### Authentication

The ability for users to log in to your application is one of the most common features you will add to your web application.

This notepad covers how to add authentication to your Flask application using the Flask-Login package.


Here is a diagram that gives an idea of what your project's file structure will look like after completing the tutorial:

```
.
└── flask_auth_app
    └── project
        ├── __init__.py       # setup our app
        ├── auth.py           # the auth routes for our app
        ├── db.sqlite         # our database
        ├── main.py           # the non-auth routes for our app
        ├── models.py         # our user model
        └── templates
            ├── base.html     # contains common layout and links
            ├── index.html    # show the home page
            ├── login.html    # show the login form
            ├── profile.html  # show the profile page
            └── signup.html   # show the signup form
```

### Step 1 — Packages

We will need three main packages for this task:

- Flask

- Flask-Login: to handle user sessions after authentication

- Flask-SQLAlchemy: to represent the user model and as an interface to our database

First, let's start by creating the project directory:

In [None]:
mkdir flask_auth_app

Then, create a new virtual environment (using anaconda):

In [None]:
conda create -n flask_auth

Install the required packages:

In [None]:
conda install flask flask-login

Let's begin by creating a new directory in our folder:

In [None]:
mkdir project

### Step 2 - Main Application

And let's create a file `project/__init__.py` or `project/app.py`.

This file will have the function of creating our application, which will initialize the database and register our blueprints. 

This doesn't do much right now, but it's needed for the rest of our application. 

We need to initialize SQLAlchemy, set some configuration values, and register our blueprints.

In [None]:
# project/app.py

from flask import Flask

def create_app():
    app = Flask(__name__)
    app.config['SECRET_KEY'] = 'secret-key-goes-here'
    app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///db.sqlite'

    # blueprint for auth routes in our app
    from auth import auth as auth_blueprint
    app.register_blueprint(auth_blueprint)

    # blueprint for non-auth parts of app
    from main import main as main_blueprint
    app.register_blueprint(main_blueprint)

    return app

app = create_app()
app.run()

### Step 3 — Adding Routes

We use two blueprints for our routes.

For our main blueprint, we have a home page (/) and a profile page (/profile) for after login.

If the user tries to access the profile page without being logged in, they will be redirected to the login route.

In [None]:
# project/main.py

from flask import Blueprint, render_template

main = Blueprint('main', __name__)

@main.route('/')
def index():
    return render_template('index.html')

@main.route('/profile')
def profile():
    return render_template('profile.html')

In [None]:
# project/auth.py

from flask import Blueprint

auth = Blueprint('auth', __name__)

@auth.route('/login')
def login():
    return 'Login'

@auth.route('/signup')
def signup():
    return 'Signup'

@auth.route('/logout')
def logout():
    return 'Logout'

In a terminal, run:

In [None]:
export FLASK_APP=project
export FLASK_DEBUG=1

Make sure, you're in the directory `flask_auth_app` and run:

In [None]:
flask run

### Step 4 — Creating templates

Let's move on to creating the templates that will be used in our application.

This is the first step before we can implement the actual login functionality.

Our application uses four templates:

- index.html

- profile.html

- login.html

- signup.html

For now, create a new folder in `/project`:

In [None]:
mkdir templates

And create the following files:

In [None]:
<!-- project/templates/base.html -->
<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Flask Auth Example</title>
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/bulma/0.7.2/css/bulma.min.css" />
</head>

<body>
    <section class="hero is-primary is-fullheight">

        <div class="hero-head">
            <nav class="navbar">
                <div class="container">

                    <div id="navbarMenuHeroA" class="navbar-menu">
                        <div class="navbar-end">
                            <a href="{{ url_for('main.index') }}" class="navbar-item">
                                Home
                            </a>
                            <a href="{{ url_for('main.profile') }}" class="navbar-item">
                                Profile
                            </a>
                            <a href="{{ url_for('auth.login') }}" class="navbar-item">
                                Login
                            </a>
                            <a href="{{ url_for('auth.signup') }}" class="navbar-item">
                                Sign Up
                            </a>
                            <a href="{{ url_for('auth.logout') }}" class="navbar-item">
                                Logout
                            </a>
                        </div>
                    </div>
                </div>
            </nav>
        </div>

        <div class="hero-body">
            <div class="container has-text-centered">
               {% block content %}
               {% endblock %}
            </div>
        </div>
    </section>
</body>

</html>

In [None]:
<!-- project/templates/index.html -->


{% extends "base.html" %}

{% block content %}
<h1 class="title">
  Flask Login Example
</h1>
<h2 class="subtitle">
  Easy authentication and authorization in Flask.
</h2>
{% endblock %}

In [None]:
<!-- project/templates/login.html -->

{% extends "base.html" %}

{% block content %}
<div class="column is-4 is-offset-4">
    <h3 class="title">Login</h3>
    <div class="box">
        <form method="POST" action="/login">
            <div class="field">
                <div class="control">
                    <input class="input is-large" type="email" name="email" placeholder="Your Email" autofocus="">
                </div>
            </div>

            <div class="field">
                <div class="control">
                    <input class="input is-large" type="password" name="password" placeholder="Your Password">
                </div>
            </div>
            <div class="field">
                <label class="checkbox">
                    <input type="checkbox">
                    Remember me
                </label>
            </div>
            <button class="button is-block is-info is-large is-fullwidth">Login</button>
        </form>
    </div>
</div>
{% endblock %}

In [None]:
<!-- project/templates/signup.html -->

{% extends "base.html" %}

{% block content %}
<div class="column is-4 is-offset-4">
    <h3 class="title">Sign Up</h3>
    <div class="box">
        <form method="POST" action="/signup">
            <div class="field">
                <div class="control">
                    <input class="input is-large" type="email" name="email" placeholder="Email" autofocus="">
                </div>
            </div>

            <div class="field">
                <div class="control">
                    <input class="input is-large" type="text" name="name" placeholder="Name" autofocus="">
                </div>
            </div>

            <div class="field">
                <div class="control">
                    <input class="input is-large" type="password" name="password" placeholder="Password">
                </div>
            </div>

            <button class="button is-block is-info is-large is-fullwidth">Sign Up</button>
        </form>
    </div>
</div>
{% endblock %}

In [None]:
<!-- project/templates/profile.html -->


{% extends "base.html" %}

{% block content %}
<h1 class="title">
  Welcome, Anthony!
</h1>
{% endblock %}

Next, update `main.py` by changing the import line and routes for index and profile:

In [None]:
# project/main.py
from flask import Blueprint, render_template

main = Blueprint('main', __name__)

@main.route('/')
def index():
    return render_template('index.html')

@main.route('/profile')
def profile():
    return render_template('profile.html')

Now update `auth.py` by changing the import line and routes for login and signup:

In [None]:
# project/auth.py

from flask import Blueprint, render_template

auth = Blueprint('auth', __name__)

@auth.route('/login')
def login():
    return render_template('login.html')

@auth.route('/signup')
def signup():
    return render_template('signup.html')

@auth.route('/logout')
def logout():
    return 'Logout'

### Step 5 - Setting up the database

We need to create a new table in our database to save information about users.

Run the following in the directory `project`:

In [None]:
import sqlite3

con = sqlite3.connect("login.db")
cur = con.cursor()

def create_table():
    cur.execute("CREATE TABLE user(email, password, name)")

### Step 6 — Creating User Models

Our user model represents what it means for our application to have a user.

We have fields for an email address, a password and a name.

Let's go ahead and create this user model:

In [None]:
# project/models.py
import sqlite3
    
class User():
    def __init__(self, db_file):
       self.file = db_file

    def new_user(self, mail, password, name):
        con = sqlite3.connect(self.file) 
        cur = self.con.cursor()
        cur.execute(f"""
                         INSERT INTO user VALUES
                         ('{mail}', '{password}', '{name}')
                         """)
        con.commit()
        con.close()

### Step 7 - Adding Signup Method

In [None]:
# project/auth.py
from flask import Blueprint, render_template, redirect, url_for, request
from models import Login

auth = Blueprint('auth', __name__)

LoginDB = Login("project/login.db")

@auth.route('/login')
def login():
    return render_template('login.html')

@auth.route('/logout')
def logout():
    return 'Logout'

@auth.route('/signup')
def signup():
    return render_template('signup.html')

@auth.route('/signup', methods=['POST'])
def signup_post():
    email = request.form.get('email')
    name = request.form.get('name')
    password = request.form.get('password')

    # create a new user with the form data. Hash the password so the plaintext version isn't saved.
    LoginDB.new_user(email, password, name)

    return redirect(url_for('auth.login'))

### Step 8 - Check if user exists

In [None]:
# project/models.py
import sqlite3
    
class Login():
    def __init__(self, db_file):
       self.file = db_file

    def new_user(self, mail, password, name):
        con = sqlite3.connect(self.file) 
        cur = con.cursor()
        res = cur.execute(f"SELECT email FROM user WHERE email='{mail}'")
        if res.fetchone() is not None:
            # already exists
            con.commit()
            con.close()
            return False
        # create new user
        cur.execute(f"""
                         INSERT INTO user VALUES
                         ('{mail}', '{password}', '{name}')
                         """)
        con.commit()
        con.close()
        return True

In [None]:
# project/auth.py
from flask import Blueprint, render_template, redirect, url_for, request, flash
from models import Login

auth = Blueprint('auth', __name__)

LoginDB = Login("project/login.db")

@auth.route('/login')
def login():
    return render_template('login.html')

@auth.route('/logout')
def logout():
    return 'Logout'

@auth.route('/signup')
def signup():
    return render_template('signup.html')

@auth.route('/signup', methods=['POST'])
def signup_post():
    email = request.form.get('email')
    name = request.form.get('name')
    password = request.form.get('password')

    # create a new user with the form data. Hash the password so the plaintext version isn't saved.
    new_user = LoginDB.new_user(email, password, name)

    if not new_user:
        flash('Email address already exists')
        return redirect(url_for('auth.signup'))

    return redirect(url_for('auth.login'))

Add this to `signup.html` right before the form:

{% with messages = get_flashed_messages() %}
        {% if messages %}
        <div class="notification is-danger">
            {{ messages[0] }}. Go to <a href="{{ url_for('auth.login') }}">login page</a>.
        </div>
        {% endif %}
        {% endwith %}

### Step 9 — Testing the registration method

Now that we have completed the registration method, we should be able to create a new user.

Use the form to create a user.

### Step 10 — Add Login Method

The login method is similar to the registration feature in that we take the user information and do something with it.

In this case, we compare the entered email address to see if it is in the database.

Once the user passes password verification, we know they have the correct credentials and we can log in with Flask login.

By calling login_user, Flask-Login creates a session for that user that persists while the user remains logged in, allowing the user to view protected pages.

We can start with a new route for handling the POSTed files. If the user logs in successfully, we redirect to the profile page.

In [None]:
# project/models.py
import sqlite3
    
class Login():
    def __init__(self, db_file):
       self.file = db_file

    def new_user(self, mail, password, name):
        con = sqlite3.connect(self.file) 
        cur = con.cursor()
        res = cur.execute(f"SELECT email FROM user WHERE email='{mail}'")
        if res.fetchone() is not None:
            con.commit()
            con.close()
            return False
        cur.execute(f"""
                         INSERT INTO user VALUES
                         ('{mail}', '{password}', '{name}')
                         """)
        con.commit()
        con.close()
        return True
    
    def login(self, mail, password):
        con = sqlite3.connect(self.file) 
        cur = con.cursor()
        for row in cur.execute(f"SELECT email, password FROM user WHERE email='{mail}'"):
            password_db = row[1]
        con.close()
        return password == password_db

Add this before the form in `login.html`:

{% with messages = get_flashed_messages() %}
{% if messages %}
    <div class="notification is-danger">
        {{ messages[0] }}
    </div>
{% endif %}
{% endwith %}

### Step 10 — Protect Pages

If your name is not also Anthony, you will find that your name is incorrect.

We want the profile to display the name in the database. 

So first we need to protect the page and then access the user's data to get the name.

To protect a page when using Flask-Login, we add the @login_requried decorator between the route and the function. This prevents a user who is not logged in from seeing the route. If the user is not logged in, the user will be redirected to the login page according to the Flask login configuration.

For routes that have the @login_required decorator, we then have the option of using the current_user object within the function. This current_user represents the user from the database and we can access all the attributes of this user using dot notation. For example, current_user.email, current_user.password and current_user.name, and current_user.id return the actual values stored in the database for the logged in user.

Let's use the current user's name and send it to the template. Then we use that name and display its value.

In [None]:
# add this to project/main.py

@main.route('/profile')
@login_required
def profile():
    return render_template('profile.html', name=current_user.name)

Change `project/templates/profile.html` to:

In [None]:
<!-- templates/profile.html -->


{% extends "base.html" %}

{% block content %}
<h1 class="title">
    Welcome, {{ name }}!
</h1>
{% endblock %}

Add this to `project/auth.py`:

In [None]:
from flask_login import login_user, logout_user, login_required
...
@auth.route('/logout')
@login_required
def logout():
    logout_user()
    return redirect(url_for('main.index'))

Replace the navbar-end tag in `project/templates/base.html` with:

In [None]:
<div class="navbar-end">
    <a href="{{ url_for('main.index') }}" class="navbar-item">
        Home
    </a>
    {% if current_user.is_authenticated %}
    <a href="{{ url_for('main.profile') }}" class="navbar-item">
        Profile
    </a>
    {% endif %}
    {% if not current_user.is_authenticated %}
    <a href="{{ url_for('auth.login') }}" class="navbar-item">
        Login
    </a>
    <a href="{{ url_for('auth.signup') }}" class="navbar-item">
        Sign Up
    </a>
    {% endif %}
    {% if current_user.is_authenticated %}
    <a href="{{ url_for('auth.logout') }}" class="navbar-item">
        Logout
    </a>
    {% endif %}
</div>