall that because the login route is inside a blueprint, it needs to be prefixed with the blueprint name. 

In [None]:
# in app/__init__.py : flask-login initialization
from flask.ext.login import LoginManager

login_manager = LoginManager() 
login_manager.session_protection = 'strong' 
login_manager.login_view = 'auth.login'

def create_app(config_name):    
    # ...    
    login_manager.init_app(app)    
    # ...

In [None]:
# in app/models.py : User loader callback function
from . import login_manager

@login_manager.user_loader 
def load_user(user_id):    
    return User.query.get(int(user_id))

### Protecting Routes

In [None]:
from flask.ext.login import login_required
@app.route('/secret') 
@login_required 
def secret():    
    return 'Only authenticated users are allowed!'


# ~ p.117
