How to Implement Authentication in Flask: Simple Guide
To implement authentication in Flask, use the Flask-Login extension, which manages user sessions and login state. Define a user model with the required methods, set up login views, and protect routes with the @login_required decorator.

Syntax
The basic syntax for Flask authentication involves importing Flask-Login, initializing the LoginManager, defining a user class with required methods, and using decorators to protect routes.
- `LoginManager.init_app(app)`: Connects Flask-Login to your Flask app.
- `user_loader` callback: Loads the user from the user ID stored in the session.
- `@login_required`: Protects routes so only logged-in users can access them.
- `login_user(user)`: Logs in a user after verifying credentials.
- `logout_user()`: Logs out the current user.
```python
from flask import Flask
from flask_login import LoginManager, UserMixin, login_user, logout_user, login_required, current_user

app = Flask(__name__)
app.secret_key = 'change-me'  # placeholder; required because Flask-Login stores the user ID in the signed session cookie

login_manager = LoginManager()
login_manager.init_app(app)


class User(UserMixin):
    def __init__(self, id):
        self.id = id


@login_manager.user_loader
def load_user(user_id):
    # Rebuilds the user object from the ID stored in the session on each request
    return User(user_id)


@app.route('/login', methods=['POST'])
def login():
    # Verify user credentials
    user = User(id='123')
    login_user(user)
    return 'Logged in'


@app.route('/protected')
@login_required
def protected():
    return f'Hello {current_user.id}'


@app.route('/logout')
def logout():
    logout_user()
    return 'Logged out'
```
Example
This example shows a minimal Flask app implementing authentication with Flask-Login. It includes user login, logout, and a protected page accessible only to logged-in users.
```python
from flask import Flask, request, redirect, url_for
from flask_login import LoginManager, UserMixin, login_user, logout_user, login_required, current_user

app = Flask(__name__)
app.secret_key = 'secret-key'  # signs the session cookie; use a long random value in real apps

login_manager = LoginManager()
login_manager.init_app(app)
login_manager.login_view = 'login'  # where @login_required sends anonymous users

# Simple user store (plain-text password for demonstration only; see Common Pitfalls)
users = {'user1': {'password': 'pass123'}}


class User(UserMixin):
    def __init__(self, username):
        self.id = username


@login_manager.user_loader
def load_user(user_id):
    # Called on every request to rebuild the user from the ID stored in the session
    if user_id in users:
        return User(user_id)
    return None


@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        if username in users and users[username]['password'] == password:
            user = User(username)
            login_user(user)
            return redirect(url_for('protected'))
        return 'Invalid credentials', 401
    return '''
    <form method="post">
        Username: <input type="text" name="username"><br>
        Password: <input type="password" name="password"><br>
        <input type="submit" value="Login">
    </form>
    '''


@app.route('/protected')
@login_required
def protected():
    return f'Hello, {current_user.id}! You are logged in.'


@app.route('/logout')
def logout():
    logout_user()
    return 'You have been logged out.'


if __name__ == '__main__':
    app.run(debug=True)
```
Output

```text
* Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
# When visiting /protected without login, redirects to /login
# After login with correct credentials, /protected shows: Hello, user1! You are logged in.
# Visiting /logout logs out the user and shows confirmation message.
```
Common Pitfalls
- Not setting `app.secret_key` causes session errors.
- Forgetting to implement `user_loader` results in login failures.
- Not protecting routes with `@login_required` allows unauthorized access.
- Storing passwords in plain text is insecure; always hash passwords in real apps.
- Not redirecting unauthorized users to the login page can confuse users.
```python
from flask import Flask
from flask_login import LoginManager, login_required

app = Flask(__name__)
app.secret_key = 'change-me'  # placeholder; required for sessions
login_manager = LoginManager()
login_manager.init_app(app)


# Wrong: no login_required decorator, so anyone can read the response.
# (Given its own path and function name here so both versions can be
# registered in one app; Flask refuses two views with the same endpoint name.)
@app.route('/secret-unprotected')
def secret_unprotected():
    return 'Secret data visible to all!'


# Right: protect the route; anonymous requests are redirected to login_view (or get 401)
@app.route('/secret')
@login_required
def secret():
    return 'Secret data visible only to logged-in users.'
```
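The plain-text password pitfall above, as an added example that is not part of this article: a standard-library replacement for the article's `users` store and for the `users[username]['password'] == password` check in `login()`. The names `hash_password`, `verify_password` and `check_credentials` are assumed for this example.

```python
# Added example (not the article's code): salted PBKDF2-HMAC-SHA256 password
# storage using only the standard library, as a drop-in for the article's
# plain-text ``users`` dictionary.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return a stored record: random salt, digest and iteration count, all hex/int."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed sample store, replacing users = {'user1': {'password': 'pass123'}}.
# The password itself is never kept; only salt + digest are stored.
users = {"user1": hash_password("pass123")}

# Dummy record used so that unknown usernames cost the same as wrong passwords.
_DUMMY = hash_password("dummy-password", salt=bytes(16))


def check_credentials(username, password):
    """The check to call from the article's login() view instead of comparing plain text."""
    record = users.get(username)
    if record is None:
        verify_password(_DUMMY, password)  # burn the same time; result deliberately ignored
        return False
    return verify_password(record, password)
```

Flask ships Werkzeug, whose `werkzeug.security.generate_password_hash` and `check_password_hash` do the same job with less code; the point here is that the store holds salted digests and the comparison is constant-time.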
Quick Reference
| Function/Decorator | Purpose |
|---|---|
| LoginManager.init_app(app) | Initialize Flask-Login with your Flask app |
| @login_manager.user_loader | Load user object from user ID stored in session |
| login_user(user) | Log in a user after verifying credentials |
| logout_user() | Log out the current user |
| @login_required | Protect routes so only logged-in users can access |
| current_user | Access the currently logged-in user object |
Key Takeaways
- Use Flask-Login to manage user sessions and authentication easily.
- Always protect sensitive routes with the @login_required decorator.
- Implement the user_loader callback to load users from session data.
- Set a secret key in your Flask app to enable secure sessions.
- Never store passwords in plain text; use hashing in real applications.