flask website with authentication

A Flask website with username, password authentication

A simple website with an index page for logging in and a home page.

Two html templates under the /templates folder

1. index.html

It contains inputs for username and password, a submit button and a dynamic 'message' field that can be set by flask script.

<html>

<button type="submit">Login</button>

</form>

<p>{{message}}<p>

</html>

2. home.html

After logged in, it shows a welcome message and a button for logging out.

<html>

<p>{{message}}<p><br>

<button type="submit">Logout</button>

</form>

</html>

3. the main Flask app.py script

To be able to keep the user's log in status, a session is required.

To keep the session secure, a super secret key is also needed to be set upfront.

If the user has logged in, the session simply keeps the username in it.

If session doesn't have the username in it, it is considered not logged in and direct back to the login page.

The session is maintained on the server side, so the client side can not manipulate it.

The login page (default to /), renders the index.html with a good day message for GET request.

Then the user can type in username, password and submit as a POST request.

If username password are good, it updates the session "session['username'] = username" to indicate that the user has logged in, and redirect to the home page.

Otherwise, it redirect back to the login page with a message 'Invalid username or password')

On the home page, it simply shows a welcome message with the username.

On clicking the logout button, a post request is submitted. The session will be cleared "session.pop('username', None)" and it goes back to login page.

If one go directly to the home page, it checks if the user has logged in "'username' in session". If not simply go back to login page.

from flask import Flask, render_template, request, redirect, url_for, session

app = Flask(__name__)

# for encryting the session / cookie. Change this to a more secure key in production.

app.secret_key = 'super-secret-key'

# Sample user credentials (you would typically store these in a database)

users = {

'user1': 'password1',

'user2': 'password2'

}

# Home page with login form

@app.route('/', methods=['GET', 'POST'])

def login():

if request.method == 'POST':

print(request.form)

username = request.form['user']

password = request.form['password']

if username in users and users[username] == password:

session['username'] = username

return redirect(url_for('home'))

else:

return render_template('index.html', message='Invalid username or password')

else:

return render_template('index.html', message='good day')

# home page accessible after login

@app.route('/home', methods=['GET', 'POST'])

def home():

if 'username' in session: #check if the user has logged in

if request.method == 'POST':

#logout request

session.pop('username', None)

return redirect(url_for('login'))

else:

return render_template('home.html', message='hi {}, welcome to home page'.format(session['username']))