52.md

# 使用 Flask 登录验证

> 原文： [https://pythonspot.com/login-authentication-with-flask/](https://pythonspot.com/login-authentication-with-flask/)

![flask-logo](img/18374e2fa266165025a38238c3cdc35f.jpg)

The Flask Logo

在本教程中，您将学习如何使用 [Flask](https://pythonspot.com/en/python-flask-tutorials/) 和 Python 构建登录 Web 应用程序。

### 建立一个 Flask 登录屏幕

Create this Python file and save it as app.py:

```py
from flask import Flask
from flask import Flask, flash, redirect, render_template, request, session, abort
import os

app = Flask(__name__)

@app.route('/')
def home():
if not session.get('logged_in'):
return render_template('login.html')
else:
return "Hello Boss!"

@app.route('/login', methods=['POST'])
def do_admin_login():
if request.form['password'] == 'password' and request.form['username'] == 'admin':
session['logged_in'] = True
else:
flash('wrong password!')
return home()

if __name__ == "__main__":
app.secret_key = os.urandom(12)
app.run(debug=True,host='0.0.0.0', port=4000)

```

在此处创建了两条路由（您可以在浏览器 URL 栏中看到的路径）：

```py
@app.route('/')
@app.route('/login', methods=['POST'])

```

第一个显示基于登录条件的登录屏幕或主屏幕。第二个路由在登录时验证登录变量。

我们创建目录/ templates /。 使用以下代码创建文件/templates/login.html：

```py
&#123;% block body %&#125;
&#123;% if session['logged_in'] %&#125;

You're logged in already!

&#123;% else %&#125;
<form action="/login" method="POST">
  <input type="username" name="username" placeholder="Username">
<input type="password" name="password" placeholder="Password">
<input type="submit" value="Log in">
</form>
&#123;% endif %&#125;
&#123;% endblock %&#125;
&#123;% endraw %&#125;

```

使用以下命令运行 Web 应用程序：

```py
$ python hello.py

```

在您的网络浏览器中打开 [http：// localhost：4000 /](http://localhost:5000/) ，然后会出现登录屏幕。 登录凭据显示在 _do_admin_login（）_ 函数中。

<caption id=”attachment_49” align=”alignnone” width=”620”]![Pythonspot.com Login Screen Python](img/00af7aae4e992d7feccf73ba2c75cb8f.jpg)

Pythonspot.com Login Screen Python

### 使它看起来很棒

While functional, the login screen looks like an early 90s User Interface (UI). We picked a random login template from [codepen.io](https://codepen.io). We create the directory /static/ with the file style.css.

```py
* {
box-sizing: border-box;
}

*:focus {
outline: none;
}
body {
font-family: Arial;
background-color: #3498DB;
padding: 50px;
}
.login {
margin: 20px auto;
width: 300px;
}
.login-screen {
background-color: #FFF;
padding: 20px;
border-radius: 5px
}

.app-title {
text-align: center;
color: #777;
}

.login-form {
text-align: center;
}
.control-group {
margin-bottom: 10px;
}

input {
text-align: center;
background-color: #ECF0F1;
border: 2px solid transparent;
border-radius: 3px;
font-size: 16px;
font-weight: 200;
padding: 10px 0;
width: 250px;
transition: border .5s;
}

input:focus {
border: 2px solid #3498DB;
box-shadow: none;
}

.btn {
border: 2px solid transparent;
background: #3498DB;
color: #ffffff;
font-size: 16px;
line-height: 25px;
padding: 10px 0;
text-decoration: none;
text-shadow: none;
border-radius: 3px;
box-shadow: none;
transition: 0.25s;
display: block;
width: 250px;
margin: 0 auto;
}

.btn:hover {
background-color: #2980B9;
}

.login-link {
font-size: 12px;
color: #444;
display: block;
margin-top: 12px;
}

```

Modify the login.html template as:

```py
 	 	 	<link rel="stylesheet" href="/static/style.css" type="text/css">
&#123;% block body %&#125;

<form action="/login" method="POST">
<div class="login">
<div class="login-screen">
<div class="app-title">
<h1>Login</h1>
</div>
<div class="login-form">
<div class="control-group">
				<input type="text" class="login-field" value="" placeholder="username" name="username">
<label class="login-field-icon fui-user" for="login-name"></label></div>
<div class="control-group">
				<input type="password" class="login-field" value="" placeholder="password" name="password">
<label class="login-field-icon fui-lock" for="login-pass"></label></div>
<input type="submit" value="Log in" class="btn btn-primary btn-large btn-block">

</div>
</div>
</div>
</form>
&#123;% endblock %&#125;

```

Once you restart the application this screen should appear:

<caption id=”attachment_267” align=”alignnone” width=”823”]![Python login screen Flask](img/fb0c1e80aa99b4e5cdf8e4159b31d784.jpg)

Python login screen [**Flask**](https://pythonspot.com/en/python-flask-tutorials/)

很棒，不是吗？ :-)

### 那么注销呢？

As you may have seen, there is no logout button or functionality. Creating that is very easy. The solution proposed below is only one of the many solutions. We create a new route /logout which directs to the function logout(). This function clears the session variable and returns to the login screen.

```py
@app.route("/logout")
def logout():
session['logged_in'] = False
return home()

```

完整代码：

```py
from flask import Flask
from flask import Flask, flash, redirect, render_template, request, session, abort
import os

app = Flask(__name__)

@app.route('/')
def home():
if not session.get('logged_in'):
return render_template('login.html')
else:
return "Hello Boss!  <a href="/logout">Logout</a>"

@app.route('/login', methods=['POST'])
def do_admin_login():
if request.form['password'] == 'password' and request.form['username'] == 'admin':
session['logged_in'] = True
else:
flash('wrong password!')
return home()

@app.route("/logout")
def logout():
session['logged_in'] = False
return home()

if __name__ == "__main__":
app.secret_key = os.urandom(12)
app.run(debug=True,host='0.0.0.0', port=4000)

```

### 连接数据库

If you want a multi-user login system, you should add a database layer to the application. Flask does not have out of the box database support. You have to use a third party library if you want database support. In this tutorial we will use SqlAlchemy. If you do not have that installed type:

```py
$ sudo pip install Flask-SqlAlchemy

```

SQLAlchemy 是用于 Python 编程语言的 SQL 工具箱和对象关系映射器（ORM）。 它支持 MySQL，Microsoft SQL Server 和许多其他关系数据库管理系统。 如果您不熟悉所有这些术语，请继续阅读。

创建文件 _**tabledef.py：**_

```py
from sqlalchemy import *
from sqlalchemy import create_engine, ForeignKey
from sqlalchemy import Column, Date, Integer, String
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import relationship, backref

engine = create_engine('sqlite:///tutorial.db', echo=True)
Base = declarative_base()

########################################################################
class User(Base):
""""""
__tablename__ = "users"

id = Column(Integer, primary_key=True)
username = Column(String)
password = Column(String)

#----------------------------------------------------------------------
def __init__(self, username, password):
""""""
self.username = username
self.password = password

# create tables
Base.metadata.create_all(engine)

```

使用以下命令执行：

```py
python tabledef.py

```

该文件将创建数据库结构。 在目录内，您将找到一个名为 _tutorial.db 的文件。_ 创建一个名为 **dummy.py** 的文件，其中将包含以下代码：

```py
import datetime
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker
from tabledef import *

engine = create_engine('sqlite:///tutorial.db', echo=True)

# create a Session
Session = sessionmaker(bind=engine)
session = Session()

user = User("admin","password")
session.add(user)

user = User("python","python")
session.add(user)

user = User("jumpiness","python")
session.add(user)

# commit the record the database
session.commit()

session.commit()

```

执行：

```py
$ python dummy.py

```

这会将伪数据放入数据库中。 最后，我们更新 **app.py**

## 使用 SqlAlchemy 验证登录凭据

下一步是编写验证数据库中存在的用户和密码的功能。 使用 SqlAlchemy 我们可以做到这一点（虚拟/伪代码）：

```py
@app.route('/test')
def test():

POST_USERNAME = "python"
POST_PASSWORD = "python"

Session = sessionmaker(bind=engine)
s = Session()
query = s.query(User).filter(User.username.in_([POST_USERNAME]), User.password.in_([POST_PASSWORD]) )
result = query.first()
if result:
return "Object found"
else:
return "Object not found " + POST_USERNAME + " " + POST_PASSWORD

```

我们使用 SqlAlchemys Oject 关系映射（ORM）。 我们将对象映射到关系数据库表，反之亦然。 定义（用户）在 tabledef.py 中给出。 s.query 函数是构建查询的地方。 我们有两个条件：用户名和密码必须匹配。 如果对象存在，query.first（）返回 true，否则返回 false。 这给出了以下总代码：

```py
from flask import Flask
from flask import Flask, flash, redirect, render_template, request, session, abort
import os
from sqlalchemy.orm import sessionmaker
from tabledef import *
engine = create_engine('sqlite:///tutorial.db', echo=True)

app = Flask(__name__)

@app.route('/')
def home():
if not session.get('logged_in'):
return render_template('login.html')
else:
return "Hello Boss!  <a href="/logout">Logout</a>"

@app.route('/login', methods=['POST'])
def do_admin_login():

POST_USERNAME = str(request.form['username'])
POST_PASSWORD = str(request.form['password'])

Session = sessionmaker(bind=engine)
s = Session()
query = s.query(User).filter(User.username.in_([POST_USERNAME]), User.password.in_([POST_PASSWORD]) )
result = query.first()
if result:
session['logged_in'] = True
else:
flash('wrong password!')
return home()

@app.route("/logout")
def logout():
session['logged_in'] = False
return home()

if __name__ == "__main__":
app.secret_key = os.urandom(12)
app.run(debug=True,host='0.0.0.0', port=4000)

```

现在，您可以使用数据库表中定义的任何用户登录。

### 那么安全性呢？

We have demonstrated a simple login app above. However, it is your job to properly secure it. There are many guys out there that are going to try to break into your app.

[下载烧瓶示例](https://pythonspot.com/en/download-flask-examples/)

_ 最佳做法：_

*   [散列数据库密码](https://en.wikipedia.org/wiki/Hash_function)。 不要将它们存储为纯文本格式。

*   使用 [HTTPS](https://en.wikipedia.org/wiki/HTTPS) 来保护连接。

*   记录失败的登录尝试。

*   使用验证码可以防止暴力破解登录。

*   其他？ 在评论中写下它们。