Python for Entrepreneurs Transcripts
Chapter: User accounts and identity
Lecture: Demo: Account class
0:03 It's time to have users in our application.
0:05 So let's start by creating a class over here in data, we have our albums,
0:10 we have our tracks, let's have an account.
0:16 And it's going to be very similar over here, we're going to use these things,
0:20 actually a bunch of this, let me just copy that, don't need the ordering list,
0:25 may not need the ORM, we'll find out in a moment.
0:29 So we're going to create a class, called Account.
0:31 And it's going to derive from SqlAlchemyBase like all the things
0:34 we map to SQLAlchemy and let's go and give it a __tablename__,
0:38 now we need to give it things like an id.
0:48 So here is a very rudimentary user for our database.
0:51 There are a couple of things I want to talk about here as we are going through this.
0:55 First of all, it's really important to have an email for your users,
0:58 you will be super surprised how quickly people forget their logins,
1:03 one of the very first things people do when they go create an account is
1:07 they will create an account, maybe they will mistype the password,
1:10 they will have to come in and reset their password, so email is important.
1:13 Also, you want to be able to put them on your mailing list and so on.
1:17 So email, however, because email is often used as a unique identifier for your account,
1:21 it's important that this is unique and you want to do queries
1:25 by it, like "find me the user with this email when they log in and stuff",
1:28 so you will have an index, so let's add all of those.
1:33 OK so now we have a nice strong email, we will have a created date here,
1:40 let's just make it really easy for the created date to get set,
1:43 so this doesn't get forgotten or incorrectly done,
1:46 so what we're going to do is: As soon as you create one of these accounts
1:50 and insert into the database, we are just going to set the created date to right now.
1:54 So we want to import datetime.datetime, and now, and if you want to just do the days
2:01 you can do today but we're doing now because we might want to know
2:05 like to the second when accounts were created.
2:07 Oh, I almost made a mistake here, be very careful, do not put the parenthesis here,
2:12 you want the function, not the value.
2:15 Now, are you going to do queries and reports based on this created date?
2:19 Like "show me all the users created today", then you want an index,
2:22 I am not planning on that, so that is fine.
2:25 Here we have the emails confirmed, we don't want this to be nullable,
2:29 but we do want to have a default value
2:31 and by default, let's say the email is not confirmed.
2:37 Same thing down here, some users when they log in
2:40 you will want to be able to give them access, namely you,
2:44 and people that work with you, give them access to backend tooling
2:48 and other higher order features, maybe higher permissions,
2:51 so this is an easy way to create a set of super users that can really manage the site
2:57 in a real rich application with many people involved, you probably want group policy
3:01 but we're starting simple, we are going to start here.
3:04 OK, so the last thing to talk about is the id, now it's totally reasonable
3:10 if we put the id as an auto incrementing number,
3:13 but there are a few drawbacks we need to consider in that case.
3:17 So if we go over here, imagine that there is an account page,
3:20 I think there actually is, yay, your account,
3:22 we could view the account of some user
3:25 and it was like this, account/7, yeah, it's not found but imagine it was found;
3:30 if you had that URL, you might wonder what is at account 8
3:35 or account 6, or account 1,
3:37 and you might start poking around the site
3:40 and so one of the things you might consider,
3:43 you don't have to do this, but I do on my sites is make things like this,
3:47 where it would be really easy to guess or enumerate or loop over all of the elements
3:52 in your site if for some reason a bit of security got too lax
3:55 and you didn't verify that that was the same user
3:58 or they were super user or something like this,
4:00 what we can do is we can make this look more like that, and randomly generate it,
4:04 maybe a little more interesting than that but we'll make it a big alphanumeric thing
4:08 that is extremely hard to guess, and is not enumerable, in which case
4:12 one, you don't reveal how many users you have like if you are super excited
4:17 about a new service and you are thinking about buying it for your business
4:20 and you come along and you see oh, I am user 52, maybe this is not a real business,
4:25 I thought this was really popular, right, that should send a wrong message as well,
4:28 so for a couple of reasons like that you might want to make the actual account id
4:31 not just the basic number.
4:34 So, let's do that here.
4:36 So I am going to import uuid, and we're going to let me just show you here,
4:45 so we're going to use uuid4, which comes out like this
4:50 and we would like just basically this text in here to be our user id,
4:55 we could keep the dashes or we could replace them, with that,
5:04 so we can use something like this, here, as the generation of our key,
5:09 so this is not going to be an integer, this is going to be a string and this is of course
5:14 going to be the primary key is True and we want to set the default
5:18 to be basically that generation sequences that I just wrote,
5:23 so we are going to give it a lambda that takes no parameters
5:26 and it's going to return that code right there.
5:28 And of course, we've got to do it like so.
5:32 Alright, so now this should give us a non-discoverable, non-leaking
5:37 how many users you have sort of id for account base here, so that's great.
5:41 Primary key should make it unique and indexed,
5:43 we'll have our email, created account, confirm, super easy.
5:47 I think we're good, we also don't need that.
5:50 For a simple beginner account I am going to declare this thing is ready to go.
5:54 Wait, it's not ready yet, I've realized there is one super important thing, that we need to store,
5:59 so we have our user id, you notice there is not a user name,
6:02 I am just going to use email as the user name,
6:05 but when they log in, having the email is not enough,
6:07 you would probably want to have a password, right, so we could write this,
6:13 do not write that, do not put the password in your database,
6:19 do not put the plain text password in your database,
6:22 we are going to talk about how to deal with this
6:24 but we're going to put a one-way hash
6:27 of the password. Very strong, hard to reverse, in the database.
6:32 OK, now this account class is ready to roll.
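The Account class the lecture builds, written out as an added example (not the course's own code): a random uuid4 hex primary key, callable defaults rather than evaluated values, an indexed unique email, and a salted one-way password hash in place of the plain-text password. The table name, the pbkdf2 parameters and the in-memory SQLite engine are assumptions made for this example.

```python
import datetime
import hashlib
import hmac
import os
import uuid

import sqlalchemy
from sqlalchemy.orm import declarative_base, sessionmaker

SqlAlchemyBase = declarative_base()


class Account(SqlAlchemyBase):
    __tablename__ = 'accounts'  # assumed table name

    # Random, non-enumerable key; a callable, so each inserted row gets a fresh value.
    id = sqlalchemy.Column(sqlalchemy.String, primary_key=True,
                           default=lambda: uuid.uuid4().hex)
    # Email is the login name: unique, and indexed because logins query by it.
    email = sqlalchemy.Column(sqlalchemy.String, index=True, unique=True, nullable=False)
    # The function, not datetime.datetime.now(): evaluated per insert, not at import time.
    created_date = sqlalchemy.Column(sqlalchemy.DateTime, default=datetime.datetime.now)
    email_confirmed = sqlalchemy.Column(sqlalchemy.Boolean, nullable=False, default=False)
    is_super_user = sqlalchemy.Column(sqlalchemy.Boolean, nullable=False, default=False)
    # Only a salted one-way hash is stored, never the plain-text password.
    password_hash = sqlalchemy.Column(sqlalchemy.String, nullable=False)

    def set_password(self, plain_text):
        salt = os.urandom(16)  # per-user salt; 200k PBKDF2 rounds is an assumed setting
        digest = hashlib.pbkdf2_hmac('sha256', plain_text.encode(), salt, 200_000)
        self.password_hash = salt.hex() + '$' + digest.hex()

    def verify_password(self, plain_text):
        salt_hex, digest_hex = self.password_hash.split('$')
        digest = hashlib.pbkdf2_hmac('sha256', plain_text.encode(),
                                     bytes.fromhex(salt_hex), 200_000)
        return hmac.compare_digest(digest.hex(), digest_hex)


def create_accounts(emails, password):
    """Insert one account per email into an in-memory SQLite DB and return them."""
    engine = sqlalchemy.create_engine('sqlite://')
    SqlAlchemyBase.metadata.create_all(engine)
    session = sessionmaker(bind=engine)()
    for email in emails:
        acct = Account(email=email)
        acct.set_password(password)
        session.add(acct)
    session.commit()
    return session.query(Account).order_by(Account.email).all()
```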