HomeFlask in 5 DaysDay 4
Day 4 of 5
⏱ ~60 minutes
Flask in 5 Days — Day 4

Authentication

User registration, login, and logout with Flask-Login. Password hashing with bcrypt. Protecting routes with @login_required.

Setting Up Flask-Login

Terminal
pip install flask-login flask-bcrypt
app.py
from flask_login import LoginManager, UserMixin, login_user, logout_user, login_required, current_user
from flask_bcrypt import Bcrypt

bcrypt = Bcrypt(app)
login_manager = LoginManager(app)
login_manager.login_view = 'login'  # redirect here if not logged in

# User model must inherit UserMixin
class User(UserMixin, db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(80), unique=True, nullable=False)
    password_hash = db.Column(db.String(128), nullable=False)

@login_manager.user_loader
def load_user(user_id):
    return User.query.get(int(user_id))
views.py — Register and Login
@app.route('/register', methods=['GET','POST'])
def register():
    if request.method == 'POST':
        hashed = bcrypt.generate_password_hash(request.form['password']).decode('utf-8')
        user = User(username=request.form['username'], password_hash=hashed)
        db.session.add(user)
        db.session.commit()
        return redirect(url_for('login'))
    return render_template('register.html')

@app.route('/login', methods=['GET','POST'])
def login():
    if request.method == 'POST':
        user = User.query.filter_by(username=request.form['username']).first()
        if user and bcrypt.check_password_hash(user.password_hash, request.form['password']):
            login_user(user, remember=True)
            return redirect(url_for('dashboard'))
        flash('Invalid credentials', 'danger')
    return render_template('login.html')

@app.route('/logout')
@login_required
def logout():
    logout_user()
    return redirect(url_for('index'))

@app.route('/dashboard')
@login_required
def dashboard():
    return render_template('dashboard.html', user=current_user)
📝 Day 4 Exercise
Add Auth to Your App
  1. I
  2. m
  3. p
  4. l
  5. e
  6. m
  7. e
  8. n
  9. t
  11. r
  12. e
  13. g
  14. i
  15. s
  16. t
  17. e
  18. r
  19. ,
  21. l
  22. o
  23. g
  24. i
  25. n
  26. ,
  28. a
  29. n
  30. d
  32. l
  33. o
  34. g
  35. o
  36. u
  37. t
  38. .
  40. H
  41. a
  42. s
  43. h
  45. p
  46. a
  47. s
  48. s
  49. w
  50. o
  51. r
  52. d
  53. s
  55. w
  56. i
  57. t
  58. h
  60. b
  61. c
  62. r
  63. y
  64. p
  65. t
  66. .
  68. P
  69. r
  70. o
  71. t
  72. e
  73. c
  74. t
  76. t
  77. h
  78. e
  80. d
  81. a
  82. s
  83. h
  84. b
  85. o
  86. a
  87. r
  88. d
  90. r
  91. o
  92. u
  93. t
  94. e
  96. w
  97. i
  98. t
  99. h
  101. @
  102. l
  103. o
  104. g
  105. i
  106. n
  107. _
  108. r
  109. e
  110. q
  111. u
  112. i
  113. r
  114. e
  115. d
  116. .
  118. S
  119. h
  120. o
  121. w
  123. t
  124. h
  125. e
  127. c
  128. u
  129. r
  130. r
  131. e
  132. n
  133. t
  135. u
  136. s
  137. e
  138. r
  139. '
  140. s
  142. u
  143. s
  144. e
  145. r
  146. n
  147. a
  148. m
  149. e
  151. i
  152. n
  154. t
  155. h
  156. e
  158. n
  159. a
  160. v
  161. .

Day 4 Summary

  • UserMixin adds is_authenticated, is_active, get_id() to your User model.
  • Always hash passwords. generate_password_hash(pw) → stored hash. check_password_hash(hash, pw) → True/False.
  • @login_required redirects unauthenticated users to login_manager.login_view.
  • current_user is available in all views and templates when Flask-Login is set up.
← Previous
Day 3: Forms and Validation
Next →
Day 5: REST API and Deploy
Finished this lesson?