Implement user login based on sessions

Use Flask-Login & Flask-WTF libraries
2021-12-28 09:39:12 +01:00 · 2021-12-28 09:39:12 +01:00 · 3af67fee01
parent 95cc6f5e94
commit 3af67fee01
6 changed files with 119 additions and 9 deletions
--- a/ereuse_devicehub/forms.py
+++ b/ereuse_devicehub/forms.py
@ -0,0 +1,62 @@
 from flask_wtf import FlaskForm
 from werkzeug.security import generate_password_hash
 from wtforms import EmailField, PasswordField, validators
 from ereuse_devicehub.resources.user.models import User
 class LoginForm(FlaskForm):
    email = EmailField('Email Address', [validators.Length(min=6, max=35)])
    password = PasswordField('Password', [
        validators.DataRequired(),
    ])
    error_messages = {
        'invalid_login': (
            "Please enter a correct email and password. Note that both "
            "fields may be case-sensitive."
        ),
        'inactive': "This account is inactive.",
    }
    def validate(self, extra_validators=None):
        is_valid = super().validate(extra_validators)
        if not is_valid:
            return False
        email = self.email.data
        password = self.password.data
        self.user_cache = self.authenticate(email, password)
        if self.user_cache is None:
            self.form_errors.append(self.error_messages['invalid_login'])
            return False
        return self.confirm_login_allowed(self.user_cache)
    def authenticate(self, email, password):
        if email is None or password is None:
            return
        user = User.query.filter_by(email=email).first()
        if user is None:
            # Run the default password hasher once to reduce the timing
            # difference between an existing and a nonexistent user (#20760).
            generate_password_hash(password)
        else:
            if user.check_password(password):
                return user
    def confirm_login_allowed(self, user):
        """
        Controls whether the given User may log in. This is a policy setting,
        independent of end-user authentication. This default behavior is to
        allow login by active users, and reject login by inactive users.
        If the given user cannot log in, this method should raise a
        ``ValidationError``.
        If the given user may log in, this method should return None.
        """
        if not user.is_active:
            self.form_errors.append(self.error_messages['inactive'])
        return user.is_active
--- a/ereuse_devicehub/resources/user/models.py
+++ b/ereuse_devicehub/resources/user/models.py
@ -1,7 +1,7 @@
 from uuid import uuid4
 from citext import CIText
 from flask import current_app as app
 from flask_login import UserMixin
 from sqlalchemy import Column, Boolean, BigInteger, Sequence
 from sqlalchemy.dialects.postgresql import UUID
 from sqlalchemy_utils import EmailType, PasswordType
@ -13,7 +13,7 @@ from ereuse_devicehub.resources.models import STR_SIZE, Thing
 from ereuse_devicehub.resources.enums import SessionType
-class User(Thing):
+class User(UserMixin, Thing):
    __table_args__ = {'schema': 'common'}
    id = Column(UUID(as_uuid=True), default=uuid4, primary_key=True)
    email = Column(EmailType, nullable=False, unique=True)
@ -66,6 +66,15 @@ class User(Thing):
            return
        return self.email.split('@')[0].split('_')[1]
    @property
    def is_active(self):
        """Alias because flask-login expects `is_active` attribute"""
        return self.active
    def check_password(self, password):
        # take advantage of SQL Alchemy PasswordType to verify password
        return self.password == password
 class UserInventory(db.Model):
    """Relationship between users and their inventories."""
--- a/ereuse_devicehub/templates/ereuse_devicehub/user_login.html
+++ b/ereuse_devicehub/templates/ereuse_devicehub/user_login.html
@ -22,22 +22,30 @@
                <div class="pt-4 pb-2">
                  <h5 class="card-title text-center pb-0 fs-4">Login to Your Account</h5>
                  <p class="text-center small">Enter your username & password to login</p>
                  {% if form.form_errors %}
                  <p class="text-danger">
                    {% for error in form.form_errors %}
                      {{ error }}<br/>
                    {% endfor %}
                  </p>
                  {% endif %}
                </div>
-                <form class="row g-3 needs-validation" novalidate>
+                <form method="post" class="row g-3 needs-validation" novalidate>
                  {{ form.csrf_token }}
                  <div class="col-12">
-                    <label for="yourUsername" class="form-label">Username</label>
+                    <label for="yourUsername" class="form-label">Email</label>
                    <div class="input-group has-validation">
                      <span class="input-group-text" id="inputGroupPrepend">@</span>
-                      <input type="text" name="username" class="form-control" id="yourUsername" required>
+                      <input type="text" name="email" class="form-control" id="yourUsername" required value="{{ form.email.data|default('', true) }}">
                      <div class="invalid-feedback">Please enter your username.</div>
                    </div>
                  </div>
                  <div class="col-12">
                    <label for="yourPassword" class="form-label">Password</label>
-                    <input type="password" name="passwword" class="form-control" id="yourPassword" required>
+                    <input type="password" name="password" class="form-control" id="yourPassword" required>
                    <div class="invalid-feedback">Please enter your password!</div>
                  </div>
--- a/ereuse_devicehub/utils.py
+++ b/ereuse_devicehub/utils.py
@ -0,0 +1,8 @@
 from urllib.parse import urljoin, urlparse
 def is_safe_url(request, target):
    ref_url = urlparse(request.host_url)
    test_url = urlparse(urljoin(request.host_url, target))
    return test_url.scheme in ('http', 'https') and \
        ref_url.netloc == test_url.netloc
--- a/ereuse_devicehub/views.py
+++ b/ereuse_devicehub/views.py
@ -1,22 +1,43 @@
-from flask import Blueprint, render_template
+import flask
 from flask import Blueprint
 from flask.views import View
 from flask_login import login_user
 from ereuse_devicehub.forms import LoginForm
 from ereuse_devicehub.resources.user.models import User
 from ereuse_devicehub.utils import is_safe_url
 core = Blueprint('core', __name__)
 class LoginView(View):
    methods = ['GET', 'POST']
    template_name = 'ereuse_devicehub/user_login.html'
    def dispatch_request(self):
-        return render_template(self.template_name)
+        form = LoginForm()
        if form.validate_on_submit():
            # Login and validate the user.
            # user should be an instance of your `User` class
            user = User.query.filter_by(email=form.email.data).first()
            login_user(user)
            next_url = flask.request.args.get('next')
            # is_safe_url should check if the url is safe for redirects.
            # See http://flask.pocoo.org/snippets/62/ for an example.
            if not is_safe_url(flask.request, next_url):
                return flask.abort(400)
            return flask.redirect(next_url or flask.url_for('core.user-profile'))
        return flask.render_template('ereuse_devicehub/user_login.html', form=form)
 class UserProfileView(View):
    template_name = 'ereuse_devicehub/user_profile.html'
    def dispatch_request(self):
-        return render_template(self.template_name)
+        context = {}
        return flask.render_template(self.template_name, **context)
 core.add_url_rule('/login/', view_func=LoginView.as_view('login'))
--- a/requirements.txt
+++ b/requirements.txt
@ -9,7 +9,9 @@ colour==0.1.5
 ereuse-utils[naming,test,session,cli]==0.4.0b49
 Flask==1.0.2
 Flask-Cors==3.0.6
 Flask-Login==0.5.0
 Flask-SQLAlchemy==2.3.2
 Flask-WTF==1.0.0
 hashids==1.2.0
 inflection==0.3.1
 marshmallow==3.0.0b11