Building Data-Driven Web Apps with Pyramid and SQLAlchemy Transcripts
Chapter: User input and HTML forms
Lecture: Creating a user session (cookies)

Login or purchase this course to watch this video and the rest of the course contents.
0:00 So we've been able to login our user and register users, and we're doing this just in the context more of demonstrating how to interact with forms
0:09 more than how to do proper user management. There's a lot of stuff that we're skippping over password resets, welcome emails, all kinds of things
0:17 that you're really going to have to do, we're not doing. But I do want to have the ability to have users
0:23 in this web app, and one of the important parts is actually, once somebody has logged in or registered knowing okay well, on the next request
0:31 who is that, are they logged in again? Because HTTP in the web it's stateless, right? We have to basically carry a cookie back and forth
0:39 to say here's the logged-in user. A new Python file called cookie_auth. Now, there's a lot of details here that don't matter too much
0:50 so I'm just going to drop them in here and talk you through them and you can take them or create your own mechanism.
0:56 Idea is, we want to create a tamper-proof cookie that can live in the user's browser potentially across sessions you can set it to time out
1:05 after they close the browser if you wanted. This one will live longer and we're going to set this when they log in
1:10 and then on every request, if we need to know if they're logged in and who they are we're going to check it.
1:14 I realized I've put this in the wrong place. I want to make a folder, a new category here, called I may make it a new subpackage.
1:25 And our cookie_auth is going to go there. And I also want to have one other function called try_int 'cause periodically we have to parse ints
1:39 and it can be really annoying to have to do a try except. So we'll have text to the str it's going to return an optional int.
1:51 So here we'll just bundle this try except up and do it all here, so we'll return int with text and that didn't work, we're going to return None.
2:01 There's your optional, great so we're going to use this in our little cookie_auth thing. Alright, now it looks like we have everything in place.
2:11 We're just going to have two functions, set_auth give it a request and a user ID and it's going to do some hashing and then create this, store the ID
2:20 as well as somewhat tamper proof sort of check that this ID can't be just changed or played with
2:27 then we're going to say before you send the response back call this function add_cookie, okay?
2:33 The hashtext is just going to do a little salty hashy stuff again with sha512 and then we're going to be able to ask give me the user from the cookie
2:41 and then it'll just look in the request cookie pull it apart, make sure some stuff is okay and then get the user ID back
2:50 assuming that it hasn't been tampered with. Great, so that's all there is to this and let's go and use it here.
2:56 So down here we say login user, let's do it. We'll say cookie_auth, import that. We'll say set_auth, and what does it expect
3:05 it expects the request, and that seems easy. Same thing for when we log in down here. Good, now how do we know it's working?
3:16 Well, there's a couple things we can do but let's go up here to this index one and we're going to say user ID.
3:24 Instead of setting auth, we're going to say get got to pass in our request here like so but we got to name it.
3:31 Remember, we unnamed it, so it didn't complain? Now we name it again apparently so we'll say if not user ID, let's just do this.
3:38 Let's say user equals user service and how about find_user_by_id? Again, this should be super easy to write. That's an int
3:55 an optional user, and it looks really a lot like that. So let's go down here and just borrow that. Done, isn't SQLAlchemy a thing of beauty?
4:10 Alright, so we come out here and get our user and we'll say if not user, we're going to do a redirect. Over to account login, otherwise
4:25 we're just going to say maybe we'll set the user and pass it over so we can set the name. If we need to do something interesting
4:32 let's go to our index and just say welcome to your account, Let's see if that all holds together. Right now, we're not sending the cookie.
4:47 We could try to go and do a count. And it says no result was found. Ah, you know what I want? I don't want one for that one, I want first.
4:56 One is, it's going to be an error if it's not there. I think I used it before, maybe it was in a place. First, I also want that to not crash.
5:06 Sometimes you do want it to crash. You're certain you're asking for something and it's not there, but this time I don't.
5:12 So notice I try to go to account. No, no, you're not logged in. Let's try logging you in. Okay, let's log me in. Oh, how about that?
5:23 We'll click around, click over and register and then if we go back, account, Tada! Very last thing up here, we have these showing
5:34 it should say maybe go to your account and log out instead of register and log in. We'll fix that next.

Talk Python's Mastodon Michael Kennedy's Mastodon