Can someone clarify what's going on between these three extensions?
As I understand it, Flask-Security builds upon Flask-Login by integrating other extensions like passlib, itdangerous, flask-wtf, flask-principal, etc. So Flask-Security trumps Flask-Login in this instance.
Then we have Flask-User, looking at it's github, it also has Flask-Login as a dependency. So this also builds upon Flask-Login.
However, Flask-User had it's last commit 20 days ago, and Flask-Security had it's last commit in October of 2018 and the build is failing. No data for Flask-User status.
The consensus seems to veer towards flask-security. But I'm veering towards Flask-User with the little understanding of the real world differences. I'll be creating all my database records with uuid's as the ID's. What would you guys choose and what are the pros and cons of them? Are there any real alternatives?
I think Flask-Security is deprecated right now. I never used Flask-User on a project. Flask-Login was always my choice for handling sessions/users. You can make your own session handler. I recommend using JWT for authentication & authorization.
I'd roll with Flask-Login (I've used it on many projects with great success and I would use it today on a new project).
It's pretty low level and really only controls the gory bits of ensuring a session is created and potentially persisted with cookies. Then on top of that it gives you access to the idea of having a current_user which is the logged in user and some decorators to ensure a user is logged in.
With Flask-Login you have free reign on how to design the flow and UI of your user registration / authentication system because all it does is handle authentication. Flask-Login also makes it really easy to pick a way that users would get authentication too (such as looking up a user in your database).
If you're worried about commit dates and projects dying, Flask-Login is your best because it's so focused on 1 thing. If you ever wanted to replace that, you could step in and drop in a replacement without having to change much of your code at all.
python - Flask user-roles, authorization, login and security, or principal? - Stack Overflow
python - Flask-Login vs Flask-Security for Production Environment - Stack Overflow
python - Flask user authentication - Stack Overflow
python - flask-login: can't understand how it works - Stack Overflow
Videos
Flask-Security is now deprecated, so I wouldn't recommend using it in production. There is a fork of it called Flask Security Too but it doesn't seem very widely followed.
To be honest even when it was maintained it wasn't my favourite as I think it tried to do too much.
Flask-Login on the other hand is a solid library. It is very "flasky" in the sense that it is low level and deals with the really annoying stuff (creating a session, persisting it with cookies, delivering a current_user, putting certain routes behind a login_required decorator) and then letting you design your own flow and pull in the libraries you want.
For instance if you want social login or OAuth token storage then Flask-Dance, which integrates nicely with Flask-Login and is actively maintained, smashes Flask-Social which integrates with Flask-Security.
There is also Flask-User, which gets good reviews but last commit was in 2019, which is a little scary.
Flask-Security-Too, while it can be complex if you try to use all of its features, proves to actually be pretty easy to set up production-ready applications. It is actively maintained. I have a few working projects in production using this library (v4.x.x). Not too long ago, there has been a v5.x.x release as well.
You should definitely check that out.
- Flask-Security-Too: https://flask-security-too.readthedocs.io/
- My Example Application: https://github.com/hrishikeshrt/flask-bootstrap-anywhere
I would suggest using the flask-login extension, it makes session management really easy to add to your flask application, and provides a nice documentation which covers in details every aspect of the extension.
I don't think that flask has any authentication built-in, only support for tracking sessions.
Here are some snippets for basic HTTP authentication and authentication with some third-party providers. Otherwise you will need to roll your own or use a framework that has this baked in (like Django)
Here is a discussion thread on this topic with a useful link
Flask-login doesn't actually have a user backend, it just handles the session machinery to help you login and logout users. You have to tell it (by decorating methods), what represents a user and it is also up to you to figure out how to know if a user is "active" or not (since being "active" can mean different things in different applications).
You should read the documentation and be sure what it does and does not do. Here I am only going to concentrate on wiring it up with the db backend.
To start off with, define a user object; which represents properties for your users. This object can then query databases, or LDAP, or whatever and it is the hook that connects the login mechanism with your database backend.
I will be using the login example script for this purpose.
class User(UserMixin):
def __init__(self, name, id, active=True):
self.name = name
self.id = id
self.active = active
def is_active(self):
# Here you should write whatever the code is
# that checks the database if your user is active
return self.active
def is_anonymous(self):
return False
def is_authenticated(self):
return True
Once you have the user object created, you need to write a method that loads the user (basically, creates an instance of the User class from above). This method is called with the user id.
@login_manager.user_loader
def load_user(id):
# 1. Fetch against the database a user by `id`
# 2. Create a new object of `User` class and return it.
u = DBUsers.query.get(id)
return User(u.name,u.id,u.active)
Once you have these steps, your login method does this:
Checks to see if the username and password match (against your database) - you need to write this code yourself.
If authentication was successful you should pass an instance of the user to
login_user()
Flask-login will try and load a user BEFORE every request. So yes, your example code below will be called before every request. It is used to check what userid is in the current session and will load the user object for that id.
@login_manager.user_loader
def load_user(userid):
#print 'this is executed',userid
return user(userid, 'asdf')
If you look at the Flask-login source code on github, there is a line under function init_app which goes:
app.before_request(self._load_user)
So before every request, the _load_user function is called. The _load_user functions actually calls another function "reload_user()" based on conditions. And finally, reload_user() function calls your callback function that you wrote (load_user() in your example).
Also, flask-login only provides the mechanism to login/logout a user. It does not care if you are using mysql database.
Does Flask-Login and Flask-User work hand-in-hand? Or is one an alternative to the other?
From reading the docs, it looks like Flask Login handles authentication while Flask user handles a list of other things: registration, email confirmation, changing usernames and passwords, and forgotten passwords.
is there any overlap in their responsibilities? Or do they work together to create 'the complete authentication and user' system?