Large app how to

Jon Stutters edited this page Jul 28, 2015 · 64 revisions
Clone this wiki locally

This document is unofficial! It includes advice taken from many unofficial resources and never went through some sort of review process. The practices described here may be useful, but at the same time they might be dangerous too. Please keep that in mind, and do NOT add any additional information to this document. Instead, use your own site or blog. This page is kept just because many StackOverflow answers still refer to it.

This document is an attempt to describe the first step of a large project structure with flask and some basic modules:

  • SQLAlchemy
  • WTForms

Please feel free to fix and add your own tips.



Flask Installation
I recommend using virtualenv: it is easy and allows multiple environments on the same machine and doesn't even require you to have super user rights on the machine (as the libs are locally installed).


SQLAlchemy provides an easy and advanced way to serialize your object to different types of relational databases. In your virtualenv, install Flask-SQLAlchemy from pip:

pip install flask-sqlalchemy

More here about the Flask-SQLAlchemy package


WTForms provides an easy way to handle user's data submission.

pip install Flask-WTF

More here about the Flask-WTF package


Ok, so from now, we should have all the libs ready. Here are the folder structures:


For every module (or sub app... ) we'll have this file structure (here for the users module)


For every module that needs templating (jinja) we store those in the templates folder + module directory.


You should serve your static files with a dedicated http server, but during the development, we'll let flask serve them. Flask will automagically serve static files from the static/ folder. If you want to use another folder... you can read about that here:


We'll create 4 modules, a user module (manage user's registration, login, lost password, profile edit and maybe third-party login/registration) an emails module intended to be used by a queuing server, and a posts and comments modules.


/ will be used to launch the web server.

    from app import app

/ will allow you to get a console and enter commands within your flask environment. Maybe not as nice as debugging with pdb, but always useful (when you will initialize your database).

    #!/usr/bin/env python
    import os
    import readline
    from pprint import pprint

    from flask import *
    from app import *

    os.environ['PYTHONINSPECT'] = 'True'

/ will be storing all the module configurations. Here, the database is setup to use SQLite, because it's a very convenient dev env database. Most likely / won't be a part of your repository and will be different on your test and production servers.

    import os
    _basedir = os.path.abspath(os.path.dirname(__file__))

    DEBUG = False

    ADMINS = frozenset([''])
    SECRET_KEY = 'This string will be replaced with a proper key in production.'

    SQLALCHEMY_DATABASE_URI = 'sqlite:///' + os.path.join(_basedir, 'app.db')


    WTF_CSRF_SECRET_KEY = "somethingimpossibletoguess"

    RECAPTCHA_OPTIONS = {'theme': 'white'}
  • _basedir is a trick for you to get the folder where the script runs
  • DEBUG indicates that it is a dev environment, you'll get the very helpful error page from flask when an error occurs.
  • SECRET_KEY will be used to sign cookies. Change it and all your users will have to login again.
  • ADMINS will be used if you need to email information to the site administrators.
  • SQLALCHEMY_DATABASE_URI and DATABASE_CONNECT_OPTIONS are SQLAlchemy connection options (hard to guess)
  • THREADS_PER_PAGE my understanding was 2/core... might be wrong :)
  • WTF_CSRF_ENABLED and WTF_CSRF_SECRET_KEY are protecting against form post fraud
  • RECAPTCHA_* WTForms comes with a RecaptchaField ready to use... just need to go to recaptcha website and get your public and private key.

First module

We'll start with the users modules. In order, we'll define the models, the constants linked to this model, the form and finally the first view and its template.

First model (and its constants file)

The /app/users/

    from app import db
    from app.users import constants as USER

    class User(db.Model):

        __tablename__ = 'users_user'
        id = db.Column(db.Integer, primary_key=True)
        name = db.Column(db.String(50), unique=True)
        email = db.Column(db.String(120), unique=True)
        password = db.Column(db.String(120))
        role = db.Column(db.SmallInteger, default=USER.USER)
        status = db.Column(db.SmallInteger, default=USER.NEW)

        def __init__(self, name=None, email=None, password=None):
 = name
 = email
          self.password = password

        def getStatus(self):
          return USER.STATUS[self.status]

        def getRole(self):
          return USER.ROLE[self.role]

        def __repr__(self):
            return '<User %r>' % (

and its constants in the /app/users/ file:

    # User role
    ADMIN = 0
    STAFF = 1
    USER = 2
    ROLE = {
      ADMIN: 'admin',
      STAFF: 'staff',
      USER: 'user',

    # user status
    INACTIVE = 0
    NEW = 1
    ACTIVE = 2
    STATUS = {
      INACTIVE: 'inactive',
      NEW: 'new',
      ACTIVE: 'active',

First about the constants file, I like to have my constants in their own file and inside my module for 2 main reasons. Your constants will probably be used in your models, forms and views. The second reason is that it's a better organization for you to find them. Also, importing your constants as the module in uppercase indicates the constant type and the module name (like USER for users.constants) will help you avoid name conflicts.

First form

Now that we've done our object model, time to build the form that goes with it. We'll start with a registration and login form. The registration form will request the user's name, email and password. We'll use validators to ensure the user submitted correct values. Finally, a Recaptcha field (provided by flask) will avoid machine registration. Just in case you plan on having a Terms of Service, I added a BooleanField called accept_tos. Since this field is required, the user will have to check the checkbox generated by this field on the box. The login form will have only email and password with the same validators. Here's the /app/users/ file:

    from import Form, RecaptchaField
    from wtforms import TextField, PasswordField, BooleanField
    from wtforms.validators import Required, EqualTo, Email

    class LoginForm(Form):
      email = TextField('Email address', [Required(), Email()])
      password = PasswordField('Password', [Required()])

    class RegisterForm(Form):
      name = TextField('NickName', [Required()])
      email = TextField('Email address', [Required(), Email()])
      password = PasswordField('Password', [Required()])
      confirm = PasswordField('Repeat Password', [
          EqualTo('password', message='Passwords must match')
      accept_tos = BooleanField('I accept the TOS', [Required()])
      recaptcha = RecaptchaField()

The first parameter for the field is the label we'll want to display for it. For example the name field will be labelled as NickName on the form. For the password fields, another useful validator got used here, EqualTo, it compares the data contained in the current field with the data of the other specified field.

For more details of what can be done with WTForms check here.

First view

The view is where we'll declare our Blueprint. Using url_prefix will prefix every url you set using route. A nice feature from Flask-WTF is the form.validate_on_submit method: it checks that the current request is a POST and that the form validates. Once the user is logged in we want to redirect the user to his profile (/users/me/). To prevent unauthenticated users to access this page, we'll create a decorator to protect it (/app/users/

    from functools import wraps

    from flask import g, flash, redirect, url_for, request

    def requires_login(f):
      def decorated_function(*args, **kwargs):
        if g.user is None:
          flash(u'You need to be signed in for this page.')
          return redirect(url_for('users.login', next=request.path))
        return f(*args, **kwargs)
      return decorated_function

This decorator is checking that g.user has a value assigned to it, otherwise it means that the user isn't authenticated, we then add a message to be displayed to the user on the next page and redirect him to the login view. You probably wonder how g.user gets defined, it's in the user's, through the before_request. You'll realize later that if you pull a lot of information from your user's profile (historical data, friends, messages, activities...) this might become a bottle neck and caching user through their id might be a good solution (as long as you centralize your object modifications and clear this cache on every update). Following are the views definition in /app/users/

    from flask import Blueprint, request, render_template, flash, g, session, redirect, url_for
    from werkzeug import check_password_hash, generate_password_hash

    from app import db
    from app.users.forms import RegisterForm, LoginForm
    from app.users.models import User
    from app.users.decorators import requires_login

    mod = Blueprint('users', __name__, url_prefix='/users')

    def home():
      return render_template("users/profile.html", user=g.user)

    def before_request():
      pull user's profile from the database before every request are treated
      g.user = None
      if 'user_id' in session:
        g.user = User.query.get(session['user_id'])

    @mod.route('/login/', methods=['GET', 'POST'])
    def login():
      Login form
      form = LoginForm(request.form)
      # make sure data are valid, but doesn't validate password is right
      if form.validate_on_submit():
        user = User.query.filter_by(
        # we use werzeug to validate user's password
        if user and check_password_hash(user.password,
          # the session can't be modified as it's signed, 
          # it's a safe place to store the user id
          session['user_id'] =
          flash('Welcome %s' %
          return redirect(url_for('users.home'))
        flash('Wrong email or password', 'error-message')
      return render_template("users/login.html", form=form)

    @mod.route('/register/', methods=['GET', 'POST'])
    def register():
      Registration Form
      form = RegisterForm(request.form)
      if form.validate_on_submit():
        # create an user instance not yet stored in the database
        user = User(,, \
        # Insert the record in our database and commit it

        # Log the user in, as he now has an id
        session['user_id'] =

        # flash will display a message to the user
        flash('Thanks for registering')
        # redirect user to the 'home' method of the user module.
        return redirect(url_for('users.home'))
      return render_template("users/register.html", form=form)

First template

Jinja is integrated within Flask. One of the great features of Jinja is the inheritance and the logic available (conditional structure, loop, context modification...). We'll create a /app/templates/base.html template which we'll inherit from, on each of our templates. You can even have more than 1 inheritance (like having your template inheriting from twocolumn.html template which itself inherits from main.html). The base template is also a good place to display flash messages (get_flashed_messages), so every template will now display messages when needed.

        <title>{% block title %}My Site{% endblock %}</title>
        {% block css %}
        <link rel="stylesheet" href="/static/css/reset-min.css" />
        <link rel="stylesheet" href="/static/css/main.css" />
        {% endblock %}
        {% block script %}
        <script src="/static/js/main.js" type="text/javascript"></script>
        {% endblock %}
        <div id="header">{% block header %}{% endblock %}</div>
        <div id="messages-wrap">
          <div id="messages">
            {% for category, msg in get_flashed_messages(with_categories=true) %}
              <p class="message flash-{{ category }}">{{ msg }}</p>
            {% endfor %}
        <div id="content">{% block content %}{% endblock %}</div>
        <div id="footer">{% block footer %}{% endblock %}</div>

Now we won't have to redefine our html structure anymore, and any modification done on base.html will be visible on all your child templates. Here is the /app/templates/users/register.html template (It's a good habit to use the view name for the template file name).

    {% extends "base.html" %}
    {% block content %}
      {% from "forms/macros.html" import render_field %}
      <form method="POST" action="." class="form">
        {{ form.csrf_token }}
        {{ render_field(, class="input text") }}
        {{ render_field(, class="input text") }}
        {{ render_field(form.password, class="input text") }}
        {{ render_field(form.confirm, class="input text") }}
        {{ render_field(form.accept_tos, class="input checkbox") }}
        {{ form.recaptcha }}
        <input type="submit" value="Register" class="button green">
      <a href="{{ url_for('users.login') }}">Login</a>
    {% endblock %}

and here is the /app/templates/users/login.html template:

    {% extends "base.html" %}
    {% block content %}
      {% from "forms/macros.html" import render_field %}
      <form method="POST" action="." class="form">
        {{ form.csrf_token }}
        {{ render_field(, class="input text") }}
        {{ render_field(form.password, class="input text") }}
        <input type="submit" value="Login" class="button green">
      <a href="{{ url_for('users.register') }}">Register</a>
    {% endblock %}

Those templates will use a macro to automate the construction of html fields. This macro will be stored in /app/templates/forms/macros.html (since this macro will be called in different modules, we'll store it in a separated file).

    {% macro render_field(field) %}
        <div class="form_field">
        {{ field.label(class="label") }}
        {% if field.errors %}
            {% set css_class = 'has_error ' + kwargs.pop('class', '') %}
            {{ field(class=css_class, **kwargs) }}
            <ul class="errors">{% for error in field.errors %}<li>{{ error|e }}</li>{% endfor %}</ul>
        {% else %}
            {{ field(**kwargs) }}
        {% endif %}
    {% endmacro %}

Finally, a simple /app/templates/users/profile.html:

   {% extends "base.html" %}
   {% block content %}
     Hi {{ }}!
   {% endblock %}

Setting up the app

Here is the /app/ :

    import os
    import sys

    from flask import Flask, render_template
    from flask.ext.sqlalchemy import SQLAlchemy

    app = Flask(__name__)

    db = SQLAlchemy(app)

    # Configure Secret Key #
    def install_secret_key(app, filename='secret_key'):
        """Configure the SECRET_KEY from a file
        in the instance directory.

        If the file does not exist, print instructions
        to create it from a shell with a random key,
        then exit.
        filename = os.path.join(app.instance_path, filename)

            app.config['SECRET_KEY'] = open(filename, 'rb').read()
        except IOError:
            print('Error: No secret key. Create it with:')
            full_path = os.path.dirname(filename)
            if not os.path.isdir(full_path):
                print('mkdir -p {filename}'.format(filename=full_path))
            print('head -c 24 /dev/urandom > {filename}'.format(filename=filename))

    if not app.config['DEBUG']:

    def not_found(error):
        return render_template('404.html'), 404

    from app.users.views import mod as usersModule

    # Later on you'll import the other blueprints the same way:
    #from app.comments.views import mod as commentsModule
    #from app.posts.views import mod as postsModule

Our SQLAlchemy db instance and models (User) are separated in two files, you need import both of them into namespace, which is done by from app.users.views import mod as usersModule implicitly. Otherwise the db.create_all() will do nothing.

Let's activate your virtualenv and initialize your database:

user@Machine:~/Projects/dev$ . env/bin/activate
(env)user@Machine:~/Projects/dev$ python 
>>> from app import db
>>> db.create_all()
>>> exit()

now you can go in your root and run python ... this should give you something like this:

(env)user@Machine:~/Projects/dev$ python 
 * Running on
 * Restarting with reloader

Open your web-browser at [], you should be redirected to the login page and see a link to the register page.