# Building your own API

Exercise book created by [Dr. Irene Unceta](https://linkedin.com/in/ireneunceta/)

Solution: [Kartik Thopalli](https://www.linkedin.com/in/kartik-thopalli/)

<div class="alert alert-success">In this notebook, we will learn how to set our own API up and running and implement the different methods.</div>

Throughout this class we will learn how to create a REST Api to interact with the ```products.csv``` dataset. Make sure you download it before proceeding to work on this notebook. In addition to that file, this exercise will require that you also interact with the ```first_api.py``` script.

### Readying your working environment

In what follows, we will use Python's ```flask``` and ```flask_restful``` libraries. To use them, you will need to manually install them first. Do so by running the cells below.

In [1]:
# pip install flask

In [2]:
# pip install flask_restful

In [3]:
import flask
import flask_restful

You can take a look at the documentation for the ```flask``` library [here](https://flask.palletsprojects.com/en/2.2.x/), while the documentation for ```flask_restful```can be found [here](https://flask-restful.readthedocs.io/en/latest/). It might be a good idea to take a look at both to familiarize yourself with them.

### A minimal API

The code below shows an example of a minimal Flask-RESTful API. The same code has been included in the ```first_api.py``` file. This code launches a very simple built-in server, which is good enough for our purposes.

Let's break down the code to understand what the different parts are doing.

```from flask import Flask```
> Imports the ```Flask``` class from the ```flask``` library. 

```from flask_restful import Resource, Api```
> Imports the ```Resource``` and ```Api``` classes from the ```flask_restful``` library. 

```app = Flask(__name__)```
> Creates an instance of the ```Flask``` class. This instance implements a WSGI application and acts as the central object. The first argument is the name of the application’s module or package. ```__name__``` is a convenient shortcut for this that is appropriate for most cases. This is needed so that Flask knows where to look for resources such as templates and static files. Once it is created the ```app``` object will act as a central registry for the view functions, the URL rules, template configuration and much more. 

```api = Api(app)```
> Creates the main entry point for your application. You initialize it with the Flask Application implemented in the previous step. You can read more on the ```Api``` class [here](https://flask-restful.readthedocs.io/en/latest/api.html).

```class HelloWorld(Resource):
    def get(self):
        return {'status': 200, 'response': 'Hello world'}, 200```
        
> Creates the ```HelloWorld``` resource. Resources are the main building block provided by Flask-RESTful. Resources are built on top of Flask pluggable views, giving you easy access to multiple HTTP methods just by defining methods on your resource. The ```Resource``` class enables creation of basic CRUD (Create, Read, Update, Delete) methods. The code above implements the ```get``` method, which returns the value ```{'status': 200, 'response': 'Hello world'}``` and default status code ```200```.

```api.add_resource(HelloWorld, '/')```
> Calls the ```add_resource``` method to add the ```HelloWorld``` resource to your api. You can read the documentation for this method [here](https://flask-restful.readthedocs.io/en/latest/api.html). It accepts several parameters. Here, we are interest mainly in the first three: ```resource```, ```urls``` and ```endpoint```. ```resource``` refers to the class name of the resource; in our case, ```HelloWorld```. ```urls```defines one or more url routes to match for the resource. Modern web applications use meaningful URLs to help users. Users are more likely to like a page and come back if the page uses a meaningful URL they can remember and use to directly visit a page. In our case, the ```urls``` are set to ```'/'```, which means that the resource will be accessible directly from the base API url. Finally, ```endpoint``` takes the desired endpoint name. We have provided no endpoint.

```app.run(debug=True)```
> Runs the application. The ```debug=True``` parameter enables debugging access to the application. By enabling debug mode, the server will automatically reload if code changes, and will show an interactive debugger in the browser if an error occurs during a request. If you are launching the application directly from a Jupyter notebook interface set ```use_reloader=False``` to ensure no issues arise. 

### Getting the basics

There are two ways in which you can execute the code above: using an external .py file or directly from this (or some other) notebook.

#### Launching from the external .py file

Because the code is not included in this notebook, but in a .py file, you won't be able to execute it directly by clicking on the `Run` button. Instead, open a new terminal window and launch the script by running `python CC2022_S2_api.py`. 

You can do so using the local terminal application in your computer or opening a new terminal window from the JupyterLab interface. For the latter, head over to your `Home` directory and click on the `New` tab to the top right of the screen, followed by `Terminal`, as shown below. 

<img src="https://www.dropbox.com/s/ieii1uaf97v0esu/Screenshot%202022-09-29%20at%2017.16.01.png?dl=1" width="800">

This should launch a new terminal window like the one below.

<div class="alert alert-warning">
    Note that unless you launch the terminal from the same directory where <i>CC2022_S2_api.py</i> is located, you will need to provide the relative path to your file to run your code.
</div>

#### Launching from a .ipynb file

You can alternatively launch the file directly from a notebook by copy pasting the code on a separate cell. When doing that, make sure you set the `use_realoader=False` at the end.

> Launching code from the notebook won't allow you to enter the debug mode. That means that you will need to interrupt the execution and run the code again after every change. That's why it's recommended to launch the code from a separate notebook, and simply keep this for checks and tests.

#### Checking the server

After you execute the code, head over to http://127.0.0.1:5000/. You should see your ```"HelloWorld"``` greeting there. 

<div class="alert alert-warning">
    Note that if another program is already using port 5000, an error will be raised when the server tries to start. See <a href="https://flask.palletsprojects.com/en/2.2.x/server/#address-already-in-use">this</a> link for how to handle that.
</div>

You will notice that the server above is only accessible from your own computer, not from any other in the network. This is the default because in debugging mode a user of the application can execute arbitrary Python code on your computer. In a production environment, after developing your application, you’ll want to make it available publicly to other users. We will not cover this in this notebook. Yet, you can find detailed guidelines on how to deploy your application to production [here](https://flask.palletsprojects.com/en/2.2.x/deploying/).

#### Troubleshooting

If when executing your code you get a message saying that `Address is already in use`, you will need to *kill* the process already running in your port. To do that, you can either check the `Running` tab in JupyterLab and `Shutdown` all the running processes. Or, you can kill every process directly from the terminal by calling `kill -9 $(lsof -t -i:5000)`.

#### Making your first requests

As is, your API is already up and running.

<div class="alert alert-info">
    <b>Exercise 1</b> Write the code to make a request to your API at <a href="http://localhost:5000/">http://localhost:5000/</a>. Check both the status code and the obtained response.
</div>

In [2]:
import requests

requests.get('http://localhost:5000/').json()

{'status': 200, 'response': 'Hello world'}

<div class="alert alert-info">
    <b>Exercise 2</b> Write the code to modify the status code returned by your <i>HelloWorld</i> resource to be 400. Then, make a new request to your api and check the response. What do you obtain?
</div>

In [5]:
requests.get('http://localhost:5000/').json()

{'status': 400, 'response': 'Hello world'}

<div class="alert alert-info">
    <b>Exercise 3</b> Write the code to modify the code above such that the <i>HelloWorld</i> resource is routed to the <b>'hello'</b> url and endpoint. Then, rebuild your request once again. What changed?
</div>

In [6]:
requests.get('http://localhost:5000/hello').json()

{'status': 400, 'response': 'Hello world'}

Now that the basics are clear, let's get to work.

### Putting your learnings to practice

As mentioned above, the objective of this notebook will be for you to set up an api that enables interaction with the ```products.csv``` database. You can find a snippet of this dataset below:

<img src="https://www.dropbox.com/s/v8io0khbky3amif/Screenshot%202022-09-29%20at%2015.47.48.png?dl=1" width="500">

The dataset includes the fields below:

- **productId** refers to each products' unique identifier, in `int`  form
- **productName** refers to each product's name tage, in `str` form
- **brand** refers to each product's brand, in `str` form
- **color** refers to each product's color, in `str` form
- **size** refers to each product's size, in `int` form
- **price** refers to each product's unitary price, in `int` form
- **stock** refer to each product's availability in stock, in `int` form

In what follows you are going to write the code to create an api that allows users to inspect the information in `products.csv`, to retrieve information about selected entries and to modify them, as well as to add new entries and to delete existing ones. We will start small and build from there.

#### Implementing a get method

Let's begin by setting up you api and implementing a `get` method.

<div class="alert alert-info">
    <b>Exercise 4</b> Write the code to create an application called <i>app</i> that includes a single resource <b>Products</b> routed to the <i>/products</i> url and the <i>products</i> endpoint. Implement a <b>get</b> method for the Products resource that returns the full <i>products.csv</i> database as shown in the image below.
    <img src="https://www.dropbox.com/s/1v7qnv65rfruwlz/Screenshot%202022-09-29%20at%2015.49.51.png?dl=1" width="700">
</div>

<div class="alert alert-warning">
You can read more on how to read a csv file using the pandas library <a href="https://pandas.pydata.org/docs/reference/api/pandas.read_csv.html">here</a>. To properly format your response you will need to parse the resulting dataframe into dictionary, as discussed <a href="https://pandas.pydata.org/docs/reference/api/pandas.read_csv.html">here</a>.
</div>

<div class="alert alert-warning">
Pay special attention to the way in which the data should be returned.
</div>

As is, your API will return the whole dataset in response to a get request. However, the user may wish to view only a single record. This means that we will need to define a parameter that takes this information from the user. This process is known as **Request Parsing** and can be done using the ```reqparse``` module from ```flask_restful```. Let's take a look at an example usage below.

In [7]:
import pandas as pd
df = pd.read_csv('products.csv')
df

Unnamed: 0,productId,productName,brand,color,size,price,stock
0,10261,Veja Campo Trainers,Veja,Gray,37,150,3
1,10262,Veja Campo Trainers,Veja,Gray,38,150,0
2,10263,Veja Campo Trainers,Veja,Gray,39,150,1
3,10264,Veja Campo Trainers,Veja,Gray,40,150,2
4,10265,Veja Campo Trainers,Veja,Gray,41,150,1
5,10161,Veja Campo Trainers,Veja,Beige,37,130,5
6,10162,Veja Campo Trainers,Veja,Beige,38,130,5
7,10163,Veja Campo Trainers,Veja,Beige,39,130,3
8,10164,Veja Campo Trainers,Veja,Beige,40,130,4
9,10165,Veja Campo Trainers,Veja,Beige,41,130,3


In [11]:
requests.get('http://localhost:5000/products').json()

{'status': 400,
 'response': [{'productId': 10261,
   'productName': 'Veja Campo Trainers',
   'brand': 'Veja',
   'color': 'Gray',
   'size': 37,
   'price': 150,
   'stock': 3},
  {'productId': 10262,
   'productName': 'Veja Campo Trainers',
   'brand': 'Veja',
   'color': 'Gray',
   'size': 38,
   'price': 150,
   'stock': 0},
  {'productId': 10263,
   'productName': 'Veja Campo Trainers',
   'brand': 'Veja',
   'color': 'Gray',
   'size': 39,
   'price': 150,
   'stock': 1},
  {'productId': 10264,
   'productName': 'Veja Campo Trainers',
   'brand': 'Veja',
   'color': 'Gray',
   'size': 40,
   'price': 150,
   'stock': 2},
  {'productId': 10265,
   'productName': 'Veja Campo Trainers',
   'brand': 'Veja',
   'color': 'Gray',
   'size': 41,
   'price': 150,
   'stock': 1},
  {'productId': 10161,
   'productName': 'Veja Campo Trainers',
   'brand': 'Veja',
   'color': 'Beige',
   'size': 37,
   'price': 130,
   'stock': 5},
  {'productId': 10162,
   'productName': 'Veja Campo Traine

As before, let's break down this code to uderstand the different bits and pieces.

```from flask_restful import reqparse```
> Imports the ```reqparse``` module from ```flask_restful```.

```parser = reqparse.RequestParser()```
> Creates an object called ```parser```, which is an instance of the ```RequestParser``` class.

```parser.add_argument('productId', type=int, help='Product identifier', required=False)```
> Calls method ```add_argument``` to define a new parameter for the get request. In particular, it defines a parameter called ```'productId'```, which accepts a value of type ```int```. The ```help``` attribute provides explanatory information to the user in case the provided parameter is invalid, while the ```required``` choice specifies whether we want this parameter to be always included for a valid request or not. In our case, the values is set to ```False```, which means that this parameter is optional. You can read more about the `Argument` class [here](https://flask-restful.readthedocs.io/en/latest/api.html#reqparse.Argument).

The best way to understand the changes is to interact with the API.

<div class="alert alert-info">
    <b>Exercise 5</b> Write the code to make a get request to the <b>products</b> endpoint of your api. Check what the responses you obtain when including a value for the <i>productId</i> parameter as part of the request body or when leaving it blank.
</div>

In [31]:
response = requests.get('http://localhost:5000/products',params={'productId':101})

In [32]:
response.json()

{'message': 'Internal Server Error'}

In its current version, our api will accept a parameter ```productId``` but won't really use it. Let's rewrite our code so that the api returns the corresponding entry whenever a value is informed for this parameter.

<div class="alert alert-info">
    <b>Exercise 6</b> Write the code to modify your code above, such that whenever a value is given for the <b>productId</b> parameter you api returns only the data corresponding to that entry. When doing so, make sure that a 404 error is raised with the message <i>'Incorrect value ID for productId.'</i>, for ID the provided productId, whenever the provided productId is not found in the database.
</div>

In [33]:
requests.get('http://localhost:5000/products')

<Response [500]>

<div class="alert alert-danger">
    <b>Bonus 1</b> Write the code to modify your code above, such that your api accepts a <i>list</i> of <b>productId</b> values instead of a unique value. Your api should then return the data for all the corresponding entries simultaneously in json format as above. When doing so, make sure that a 404 error is raised with the message <i>'Incorrect value for productId'</i> whenever a provided productId is not found in the database.
</div>

In [None]:
# YOUR CODE HERE

Well done! That's it for the ```get``` method for now. Now, let's discuss how to implement a ```post``` method for our api.

#### Implementing a post method

Ideally, we would want our user to be able to add new entries to our database. This will require that the user provides values for the necessary fields and that we can modify the existing file to include the new information.

<div class="alert alert-info">
    <b>Exercise 7</b> Write the code to modify your code above to include a <b>post</b> method that enables the user to create a new instance in the dataset. When doing so, make sure that an error in raised whenever the user fails to provide information for one of the fields. Your code should modify the existing DataFrame, save the modified version and return the new entry as a response. When doing so, make sure your code returns the message <i>'ID already exists'</i>, for ID the provided productID, whenever the user is trying to create a new entry with an id which is already in use.
</div>

In [None]:
df = pd.read_csv('products.csv')
args = {'productId': 10200,'productName':'hh','size':37,'brand':'hh','color':'red','size':4,'stock':120,'price':120}

Now check that your code is correct.

<div class="alert alert-info">
    <b>Exercise 8</b> Write the code to make a post request to the <b>products</b> endpoint of your api and create a new entry with productId 10260, productName 'Veja Campo Trainers', brand 'Veja', color 'Gray', size 36, price 150 and stock 3.
</div>

In [35]:
requests.post('http://localhost:5000/products',params={'productId': 10200,'productName':'hh','size':37,'brand':'hh','color':'red','size':37,'stock':4,'price':120})

<Response [405]>

<div class="alert alert-danger">
    <b>Bonus 2</b> Write the code to modify your solution above, such that your api accepts <i>incomplete</i> requests. In particular, allow post requests where the <b>productId</b> is missing. Manually fill in the corresponding values according to the criteria below.
    <ul>
        <li>The first two digits of the <i>productId</i> correspond to the brand: 10 for <i>Veja</i>, 20 for <i>New Balance</i>, 30 for <i>Adidas</i>.</li>
        <li>The third digit of the <i>productId</i> corresponds to the color: 0 for <i>White</i>, 1 for <i>Beige</i>, 2 for <i>Gray</i>, 3 for <i>Dark Gray</i>, 4 for <i>Black</i>, 5 for <i>Blue</i>, 6 for <i>Green</i>.</li>
        <li>The fourth digit of the <i>productId</i> corresponds to the productName: 1 for <i>Adidas Forum 84 Hi Trainers</i>, 2 for <i>New Balance 237 Trainers</i>, 3 for <i>New Balance 5740 Trainers</i>, 4 for <i>New Balance 327 Trainers</i>, 5 for <i>Veja Venturi Trainers</i> and 6 for <i>Veja Campo Trainers</i>.</li>
        <li>The last digit of the <i>productId</i> corresponds to the size: 0 for 36, 1 for 37, 2 for 38, 3 for 39, 4 for 40, 5 for 41, 6 for 42, 7 for 43, 8 for 44 and 9 for 45.
    </ul>
</div>

In [None]:
# YOUR CODE HERE

Our database includes information about different products and their current availability through the ```stock``` field. Availability of the different products will probably change based on purchases. Hence, our api should enable a method that modifies the stock of existing entries whenever an item is sold. That is, it should include a ```put``` method.

#### Implementing a put method

Let's implement a method that enables user to modify the value of the `stock` attribute for a given entry.

<div class="alert alert-info">
    <b>Exercise 9</b> Write the code to implement a put method for your api. Your request should take a <b>productId</b> and a new <b>stock</b> value and update the corresponding entry. It should return the modified entry as a response.
</div>

In [None]:
# YOUR CODE HERE

The method above assumes the user can provide the updated `stock` value directly. Often, however, the user will only be able to inform the number of purchases for the considered item so that the `stock` would have to be updated accordingly. Let's try an implement this option too as part of the put method for our `products` resource.

<div class="alert alert-info">
    <b>Exercise 10</b> Write the code to modify your solution above. Your api should allow put requests to the <i>products</i> resource that include a <b>productId</b> and either a new <b>stock</b> value or a <b>modifier</b> value, or both, and update the corresponding entry. It should return the modified entry as a response.
</div>

In [None]:
# YOUR CODE HERE

Now check that your code is correct.

<div class="alert alert-info">
    <b>Exercise 11</b> Write the code to make a post request to the <b>products</b> endpoint of your api and modify entry with id 10261 so that the new <i>stock</i> value is 2.

In [None]:
# YOUR CODE HERE

You are almost there. Only thing left to do is implement a `delete` method to enable full removal of entries from the database.

#### Implementing a delete method

Sometimes we may wish to completely remove a product from our catalogue. In such cases, enabling the user to make a `delete` request may come in handy.

<div class="alert alert-info">
    <b>Exercise 12</b> Write the code to implement a delete request for your api. When doing so, require the user to provide a valid <i>productID</i> and delete the corresponding entry from the database. Return the modified dataset as a response.</div>

In [None]:
# YOUR CODE HERE

Now check that your code is correct.

<div class="alert alert-info">
    <b>Exercise 13</b> Write the code to make a delete request to the <b>products</b> endpoint of your api and remove entry with id 10260 created above.</div>

In [None]:
# YOUR CODE HERE

<div class="alert alert-danger">
    <b>Bonus 3</b> Write the code to modify your code above, such that your api enables deletion based on attributes other than solely the <i>productId</i>. In particular, modify your code so that your delete method also enables deletion of several entries at the same time based on <b>brand</b> or <b>size</b>.
</div>

In [None]:
# YOUR CODE HERE

Looks like you are all set. You can now put it all together to create a final version of your api.

### Adding an authentication scheme

Currently, anyone can read, add, delete and update the products in our application. Now, let's learn how we can restrict the creation of products by any untrusted person (**Authentication**). Also, we will learn how to implement **Authorization** so that only the person who added the product in our application can delete/modify it.

To implement these features, first of all, we must create a new database to store the user information. So, let's do it. Similar to our ```products``` database we are going to create a ```users``` database, such that whenever a user signs up, a new user entry is created with fields `email` and `password`.

<div class="alert alert-info">
    <b>Exercise 14</b> Write the code to create an empty DataFrame called <i>df</i> that includes columns <b>email</b> and <b>password</b>. Then export the DataFrame to a new file called <b>users.csv</b>.</div>

In [42]:
# YOUR CODE HERE

#### Creating a resource for signing up

To allow users to sign up by using an email and a password ee will create a new resource called `SignUp`. When doing so, we want users to be able to create new entries in our `users.csv` database, but not view the full list of records nor make changes to it. Hence, we will only implement a `post` method for this resource.

<div class="alert alert-info">
    <b>Exercise 15</b> Write the code to add a new resource called <b>SignUp</b> to your api and routes it to the <i>/signup</i> url and <i>signup</i> endpoint. This resource should implement a <b>post</b> method that takes an <i>email</i> and a <i>password</i> from the user and adds a new entry with this information to the <i>user.csv</i> database. It should return the message <i>Successfully signed up</i> upon completion of the process.</div>

In [None]:
# YOUR CODE HERE

Now check that your code is correct.

<div class="alert alert-info">
    <b>Exercise 16</b> Write the code to make a post request to the <b>signup</b> endpoint and sign up using an email and password of your choosing.</div>

In [None]:
# YOUR CODE HERE

Let's now think on this for a bit. Saving passwords in a plain string field is actually a terrible idea. Even if we don't allow direct access to our database, somebody might get access to it and then all user passwords would be exposed. To prevent that from happening, we are going to **hash** our passwords to some cryptic form so that nobody can find them easily.

Hashing is the process of transforming any given key or string of characters into another value. This is usually represented by a shorter, fixed-length value or key that represents and makes it easier to find or employ the original string. For hashing our passwords we are going to use a popular hashing function called `bcrypt`. Luckyly for us, we won't need to implement this function ourselves. Instead, we are going to use a flask extension called `flask-bcrypt` for this. You can read all about it [here](https://flask-bcrypt.readthedocs.io/en/latest/).

Run the cell below to manually install it.

<div class="alert alert-warning">
    As before, remember that this cell need only be executed the first time you open this notebook. After you install the library, you will be able to import it anytime you need it.
</div>

In [None]:
pip install flask_bcrypt

We are going to use two methods from `flask_bcrypt`. For starters, we are going to create a password hash using the `generate_password_hash()` function. Later on, we are going to check if the password used by the user to login generates the hash which is equal to the password saved in the database using the `check_password_hash()` function.

For now, let's initialize `flask_bcrypt` in your api. You can do so by importing class `Bcrypt` and instantiating an object of this class with your app as its unique attribute. Once having done that, modify your code above to enable hashing of the password in the `post` method for the `SignUp` resource.


<div class="alert alert-info">
    <b>Exercise 17</b> Write the code to initialize <i>bcrypt</i> in your app. Then, modify your code above such that the post method in your <i>signup</i> endpoint saves the user email and the password hash instead of the original password.</div>

In [None]:
# YOUR CODE HERE

Now repeat the same process as before to sign up as a new user. This time, your code should store the password hash instead of the password itself in the lookup table `users.csv`.

<div class="alert alert-info">
    <b>Exercise 18</b> Write the code to make a post request to the <b>signup</b> endpoint and sign up using an email and password of your choosing.</div>
    
<div class="alert alert-warning">
    Note that if you haven't removed the previously created entry from your <i>users.csv</i> dataset, the api may return an error message when trying to sign up using the same email.</div>

In [None]:
# YOUR CODE HERE

Alright, we have created the functionality of creating a user through `SignUp`, now we need to be able to login as that user. 

#### Creating a resource for logging in

For logging users into a website, we need functionality to verify if the user is who they claim them to be. Requiring users to send their email and password every time they need to do something on the website doesn't seem like the best idea. Instead, we are going to add a functionality such that once a user is logged in they are given a **token** that they can use to interact with the api.

There are many methods for working with token-based authentication. Here, we are going to use [JSON Web Token](https://jwt.io/introduction/) or JWT. To use JWT, you will need to install yet another flask extension called `flask-jwt-extended`. Do so by running the cell below.

In [None]:
pip install flask_jwt_extended

The first step to using JWT is initializing it to the app. To do so, you will need to import the class `JWTManager`  from `flask_jwt_extended` and instantiate an object using your app as an attribute. This will unlock all JWT functionalities. In particular, to generate user tokens our `JWTManager` will combine a user value defined by us together with a secret-key that we provide. The secret-key we use to create a JWT can be anything, but should preferably be something hard to guess.

The code below initializes the JWT functionality and includes a value for the secret-key as part of our apps configuration under the name `JWT_SECRET_KEY`.

<div class="alert alert-info">
    <b>Exercise 19</b> Modify the code below to create a secret-key of your choosing and copy it to your script.</div>

The code above will allow us to generate access tokens for users whenever their log in credentials are verified by our system. With this, we are finally ready to implement our `login` endpoint.

We are going to implement a single `get` method for this endpoint. The method should require the user to provide their email and password. It should then search for the user with the given email in the `users.csv` database and check if the password sent is the same as the hashed password saved in the database. You can do so using the `check_password_hash` function from `flask_bcrypt`.

If the password and email are correct an access token should be created for the user. To do so, you will need to import function `create_access_token` from `flask_jwt_extended`. This function takes two values as input. The first, `identity`, corresponds to a unique value assigned to each user. This value can be anything we want as long as it is unique and allows us to identify each user. The second value, `expires_delta` defines the duration of the token. Remember that access tokens are meant to expire in time. This parameter controls the time during which a token will be valid for authentication purposes. 

<div class="alert alert-info">
    <b>Exercise 20</b> Write the code to add a <b>LogIn</b> resource for your app. This resource should be routed to url <i>/login</i> and endpoint <i>login</i>. Implement a <b>get</b> method for this resource. Require the user to provide their <i>email</i> and <i>password</i> and write the code to check whether the provided password hash corresponds to the one stored in our <i>user.csv</i> database. If it is, write the code to create an access token which uses the index of the considered user entry in the <i>users.csv</i> database as identidier and which expires in 1 day.</div>

<div class="alert alert-warning">
    In order to define an id for you will need to retrieve the index for each user. Remember that this is a value which is automatically assigned by pandas to every entry in a DataFrame. You can read more about indexing in Pandas <a href="https://pandas.pydata.org/docs/user_guide/indexing.html">here</a>.
</div>

<div class="alert alert-warning">
    To set the duration of the tokens you will need to provide a timestamp value in the right format. You can use the <i>timedelta</i> method from <i>datetime</i> library for that purpose. Rea dmore about this feature <a href="https://docs.python.org/3/library/datetime.html">here</a>.
</div>

In [None]:
# YOUR CODE HERE

<div class="alert alert-info">
    <b>Exercise 21</b> Write the code to make a get request to the <b>login</b> endpoint and log in using your email and password and retrieve your access token. Save your token to a new variable called <b>access_token</b>.</div>

In [None]:
# YOUR CODE HERE

You are almost done now. Only thing left to do is restrict an unauthorized user from adding, editing and deleting the products in our application. To do that, let's add `@jwt_required()` decorator from `flask_jwt_extended` to our endpoints. This protects our endpoints from invalid or expired jwt. 

<div class="alert alert-info">
    <b>Exercise 22</b> Write the code to add the <b>@jwt_required()</b> decorator to the post, put and delete methods. Then make a delete request to the <b>products</b> endpoint using your token and remove entry with <i>productId</i> 20339. What response do you obtain?</div>

In [None]:
# YOUR CODE HERE

To gain access to the methods above, users will have to provide their `access_token` together with all the other required attributes as part of their requests. This will require that you modify the code for your methods to include this information.

<div class="alert alert-info">
    <b>Exercise 23</b> Modify your code for the <b>put</b>, <b>post</b> and <b>delete</b> methods of the <i>products</i> resource, such that users provide a value for argument <i>Authorization</i> as part of the headers of their request.</div>

In [None]:
# YOUR CODE HERE

Now check that everything works as expected.

<div class="alert alert-info">
    <b>Exercise 24</b> Write the code to add the <b>@jwt_required()</b> decorator to the post, put and delete methods. Then make a delete request to the <b>products</b> endpoint using your token and remove entry with <i>productId</i> 20339. What response do you obtain?</div>

In [None]:
# YOUR CODE HERE