Python for Entrepreneurs Transcripts
Chapter: User accounts and identity
Lecture: Demo: Account class

0:03 It's time to have users in our application. So let's start by creating a class over here in data, we have our albums,
0:11 we have our tracks, let's have an account. And it's going to be very similar over here, we're going to use these things,
0:21 actually a bunch of this, let me just copy that, don't need the ordering list, may not need the ORM, we'll find out in a moment.
0:30 So we're going to create a class, called Account. And it's going to derive from SqlAlchemyBase like all the things
0:35 we map to SQLAlchemy and let's go and give it a __tablename__, now we need to give it things like an id.
0:49 So here is a very rudimentary user for our database. There is a couple of things I want to talk about here as we are going through this.
0:56 First of all, it's really important to have an email for your users, you will be super surprised how quickly people forget their logins,
1:04 one of the very first things people do when they go create an account is they will create an account, maybe they will mistype the password,
1:11 they will have to come in and reset their password, so email is important. Also, you want to be able to put them on your mailing list and so on.
1:18 So email, however, because email is often used as a unique identifier for your account, it's important that this is unique and you want to do queries
1:26 by it, like "find me the user with this email when they log in and stuff", so you will have an index, so let's add all of those.
1:34 OK so now we have a nice strong email, we will have a created date here, let's just make it really easy for the created date to get set,
1:44 so this doesn't get forgotten or incorrectly done, so what we're going to do is: As soon as you create one of these accounts
1:51 and insert into the database, we are just going to set the created date to right now.
1:55 So we want to import datetime.datetime, and now, and if you want to just do the days you can do today but we're doing now because we might want to know
2:06 like to the second when accounts were created. Oh, I almost made a mistake here, be very careful, do not put the parentheses here,
2:13 you want the function, not the value. Now, are you going to do queries and reports based on this created date?
2:20 Like "show me all the users created today", then you want an index, I am not planning on that, so that is fine.
2:26 Here we have the emails confirmed, we don't want this to be nullable, but we do want to have a default value
2:32 and by default, let's say the email is not confirmed. Same thing down here, some users when they log in
2:41 you will want to be able to give them access, namely you, and people that work with you, give them access to backend tooling
2:49 and other higher order features, maybe higher permissions, so this is an easy way to create a set of super users that can really manage the site
2:58 in a real rich application with many people involved, you probably want group policy but we're starting simple, we are going to start here.
3:05 OK, so the last thing to talk about is the id, now it's totally reasonable if we put the id as an auto incrementing number,
3:14 but there are few drawbacks we need to consider in that case. So if we go over here, imagine that there is an account page,
3:21 I think there actually is, yeey, your account, we could view the account of some user
3:26 and it was like this, account/7, yeah, it's not found but imagine it was found; if you had that URL, you might wonder what is at account 8
3:36 or account 6, or account 1, and you might start poking around the site and so one of the things you might consider,
3:44 you don't have to do this, but I do on my sites is make things like this,
3:48 where it would be really easy to guess or enumerate or loop over all of the elements in your site if for some reason a bit of security got too lax
3:56 and you didn't verify that that was the same user or they were super user or something like this,
4:01 what we can do is we can make this look more like that, and randomly generate it,
4:05 maybe a little more interesting than that but we'll make it a big alpha numeric thing
4:09 that is extremely hard to guess, and is not enumerable, in which case one, you don't reveal how many users you have like if you are super excited
4:18 about a new service and you are thinking about buying it for your business
4:21 and you come along and you see oh, I am user 52, maybe this is not a real business,
4:26 I thought this was really popular, right, that should send a wrong message as well,
4:29 so for a couple of reasons like that you might want to make the actual account id not just the basic number. So, let's do that here.
4:37 So I am going to import uuid, and we're going to let me just show you here, so we're going to use uuid4, which comes out like this
4:51 and we would like just basically this text in here to be our user id, we could keep the dashes or we could replace them, with that,
5:05 so we can use something like this, here, as the generation of our key,
5:10 so this is not going to be an integer, this is going to be a string and this is of course
5:15 going to be the primary key is True and we want to set the default to be basically that generation sequences that I just wrote,
5:24 so we are going to give it a lambda that takes no parameters and it's going to return that code right there. And of course, we've got to do it like so.
5:33 Alright, so now this should give us a non-discoverable, non-leaking how many users you have sort of id for account base here, so that's great.
5:42 Primary key should make it unique and indexed, we'll have our email, created account, confirm, super easy. I think we're good, we also don't need that.
5:51 For a simple beginner account I am going to declare this thing is ready to go.
5:55 Wait, it's not ready yet, I've realized there is one super important thing, that we need to store,
6:00 so we have our user id, you notice there is not a user name, I am just going to use email as the user name,
6:06 but when they log in, having the email is not enough, you would probably want to have a password, right, so we could write this,
6:14 do not write that, do not put the password in your database, do not put the plain text password in your database,
6:23 we are going to talk about how to deal with this but we're going to put a one-way hash of the password. Very strong, hard to reverse, in the database.
6:33 OK, now this account class is ready to roll.

