Merge pull request #58 from tecladocode/master

Release lecture 5 on section 13, the @login_required decorator

Author: jslvtr

curriculum/section13/lectures/05_login_required_decorator/README.md

@@ -0,0 +1,71 @@
+---
+title: Making a 'login required' decorator
+slug: flask-login-required-decorator
+tags:
+    - Written
+    - How to
+categories:
+    - Video
+section_number: 13
+excerpt: "Make a decorator for Flask endpoints that redirects to the login page if the user isn't logged in."
+draft: true
+---
+
+# Making a 'login required' decorator
+
+Earlier this section we wrote a simple check in our `/protected` endpoint which acted as a gate for logged-out users.
+
+If the user is not logged in, they are redirected to the login page. Otherwise, the rest of the route runs as normal.
+
+This is such a common thing to do, that it's likely almost all your endpoints will have a check like that one:
+
+```py
+@app.get("/protected")
+def protected():
+    if not session.get("email"):
+        abort(401)
+    return render_template("protected.html")
+```
+
+## Writing the decorator
+
+A decorator in Python is a function that acts on another function, extending it by running some code either before or after it.
+
+I'd recommend learning about decorators in depth[^decorators_series_teclado] before continuing!
+
+Here's what our decorator looks like:
+
+```py
+def login_required(route):
+    @functools.wraps(route)
+    def route_wrapper(*args, **kwargs):
+        if session.get("email") is None:
+            return redirect(url_for("login"))
+
+        return route(*args, **kwargs)
+
+    return route_wrapper
+```
+
+And this is how we use it:
+
+```diff
+ @app.get("/protected")
++@login_required
+ def protected():
+     return render_template("protected.html")
+```
+
+With that, the `protected` function is _replaced by_ the `route_wrapper` function (although it keeps its name and docstring, if any):
+
+```py
+def route_wrapper(*args, **kwargs):
+    if session.get("email") is None:
+        return redirect(url_for("login"))
+
+    return route(*args, **kwargs)
+```
+
+Note that `route(*args, **kwargs)` is calling what was previously the `protected` function. What we've done is extracted the log in check so that any of our endpoints can be decorated with `@login_required` so the check runs before anything else does in the endpoint.
+
+[^decorators_series_teclado]: [How to write decorators in Python (The Teclado Blog)](https://blog.teclado.com/decorators-in-python/)

curriculum/section13/lectures/05_login_required_decorator/end/.flaskenv

@@ -0,0 +1,2 @@
+FLASK_APP=app
+FLASK_ENV=development

curriculum/section13/lectures/05_login_required_decorator/end/app/__init__.py

@@ -0,0 +1,76 @@
+import os
+import functools
+from flask import (
+    Flask,
+    session,
+    render_template,
+    request,
+    abort,
+    flash,
+    redirect,
+    url_for,
+)
+from passlib.hash import pbkdf2_sha256
+
+app = Flask(__name__)
+# Secret key generated with secrets.token_urlsafe()
+app.secret_key = "lkaQT-kAb6aIvqWETVcCQ28F-j-rP_PSEaCDdTynkXA"
+
+users = {}
+
+
+def login_required(route):
+    @functools.wraps(route)
+    def route_wrapper(*args, **kwargs):
+        if session.get("email") is None:
+            return redirect(url_for("login"))
+
+        return route(*args, **kwargs)
+
+    return route_wrapper
+
+
+@app.get("/")
+def home():
+    return render_template("home.html", email=session.get("email"))
+
+
+@app.get("/protected")
+@login_required
+def protected():
+    return render_template("protected.html")
+
+
+@app.route("/login", methods=["GET", "POST"])
+def login():
+    if request.method == "POST":
+        email = request.form.get("email")
+        password = request.form.get("password")
+
+        if pbkdf2_sha256.verify(password, users.get(email)):
+            session["email"] = email
+            return redirect(url_for("protected"))
+        else:
+            abort(401)
+    return render_template("login.html")
+
+
+@app.route("/signup", methods=["GET", "POST"])
+def signup():
+    if request.method == "POST":
+        email = request.form.get("email")
+        password = request.form.get("password")
+
+        users[email] = pbkdf2_sha256.hash(password)
+        # session["email"] = email
+        # - Setting the session here would be okay if you
+        # - want users to be logged in immediately after
+        # - signing up.
+        flash("Successfully signed up.")
+        return redirect(url_for("login"))
+    return render_template("signup.html")
+
+
+@app.errorhandler(401)
+def auth_error():
+    return "Not authorized"

curriculum/section13/lectures/05_login_required_decorator/end/app/templates/base.html

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Authentication example</title>
+</head>
+<body>
+  {% for message in get_flashed_messages() %}
+    <div class="alert">
+      <p>{{ message }}</p>
+    </div>
+  {% endfor %}
+  {% block content %}
+  {% endblock %}
+</body>
+</html>

curriculum/section13/lectures/05_login_required_decorator/end/app/templates/home.html

@@ -0,0 +1,5 @@
+{% extends "base.html" %} {% block content %} {% if email %}
+<h1>Hello, {{ email }}</h1>
+{% else %}
+<h1>Hello. <a href="{{ url_for('login') }}">Log in</a>?</h1>
+{% endif %} {% endblock %}

curriculum/section13/lectures/05_login_required_decorator/end/app/templates/login.html

@@ -0,0 +1,14 @@
+{% extends "base.html" %} {% block content %}
+<form method="POST">
+  <label>
+    E-mail
+    <input type="email" name="email" />
+  </label>
+  <label>
+    Password
+    <input type="password" name="password" />
+  </label>
+  <input type="submit" value="Log in" />
+</form>
+<p><a href="{{ url_for('signup') }}">Sign up</a> instead</p>
+{% endblock %}

curriculum/section13/lectures/05_login_required_decorator/end/app/templates/protected.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Protected endpoint</title>
+</head>
+<body>
+    <h1>You are logged in!</h1>
+    <p>Since you're seeing this page, you logged in successfully.</p>
+</body>
+</html>

curriculum/section13/lectures/05_login_required_decorator/end/app/templates/signup.html

@@ -0,0 +1,14 @@
+{% extends "base.html" %} {% block content %}
+<form method="POST">
+  <label>
+    E-mail
+    <input type="email" name="email" />
+  </label>
+  <label>
+    Password
+    <input type="password" name="password" />
+  </label>
+  <input type="submit" value="Sign up" />
+</form>
+<p><a href="{{ url_for('login') }}">Log in</a> instead</p>
+{% endblock %}

curriculum/section13/lectures/05_login_required_decorator/end/requirements.txt

@@ -0,0 +1,2 @@
+flask
+python-dotenv

curriculum/section13/lectures/05_login_required_decorator/start/.flaskenv

@@ -0,0 +1,2 @@
+FLASK_APP=app
+FLASK_ENV=development