Python Flask Tutorial: Full-Featured Web App Part 6 - User Authentication

11:43
Corey: "This is the first time we see an error screen like this"
Me:*nervous laughing* "Yeah first time"

For anyone wondering how validate_username() and validate_email() are being called, these functions are called with the FlaskForm class that our RegistrationForm class inherited from. If you look at the definition for validate_on_submit(), and from there, the definition for validate(), that validate function contains the following line:
inline = getattr(self.__class__, 'validate_%s' % name, None)
There is a lot going on in the background, but from what I can tell, Flask is checking for extra functions created with the naming pattern: "validate_(field name)", and later calling those extra functions. Correct me if I'm wrong.

To anyone reading this, I want to say that these tutorials are much much better than any paid content on Udemy, etc. Corey, I cannot thank you enough for all your efforts and patience in creating this amazing content. I am currently unemployed and I'm trying hard to learn full stack dev on Python and upskill myself . I promise I will contribute to your channel the moment I receive my first salary. I mean it. Once again, thank you so so so so much for everything you do Corey. May god bless you.

@9:55
The 2023_c version is:
from import app, db
app.app_context().push()
from .models import User
user = User.query.first()

At around (34:00) or so as you are putting in the logout stuff, you could also use:
Logout {{current_user.username}}
in the layout.html. This will display the userid you are logged with. When you are testing, it's REALLY nice to know who the heck you are logged in as.

These are excellent videos. Its not a step by step as that would be A-Z with no issues. He brings you through all of the concepts, and shows you why things need to be done a certain way by highlighting errors and sometimes making them on purpose. Great teacher

For anyone wondering why the navbar login/register links are left-aligned, it's because you might be using Bootstrap 5. Simply add the div class ms-auto next to navbar-nav.

Corey It was great to meet you at Pycon! I really appreciate how you incorporate important knowledge gems throughout the tutorial so that we understand the reasons behind the steps and potential problems that may be encountered. And yet manage to avoid the clutter. Thanks so much! To show my appreciation, I donated via paypal :)

28:01 Just wanted to point out a little shortcut: there is no need to add an "else" statement after hitting a "return" statement inside the previous "if" on line 53. Since the function will return, the rest of it will not be evaluated after that point. This is obviously no big deal, but it is a small detail that's useful especially when trying to maintain the length of the lines under 80 characters since you end up with less indentation!
Thank you Corey, I'm learning a lot from this series!

These tutorials are so thorough... Covers so many cases that other tutorials just brush over or simply skip. Thank you SO MUCH!

Outstanding video! Thank you so much! I am a high school senior working on an engineering capstone project. We are making a tool to facilitate people's college applications. Since it uses machine learning, we chose Python over PHP for this task, which makes Flask very useful. Your tutorials on the login system and database have been extremely helpful (I originally did some MySQL queries by hand, but this is much cleaner and easier). Cheers!

just wanna say thank you from Nepal

"Hey there how's it going everybody"

Whenever I think to write a comment on this. I need to think with what words should I grateful to Corey. All things that you explains are much much cleaner and clear. So happy and thankful to you.

thank you so much! I'm 15 and I've been struggling with this thinking it's high end programmer ish...but your explanation helped me a lot❤. Everyone deserves a teacher like you💖God bless u Corey

I wish I could give thousand likes in this videos, these contents are much better than most of the paid contents available. Thanks a ton Corey for making our lives easier thru these awesome tutorials

11:42 "This is the first time we've seen an error like this"
that actually made me laugh I've had at least 10 different errors page only in those first 6eps.

Corey, your tutorials are gold. I'm having real fun following along and it makes me excited to be programming an actual website. The videos are a constant bombardment of useful information. Good pace, good content, good quality. Thanks for the series on flask!

There is a ton of information in this one video. I am going to have to watch this one over and over while building a site. Some of the things that these classes and functions are doing is confusing and it would be helpful if you explained how they function. Thank you for creating this video series.

I love when he says "our server is still running so that's good"

I don't know why I feel proud when corey's server stops running and mine doesn't

Corey..Not sure How much research you have done...Excellent presentation

Corey, your videos are amazing, thank you! im learning flask ASAP to get ready for a job i got called in to interview for that needs me to know flask! THIS IS HELPING LOTS!!

I haven't finished the series yet, but I hope we can get into user accounts vs admin accounts with different permissions, or if you haven't made a video of that yet, it would be amazing if you did!! Everything clicks so easily the way you teach it!! I really enjoy it!! thank you Corey!!

Once in a while you encounter a page, where afer login, you get thrown of the tracks you have been surfing. Seeing how it's implemented under the hood is really fascinating. Thank you, proud supporter.

44:44 this is a bit neater and safer
if next_page and not is_safe_url(next_page):
return flask.abort(400)
return redirect(next_page or url_for('home'))
Anyway, Thanks Corey for this excellent content!

successfully completed 6 videos during a day! thanks i have target to complete all in a one day

thank you sir for writing this, i'm followed alone and your tutorial really helped me
From Taiwan

by far the best flask explanation out there in youtube

11:42 Oh Corey you have so much faith in us!

Well, I'm following this course from the first video and it's always amazing and so valuable information. Thx Corey ! You are amazing !
Just for the record, I've been checking the flask documentation on login (flask-login.readthedocs.io/en/latest/#login-example), and noticed this warning :
Warning: You MUST validate the value of the next parameter. If you do not, your application will be vulnerable to open redirects. For an example implementation of is_safe_url see this Flask Snippet.
The link to the "spinnet" is unfortunatly broken and after some research I found this very interesting post on Stackoverflow which gives more information on the issue, and also gives the link to the ressource. I don't understand everything, but I got that this is an important issue (maybe for more experienced users so Corey didn't want to put too much information here). Anyway, it looks like an important security issue, and if someone can give me a feedback on it, it would be very appreciated :) ! I actually have two questions :
- How to implement the "is_safe_url" solution ? I'm new in code and don't really understand it..
- Given this comment on the snippet page : "Please note that redirecting like this is vulnerable to the Open Redirect Vulnerability (homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html) due to the way that python's urlparse module parses URLs", which I don't really understand (neither), I was wondering if the "is_safe_url" solution is relevant, and if not, how to face this security issue.
Sorry for the endless comment.. Hope this will be useful for others, and hope someone will come with an answer :) ! One more time, you're a rockstar Corey, great job for these videos !

Ive been searching a lot for finding a really helpful education packages to learn the python , thank god one of you videos popped up and yeah im here everyday! as my breakfast im having some Corey !Thank you So much for Making awesome tutorials i got a 10-year Plan, at the end of the plan everyone will meet a new concept of coding, Every time i will Appreciate your helps, i will always be thankful

If you notice carefully, you see 127.0.0.1:5000/login?next=%2Faccount in the URL when you are not logged in and visit 127.0.0.1:5000/account. The Flask is making a note of where to take the user once login is done.
I originally did using current_user.is_authenticated and was doing manual re-directs. But then saw this and realized why login_required is best to use here.
Corey, you are the best!

Big up YOU mr. Corey Schafer!!!!!!!!

I bought some python courses on Udemy and some of them were good, others ok. This series is far better than a popular Udemy course on Flask (despite thousands of reviews and 4.7 stars). You should be making more revenue from this - I would suggest mid-roll ads every 15 mins is reasonable (given this content is free) and at the same time users can also take a quick break! Thanks for sharing your knowledge!

best instructor in you tube for python

I swear I learned so much from you more than my 3 years in college

Corey, I love the whole series. I also started with Mega Tutorial from Miguel, but that one here from you is much easier to follwo. Excellent work!

Best Tutorial in youtube, I don't even found this quality full tutorial in Udemy.

This is an awesome tutorial, really clear, well organized, and jargon free!

COREY I DONT KNOW HOW TO THANK YOU BRO! you make the best python tutorial ever... Thanks so much

this tutorial series about flask is great thank you much. you did a great job here.

Excellent series! Really appreciate your clear, concise, explanations! Keep up the awesome work!

Awesome tutorial. Super. Very detailed explanation and added the new features also. Thank you so much for making the videos on Flask.

Thanks for this!! Even years after, you are an amazing teacher.

the best guide in the internet!

Please do a video on cookies and session.. plz plz

Saw lots of tutorials, this one (as whole) is by far - the best. Thanks a lot Corey. subscribed.

No comment . Respect man ✊

I am using pycharm in following these excellent tutorials. Pycharm was complaining about line 42 in routes.py on the line.
user = User(username=form.username.data, email=form.email.data, password=hashed_pw)
It said that there were unexpected arguments. Yet everything worked fine.
What I figured out was:
1. A class does not require an __init__ method. (The User class in models.py does not contain an __init__ method)
2. If I added an __init__ method to the User class, pycharm stops complaining.
def __init__(self, username, email, password):
self.username = username
self.email = email
self.password = password
I think, I like the change because it makes the code more explicit. I don't like that it adds more code, but I guess you can't have everything.
Thanks for all the great content.

Excellent Python tutorials, one if the best out there by far, great work Corey

I also followed -Miguel Grinberg , but your videos are much better for a beginner.

Hi
Very interesting tutorial will use elements of this for my own work. One element which you should consider is a remove function. As a curtesy to the user who has been registered, I believe it is mandatory to have a functionality which removes any personal data from the database if this registered user wants to do so. Using the tools you demonstrated it is quite simple but I feel it is an important message to the viewers of your tutorial, and most likely easy forgotten.

Really a good explanation it was since 2018 and we are 2022 but it is still a good explanation for Flask!

45:00 In this case you could just write return redirect(next_page or 'home')

iam getting an error like "sqlite3.OperationalError: no such table: user"
can someone help me here ??
edit: corrected, add db.create_all() at top of the routes.py file

I've done a Flask course with a well known python training provider that cost 40-50 dollars, this was much better.

Validation from the form is soo cool feature.

Wow.this is wonderful tutorial and helpful to us

Thank you so much @Corey Schafer for making such educational, easy to understand and follow videos for all of us. I've been following your channel since 2 years and I've learned a lot from you.
I do have one minor doubt which I couldn't find a solution for anywhere. My alert boxes are not coming in colored style. They're simple plain texts. I looked up bootstrap docs and they're pretty much same to what you've written. It'd be great if anyone can solve this issue as it gives me a little anxiety that my code is not correct :/ :p

Great Video! Having a lot of fun in this series.

i enjoy your lessons every day!

The best flask tutorial on the web. Thanks a lot.

Corey: We don't wanna store passwords as a plain text
Facebook: Hold my beer

We can also use dict get function this way,
if form.validate_on_submit():
...
next_page = request.args.get('next', 'home')
return redirect(next_page)
so if next arg doesn't exists it returns home.

i learned python and flask cuz of you
thanks BRO

Great tutorial from Corey Schafer, thank's a lot mate.
However, it being a bit outdated concerning the flask_wtf and the audience being beginners, I would encourage people to use the html forms, and use the "request" module from flask.
You guys should switch out to Tech With Tim and his flask serie for the form part, and go back to corey afterwards (cause I believe corey did a better job overall to lead to a solid blog).
+ I believe rewriting code that has been made is dumb, but when it comes to validators I think as a dev you should have a perfect control over it, so it's not that dumb to write your own functions for that and send your own messages.
If anyone is having trouble with flask forms I would love to help in the comments.
Good learning everyone, and thank's again to you corey.

Just one Problem : i did. Fallow ur series , I understand 1000% everything, I did even Code it. 2 times besides -> without ur tutorial I m lost 😞 , can’t do something by my self

Thanks for this course it's very clear and helpful for beginners, as well as to brush up flask skills. Keep posting good content 👌

wow! very nicely explained man! Thanks!

very good sharing

Thanks for the wonderful tutorial! I'm not clear for this lesson, we just add two function "validate_username" and "validate_email" for the RegisterForm class, but we didn't even call the two functions. How it can take effect ?

@Corey! This is very great! Easy to follow and understand. I learned a lot from these videos what I had never used before :)

Your videos are really good .Best when it comes flask section.Though can I add you a suggestion.It will always be better to summarize the topics within 2min after a long video session

According the the Flask-Login documentation "You MUST validate the value of the next parameter. If you do not, your application will be vulnerable to open redirects." It recommends to use 'is_safe_url' after 'next = flask.request.args.get('next')', as follows:
next = flask.request.args.get('next')
if not is_safe_url(next):
return flask.abort(400)
I was wondering why you are not using it?

at 8:40
Remember to register only after you have run db.create_all() once, otherwise the tables defined in your models have not been intialized yet since at this point we have not included that command in the flask app files yet. If db.create_all() hasn't been run before you register and you try to check for the user you just registered you are going to get an error like the following:
Operational error : No such table : user

This is a great video!
POTENTIAL SECURITY ISSUE - when doing the validate_username (or whatever you're tying to validate to protect against duplicates, in my case email address) you should validate against an exact match. For example, someone could register with Corey and corey in your example. For those using email as the username, foo@bar.com would register, but so would Foo@bar.com or fOo@bar.com... This could be a very big security issue... Tricking users, or perhaps signing up with the same email as the 'admin' but changing a letter to be uppercase could result in a password reset.
In forms.py - from sqlalchemy import func.
Change user = User.query.filter_by(email=email.data).first() TO: user=User.query.filter_by(email=func.lower(email.data)).first())

At 10:41 I wondered why the password wasn't showing. Just figured out it's because of the user class representing a user by only showing username, email and profile picture. Hope to help some folks wondering the same!

Question:
at 29:03 ,
I've checked and double checked but for some reason, while the page is running, I'm not seeing the error flash for when the provided credentials are bad
@app.route("/login", methods=['GET', 'POST'])
def login():
form = LoginForm()
if form.validate_on_submit():
user = User.query.filter_by(email=form.email.data)
if user and bcrypt.check_password_hash(user.password, form.password.data):
login_user(user, remember=form.remember.data)
return redirect(url_for('index'))
else:
flash('Login Unsuccessful. Please check username and password', 'danger')
return render_template('login.html', title='Login', form=form) # we have access to the form instance we created
result, while credentials are being taken, no flash warning is showing that they're invalid.
any syggestions?

This video is so helpful for understanding and implementing session management

What a satisfying episode. Thanks Corey! Your content is superb. By the way, is the Django series in the works? Really looking forward to that.

Hey, the ValidationError message is not showing when I'm doing it, it's just highlighting that section. How can I print the message?

You deserve a medal

so just to clarify w hashed passwords, it basically adds an extra layer of protection bc a hacker who has access to the database would just get a hashed password instead of the actual password...and hackers can even use the check password method you showed on the video, but then that would be an extra step for hackers, and takes more time, so hashing is not entirely safe right?

How can I display the user's name next to the logout button when s/he's logged in? I've tried {{ user.username }} in the layout.html, but that doesn't work.
/e: oops it works with {{ current_user.username }}

very in-depth tutorial. i can't thank you enough!!!!!!!

Excellent tutorial, thanks!

at this point I'm learning so much that I'm starting to feel guilty not being a Patreon supporter

These videos are gems.

so so happy, please publish more of a python stuff, like commerce games, online accounts etc

Didnt know there was a turnarary in python, thanks Corey.

The best content ever. Thanks a lot!

These videos are so good! Love how Corey explains concepts and builds real-world apps at the same time. I have a question though if anyone's still around to answer (I see most comments are over a year old). I noticed that if the user sets the "next" param to an arbitrary value like "?next=%2Fxyz" and then successfully logs in, the flask app panics and displays a BuildError screen (when run in debug mode). Does anyone know how to handle that gracefully?

4:31 : import Bcrypt
8:17 : user registration
17:35 : custom validation for form fields
20:10 : install flask-login
21:01 : setup flask login

these tutorials are fire, thank you

This is a wow video...Thank you so much

Good job, your explainations are excellent.

this was a great series

This series is helpful

Did anyonr got an Operational Error from sqlite after Signing up the registration form , I am unable to resolve the error