Building data-driven web apps with Flask and SQLAlchemy Transcripts
Chapter: User input and HTML forms
Lecture: Creating a user session (cookies)
0:00 Super close to having both login
0:01 and register complete.
0:03 In fact, they're doing everything except for
0:05 remembering the user, logging us into a session.
0:08 So, the way we're going to do that is we're going to set a cookie.
0:10 Now, setting cookies in Flask is quite easy, actually.
0:15 But combining that with a redirect
0:17 and combining that with our little response helper
0:19 makes it a tiny bit trickier.
0:21 So, we're going to see it takes a couple of steps
0:23 to actually set the cookie in the response
0:25 but no big deal.
0:26 However, the other thing we want to do
0:28 is make sure that we can create a cookie
0:30 that cannot be tampered with.
0:32 Like, let's say they login and we say
0:33 well in the cookie, we're setting the user_id to 7.
0:38 What is going to stop them from going and editing that
0:40 and going, well actually the user_id is 92
0:43 or whatever, right?
0:44 We don't want to change that and let them hack it
0:46 so we're going to make these tamper-proof cookies
0:49 which is pretty easy.
0:50 We can just use some hashing and validation
0:52 but it's a little more involved
0:54 than worth actually creating from scratch.
0:56 So I'm just going to create a new file over here.
1:00 cookie_auth.py, like that.
1:02 I'm going to drop some code in here
1:04 so let's go over here and just see what we've got.
1:05 So we've got a function called set_auth
1:07 which takes a Flask response
1:09 and what it's going to do is take a user_id
1:12 and actually hash it up into a bunch of scrambled stuff.
1:16 And then, it's going to actually go over here
1:18 and set the value like 7 or 85
1:21 I guess is my user_id now and I registered.
1:23 But then also, this other scrambled thing
1:26 very much like our password thing we just did
1:29 to say, This is the validation of that.
1:31 So you could theoretically change that
1:33 but you won't know what to change this to
1:36 so the system will still think the integrity is there.
1:40 All right, so we're adding this like super something
1:42 super simple in terms of this hash.
1:43 Change it a little bit, do a quick hash on it
1:46 and throw that back.
1:48 Then what we're going to do is
1:49 we're just going to go and either set the cookie by name, age
1:52 and then we're going to say it's going to time out
1:54 after 30 days. You could make this whatever you want.
1:57 And then what we're going to do is like when they come back
2:00 we'll ask what the user_id is based on inbound cookies
2:03 'cause the browser will roundtrip them.
2:05 So we split that apart.
2:06 We get the user_id and the validation
2:08 and then we just verify that it was not tampered with
2:11 and we do this little convert to integer
2:14 and either we get nothing or we get a nice user_id back.
2:17 So optional event.
2:18 Whoo! All that makes this sound like a lot.
2:22 Using it turns out to be super simple.
2:26 Here we go
2:27 We're going to go down here and use our cookie off. So where it says you need to set a login here
2:30 we're going to say cookie off, set off.
2:34 Now, here's where it gets a little tricker
2:35 because we're doing a redirect and whatnot.
2:39 So, sure we can set it, but we have to provide a response.
2:44 Well, the user_id is just user_id.
2:46 That's simple, but how do we get the response?
2:49 Well, what we want to do is create a response
2:52 that will redirect us over this place, like here.
2:57 Actually, possibly
3:00 we could do it like this.
3:02 Let's see if this is going to work for us.
3:04 Try to put this as much together as possible
3:07 and then down here, also in this one
3:10 I'll do the same thing.
3:13 All right, let's give this a shot and see if it work.
3:16 So, we're going to come over here
3:18 and notice we're not logged in right now.
3:21 I'm going to come in and we're going to try to log in.
3:25 Kind of do a quick test.
3:26 The account doesn't exist.
3:27 Use the right password.
3:29 All right, here we go. Awesome!
3:32 Off it goes. Well, it looked like it logged in
3:34 but did not actually get us the right thing
3:36 did not get us our cookies and so on.
3:39 So we go over here and do a request
3:42 and come back and look at just the HTML
3:48 Look at the cookies, Whoohoo! Look at that!
3:50 There it is.
3:51 85 and then all that scrambled mess on the other side
3:55 that's actually good. That's the validation, right?
3:57 Like, you couldn't figure out what it's supposed to be
3:59 without seeing the code. Okay, super.
4:01 So it looks that's actually working.
4:03 Now, what we need to do is just have our account
4:05 understand that.
4:07 This also makes it super easy to logout.
4:10 So I can come over here and say
4:12 something to this effect here.
4:15 When we log out, what we're going to do is
4:16 we're going to redirect to maybe just home
4:19 and here, we're just going to go to log out.
4:22 And log out simply deletes that cookie from the response.
4:26 So, it sends the message back to the browser like
4:28 Hey, your job is to delete this
4:29 so we'll able to go and log out
4:32 and I think that pretty much does it
4:34 but let's go over here and do a quick test.
4:37 I have user_id, cookie_auth.get_user_id_via_auth_cookiee.
4:48 So it's going to come in and then we can say
4:51 we can check for it
4:52 we can say user equals user service.
4:56 We have find user by email
4:57 but we don't have one for by id, yet.
5:00 Super easy to write, as you will see.
5:03 I'll say, "If user, if not user
5:07 we need to return a flask.abort
5:11 forward to /account/login, right.
5:14 So if you come in and you're not logged in
5:17 for our cookie, then you have to go login.
5:19 Otherwise, we're going to return.
5:21 User is just going to be that user.
5:23 So we can say something like, Hey, welcome so-and-so
5:27 but first this must be written.
5:28 And its super easy.
5:30 Sticks an int and it returns
5:34 and optional of user, as many of these do.
5:38 You know what, it looks a whole lot like that.
5:41 So were going to go and write this bit.
5:44 So instead of email, I need ID, his double equals, user_id.
5:49 That's it. Now we just need to return user
5:52 and we're all good. So right now, one more thing
5:56 let's go ahead and just round this out.
5:57 By having our home page, no do this.
6:00 Just say, Welcome your account.
6:08 Something like that.
6:09 So come over here, refresh it
6:11 look at that, Welcome to your account Micheal.
6:14 If we go and we try to logout
6:15 we don't have that written in terms of the navigation yet
6:18 we'll do that in a moment.
6:20 Now we're logged out, we went home
6:21 now if we try to go back to account
6:23 work before and it says ohh strings not callable
6:25 oh whoops, I didn't mean abort I meant redirect
6:30 to there.
6:34 Here we go, and I didn't mess up the bottom did I?
6:36 Redirect, redirect. No we're good, okay.
6:38 Sorry about that.
6:40 So we come over here and we try to go to our account
6:43 cause we've logged out, were does it take us?
6:45 Straight over to login cause we no longer
6:47 have that cookie once we login again
6:52 takes us over here, we now have the cookie
6:54 Welcome to your account.
6:55 Do a quick logout and we'll be gone again
6:57 and that's the flow. Super Easy.
7:00 Final test, go back to account.
7:03 Nope, there's no account, not yet.
7:05 Got to login. How cool is that.
7:07 So we can create these tapper proof cookies
7:09 and save them to the session
7:11 use them to drive or manage the session, within the browser.