How to Use flask-login for User Authentication in Flask
Use flask-login by initializing a LoginManager in your Flask app, defining a user loader function, and protecting routes with @login_required. It manages user sessions and makes authentication easy with simple setup and user class integration.
Syntax
flask-login requires these main parts:
- LoginManager(): Initializes login management for your app.
- user_loader decorator: Loads a user by ID from your user storage.
- login_user(user): Logs in a user after verifying credentials.
- @login_required: Protects routes so only logged-in users can access them.
- logout_user(): Logs out the current user.
```python
from flask_login import LoginManager, login_user, logout_user, login_required, UserMixin

login_manager = LoginManager()

@login_manager.user_loader
def load_user(user_id):
    # Return user object by ID (User is your application's user class)
    return User.get(user_id)

# Example protected route
@login_required
def protected_route():
    return "Protected content"

# To log in a user:
# login_user(user)

# To log out:
# logout_user()
```
Example
This example shows a minimal Flask app using flask-login to log in a user and protect a route.
```python
from flask import Flask, request, redirect, url_for
from flask_login import LoginManager, UserMixin, login_user, login_required, logout_user, current_user

app = Flask(__name__)
# Demo value only; the session cookie is signed with this key
app.secret_key = 'secret-key'

login_manager = LoginManager()
login_manager.init_app(app)

# Simple user class
class User(UserMixin):
    def __init__(self, id):
        self.id = id

# Fake user database
users = {'user1': User('user1')}

@login_manager.user_loader
def load_user(user_id):
    return users.get(user_id)

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form.get('username')
        # Minimal demo: only checks that the username exists (no password)
        if username in users:
            login_user(users[username])
            return redirect(url_for('protected'))
        return 'Invalid username', 401
    return '''<form method="post">
        <input name="username" placeholder="Username">
        <input type="submit" value="Login">
    </form>'''

@app.route('/protected')
@login_required
def protected():
    return f'Hello, {current_user.id}! You are logged in.'

@app.route('/logout')
@login_required
def logout():
    logout_user()
    return 'Logged out'

if __name__ == '__main__':
    # Debug mode is for local development only
    app.run(debug=True)
```
Output
Running the app and visiting /login allows entering username 'user1'. After login, accessing /protected shows 'Hello, user1! You are logged in.'. Visiting /logout logs out the user.
Common Pitfalls
- Forgetting to set app.secret_key causes session errors.
- Not initializing LoginManager with the app (login_manager.init_app(app)).
- Missing the @login_manager.user_loader function to load users by ID.
- Not protecting routes with @login_required when needed.
- Using a user class without inheriting UserMixin causes missing required properties.
```python
from flask_login import UserMixin

# Wrong: User class missing UserMixin
class User:
    def __init__(self, id):
        self.id = id

# Right: User class inherits UserMixin
class User(UserMixin):
    def __init__(self, id):
        self.id = id
```
Quick Reference
| Function/Decorator | Purpose |
|---|---|
| LoginManager() | Create login manager instance |
| login_manager.init_app(app) | Connect login manager to Flask app |
| @login_manager.user_loader | Load user by ID for session |
| login_user(user) | Log in a user |
| logout_user() | Log out current user |
| @login_required | Protect routes for logged-in users only |
Key Takeaways
Initialize LoginManager and connect it to your Flask app with init_app.
Define a user_loader function to load users by their ID for session management.
Use UserMixin in your user class to provide necessary authentication properties.
Protect routes with @login_required to restrict access to logged-in users.
Always set app.secret_key to enable secure sessions.