- # Flask-Login: Do we really need a Login page?
- ### Let's think about it for a moment...
- A login page is a de facto standard for web applications, no question. But do we really need a **separate**
- login page? After logging in we navigate users somewhere else anyway, right?
- So what we need is merely a login **form**, not a login **page**. A separate login page comes with
- a `next` parameter to keep track of. Without the redirect, we don't need it anymore.
- With the power of today's template engines, we can turn any page into a login form without a separate, dedicated
- login page and without a `next` parameter to take care of. Let's see how we can do that.
- First we move the login logic to **LoginManager.unauthorized_handler**, where we will handle our login process.
- We then ditch the usual mechanism that redirects users to a login page. Instead we replace the target page's content
- with our login form, right on that page.
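- ```python
- from flask import redirect, render_template, request
- from flask_login import login_user
- from werkzeug.security import check_password_hash
- @login_manager.unauthorized_handler
- def unauthorized():
-     if request.method == 'POST':
-         login_id = request.form.get('login_id')
-         password = request.form.get('password', '')
-         user = User.query.filter_by(login_id=login_id).first()
-         # assumes User.password stores a werkzeug password hash, not plaintext
-         if user and check_password_hash(user.password, password):
-             login_user(user)
-             # redirect to target page if authenticated; the Referer header may be absent
-             return redirect(request.referrer or request.url)
-     return render_template('login.html')  # otherwise replace page content with login form
- ```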
- In the code above, `@login_manager.unauthorized_handler` intercepts all unauthorized requests to any `@login_required` decorated endpoint.
- Instead of redirecting to a separate login page, it replaces the target page's content with the login form using `render_template('login.html')`.
- This keeps users on the target page, but with the login form presented instead of the actual page content. Thus there is no `next` parameter to worry
- about, as users are already there.
- Once users submit their credentials and are authenticated, it redirects them back to the same page using `request.referrer`. This preserves
- any URL parameters (if there are any) and also clears the previous POST request, so users can refresh the page without being asked to re-submit form data.
- Finally, to make any page a login page, all we need is to allow **POST** requests to the endpoint and decorate it with `@login_required`.
- ```python
- @app.route('/account', methods=['GET', 'POST'])  # allow POST to every @login_required endpoint
- @login_required
- def account():
-     # do stuff
-     # other stuff
-     return render_template('account.html', **locals())
- ```
- And don't forget to remove the line that says `login_manager.login_view = 'whatever.login'`, as we no longer need it.
- Pretty simple, right? And any page can now be a login page:
- ```html
- {% if current_user.is_anonymous %}
-   <a href="/account">Log in</a>
- {% else %}
-   {# ... #}
- {% endif %}
- ```
- As a bonus, authenticated users will never see a login page as long as they are logged in, unlike a typical, separate login page, which authenticated users can still reach by typing the login endpoint directly into the address bar.
- This should make for a better login experience.
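
The handler above redirects to `request.referrer`, a header that the client supplies and that browsers may omit. As an added example (not part of the original paste), here is one way to choose the post-login target: accept the Referer only when it is same-origin with the request, and otherwise fall back to the request's own URL. The helper names `post_login_target` and `_origin` and the `app.example` URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None.

    Raises ValueError for malformed input such as an out-of-range port.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None  # relative, scheme-relative ("//host") or non-http(s) URL
    port = parts.port if parts.port is not None else _DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def post_login_target(referrer, request_url):
    """Pick the redirect target after a successful login POST.

    The Referer is used only if it is same-origin with the request itself;
    in every other case the request's own URL is returned.
    """
    # Missing header (e.g. Referrer-Policy: no-referrer) or characters that
    # browsers normalise differently from urlsplit: do not guess, fall back.
    if not referrer or any(c in referrer for c in "\\\r\n\t"):
        return request_url
    try:
        ref_origin = _origin(referrer)
        same = ref_origin is not None and ref_origin == _origin(request_url)
    except ValueError:
        return request_url
    return referrer if same else request_url


if __name__ == "__main__":
    page = "https://app.example/account?tab=2"  # constructed sample URL
    for ref in (page, None, "https://evil.example/phish",
                "https://app.example@evil.example/", "//evil.example/x"):
        print(repr(ref), "->", post_login_target(ref, page))
```

In the handler this would be called as `redirect(post_login_target(request.referrer, request.url))`.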