librelist archives

Flask-Principal

Flask-Principal by Raphael Slinckx
- Flask-Principal by Anton Khodakivskiy
  - Re: [flask] Flask-Principal by Aaron Kavlie
  - Re: [flask] Flask-Principal by Scott Scites

Flask-Principal

From:: Raphael Slinckx
Date:: 2010-10-14 @ 21:12

Hi !

I'm working on several projects at work using Flask, and have started
building some internal extensions that i plan to release to a wider
audience.

The first one is a modification of the flask-principal extension which
i posted on github: http://gist.github.com/627023

I extended the Principal object with the following ideas:
* Added a proper init_app(app) method (I don't know why it's
_init_app(app) at the moment?)

* Added basic-auth identity loader
  Each request is inspected for http basic-auth headers and if a user
is found, logs in

* Added form-based identity loader
  You just provide a list of paths to monitor in your config.
  If something gets posted with login/password POST values to that
path, it will try to log you in

* Slightly changed the session-based loader and saver to use an ID
rather than a username
  I think it's better if the session cookie contains a immutable
identifier rather than a possibly changing login/username/email which
invalidates the session if the user changes login/username/email. The
id should stay the same.

* When saving the identity, save the ID for the logged in user in the
session, if no user is logged in, delete the session key

* Always ensure there is a g.user variable defined during the request
(if no user -> g.user is None)

* Added 2 public methods on the principal object:
  - principal.login(user), immediately logs in the user, g.user is
updated to reflect that
  - principal.logout(), immediately logs out the user, g.user is set
to None and the cookie will be cleared in the response

* Extended the Identity object to contain an user object. The identity
will take user.id as 'name' to store in the session cookie
  I also added two decorators:
  - user_by_id(f): Gives principal a way to query for a user object
given a user id
  - user_by_login(f): Gives principal a way to query for an user
object given a login/password pair

The main objective of the last change is to ensure that the identity
retrieved by identity_loaders is actually mapping to a real user and
not just stale.
Currently if i have an otherwise valid session cookie but containing a
stale username, the identity will be set to that name, but it doesn't
correspond to any real user object, and this prevents any other
identity_loaders to be executed.
With this code, the identity loaders extract either an id or a
login/password pair and ask the application to get the user object.
Only if a user is found then will the identity be set.

Some sample pseudo-code:
--------------------------------------------------------------------
AUTHENTIFIER_LOGIN_PATHS = ['/login']

app = Flask(__name__)
principal = Principal()
principal.init_app(app)

@principal.user_by_id
def user_by_id(id):
    return User.query.get(id)
@principal.user_by_login
def user_by_login(login, password):
    user = User.query.filter(User.login == login).first()
    if user and user.validate_password(password):
        return user

@app.route('/logout')
def logout():
    principal.logout()
    flash('Logged out')

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        if g.user:
            redirect('/loggedin')
        else:
            flash('Error logging in')
            redirect('/login')
    else:
        render_template('login.html')
-----------------------------------------------------------------

I'm not sure what the Flask-Principal maintainer thinks of these
suggestions, it's of course open to any criticism :)
If it's deemed useful enough, we can discuss how to merge this
properly into flask-principal itself.

Raf.

Flask-Principal

From:: Anton Khodakivskiy
Date:: 2011-02-20 @ 14:01

Hi

Are there any examples on how to use Flask-Principal, besides the 
documentation snippets? Some guidelines or best practice patterns will be 
very helpful.  

Thanks
Anton

Re: [flask] Flask-Principal

From:: Aaron Kavlie
Date:: 2011-02-20 @ 19:41

FYI, work on Flask-Principal is planned for the PyCon sprints. So look out
for a new version (likely with better docs) in about a month.

On Sun, Feb 20, 2011 at 7:01 AM, Anton Khodakivskiy <akhodakivskiy@gmail.com
> wrote:

> Hi
>
> Are there any examples on how to use Flask-Principal, besides the
> documentation snippets? Some guidelines or best practice patterns will be
> very helpful.
>
> Thanks
> Anton
>

Re: [flask] Flask-Principal

From:: Scott Scites
Date:: 2011-02-20 @ 14:40

> Are there any examples on how to use Flask-Principal, besides the
> documentation snippets? Some guidelines or best practice patterns will be
> very helpful.
>
> Dan Jacob's newsmeme (https://bitbucket.org/danjac/newsmeme/src)
application has been a great help to me for using Flask-Principal as well as
for other lessons.  Thanks Dan!