
Testing authentication flows in Flask - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What is the output when a logged-out user accesses a protected route?
Consider a Flask app with a login_required decorator protecting the /dashboard route. What happens when a user who is not logged in tries to access /dashboard?
Flask
from flask import Flask, redirect, url_for
from flask_login import LoginManager, login_required

app = Flask(__name__)
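login_manager = LoginManager(app)

# Flask-Login needs a user loader before it can resolve current_user.
# No users exist in this example, so every request is anonymous.
@login_manager.user_loader
def load_user(user_id):
    return None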

@login_manager.unauthorized_handler
def unauthorized():
    return redirect(url_for('login'))

@app.route('/dashboard')
@login_required
def dashboard():
    return 'Welcome to your dashboard!'

@app.route('/login')
def login():
    return 'Please log in.'
A. The user is redirected to the /login page and sees 'Please log in.'
B. The user sees 'Welcome to your dashboard!'
C. The user gets a 404 Not Found error
D. The user sees a blank page with status 200
💡 Hint
Think about what the login_required decorator does when the user is not authenticated.
state_output
intermediate
What is the session state after a successful login?
In a Flask app using flask_login, after calling login_user(user), what key is added to the session to track the logged-in user?
Flask
from flask import Flask, session
from flask_login import LoginManager, login_user, UserMixin

app = Flask(__name__)
# Test-only signing key; outside tests, load a random key from configuration.
app.secret_key = 'secret'
login_manager = LoginManager(app)

class User(UserMixin):
    def __init__(self, id):
        self.id = id

user = User('123')

with app.test_request_context():
    login_user(user)
    user_id_in_session = session.get('_user_id')
A. 'current_user'
B. 'user_id'
C. '_user_id'
D. 'logged_in_user'
💡 Hint
Check flask_login's source or documentation for the session key it uses.
📝 Syntax
advanced
Which code snippet correctly tests login with Flask's test client?
You want to test logging in a user by posting credentials to /login using Flask's test client. Which snippet correctly performs the login and checks the response?
Flask
from flask import Flask, request
from flask_login import LoginManager, login_user, UserMixin

app = Flask(__name__)
# Test-only signing key; outside tests, load a random key from configuration.
app.secret_key = 'secret'
login_manager = LoginManager(app)

class User(UserMixin):
    def __init__(self, id):
        self.id = id

@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    if username == 'testuser':
        user = User('1')
        login_user(user)
        return 'Logged in'
    return 'Failed', 401

client = app.test_client()
A
response = client.post('/login', json={'username': 'testuser'})
assert response.data == b'Logged in'
B
response = client.post('/login', data='username=testuser')
assert response.data == b'Logged in'
C
response = client.get('/login', data={'username': 'testuser'})
assert response.status_code == 200
D
response = client.post('/login', data={'username': 'testuser'})
assert response.data == b'Logged in'
💡 Hint
Remember how form data is sent in POST requests with Flask test client.
🔧 Debug
advanced
Why does this test fail to detect a logged-in user?
A test posts login data and then requests a protected page but gets redirected to login again. Why?
Flask
response = client.post('/login', data={'username': 'testuser'})
response = client.get('/dashboard')
assert b'Welcome' in response.data
A. The test client does not preserve cookies between requests by default
B. The test client needs to use follow_redirects=True on the get request
C. The /dashboard route is not decorated with login_required
D. The login route does not set the session cookie properly
💡 Hint
Think about what happens when a protected route redirects to login.
🧠 Conceptual
expert
What is the best way to test logout behavior in Flask-Login?
You want to test that after logging out, the user cannot access protected routes. Which approach correctly verifies this?
A. Call client.get('/logout') then client.get('/dashboard', follow_redirects=True) and check the response contains the login page content
B. Call client.get('/logout') then client.get('/dashboard') and check the status code is 200
C. Call client.post('/logout') then client.get('/dashboard') and check the response data is empty
D. Call client.get('/logout') then client.get('/dashboard') and check the response status code is 404
💡 Hint
Think about what happens after logout and how protected routes behave.