使用werkzeug 实现密码散列
from werkzeug.security import generate_password_hash,check_password_hash class User(db.Model):
__tablename__ = 'users'
id = db.Column(db.Integer, primary_key=True)
username = db.Column(db.String(64), unique=True,index=True)
role_id=db.Column(db.Integer,db.ForeignKey('roles.id'))
password_hash=db.Column(db.String(128))
@property
def password(self):
raise AttributeError('密码不是一个可读属性') #只写属性
@password.setter
def password(self,password):
self.password_hash = generate_password_hash(password) def verify_password(self,password):
return check_password_hash(self.password_hash,password) def __repr__(self):
return '<User %r>' % self.username
密码散列化测试tests/test_url_model.py
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import unittest
from app.models import User
class UserModelTestCase(unittest.TestCase):
def test_password_setter(self):
u = User(password='cat')
self.assertTrue(u.password_hash is not None)
def test_no_password_getter(self):
u = User(password='cat')
with self.assertRaises(AttributeError):
u.password
def test_password_verification(self):
u = User(password='cat')
self.assertTrue(u.verify_password('cat'))
self.assertFalse(u.verify_password('dog'))
def test_password_salts_are_random(self):
u =User(password='cat')
u2=User(password='cat')
self.assertTrue(u.password_hash != u2.password_hash)
创建用户认证蓝本
app/auth/__init__.py
#!/usr/bin/env python
# -*- coding:utf-8 -*-
from flask import Blueprint
auth = Blueprint('auth',__name__)
from . import views
app/auth/views.py 蓝本路由和视图函数
#!/usr/bin/env python
# -*- coding:utf-8 -*-
from flask import render_template
from . import auth @auth.route('/login')
def login():
return render_template('auth/login.html')
app/__init__.py 注册蓝本
from .auth import auth as auth_blueprint
app.register_blueprint(auth_blueprint,url_prefix='/auth')
安装flask-login插件
pip install flask-login
修改User模型,支持用户登陆 app/models.py
from flask_login import UserMixin class User(UserMixin,db.Model):
__tablename__ = 'users'
id = db.Column(db.Integer, primary_key=True)
email=db.Column(db.String(64),unique=True,index=True)
username = db.Column(db.String(64), unique=True,index=True)
role_id=db.Column(db.Integer,db.ForeignKey('roles.id'))
password_hash=db.Column(db.String(128))
app/__init__.py 初始化Flask_Login
from flask_login import LoginManager
#初始化Flask-Login
login_manager=LoginManager()
login_manager.session_protection='strong' # 记录客户端ip,用户代理信息,发现异动,登出用户,可以设置不同等级None,'basic','strong'
login_manager.login_view='auth.login' # 设置登录页面端点,蓝本的名字也要加到前面 def create_app(config_name):
#....
login_manager.init_app(app) #初始化登陆
#....
app/models.py 加载用户的回掉函数
from . import login_manager # 加载用户的回调函数
@login_manager.user_loader
def load_user(user_id):
return User.query.get(int(user_id))
# 加载用户回掉函数,接收以Unicode字符串表示的用户标识符,如果能找到这个用户必须返回用户对象,否则返回None
保护路由
为了只让认证的用户访问,未认证的用户会拦截请求,发往登陆页面
#保护路由
@app.route('/secret')
@login_required
def secret():
return '只有认证后的用户才能登陆'
添加登陆表单
app/auth/forms.py
from flask_wtf import FlaskForm
from wtforms import StringField,PasswordField,BooleanField,SubmitField
from wtforms.validators import DataRequired,Length,Email class LoginForm(FlaskForm):
email=StringField('邮箱',validators=[DataRequired(),Length(1,64),Email()])
password=PasswordField('密码',validators=[DataRequired()])
remember_me=BooleanField('保持登陆')
submit = SubmitField('登陆')
auth/login.html 用wtf.quick_form()渲染表单
{% extends 'base.html' %}
{% import'bootstrap/wtf.html' as wtf %}
{% block title %}Flask-登陆{% endblock %}
{% block page_content %}
<div class="page-header">
<h1>登陆</h1>
</div>
<div class="col-md-4">
{{ wtf.quick_form(form) }}
</div>
{% endblock %}
base.html # current_user.is_authenticated 如果是匿名用户登陆is_authenticated返回False,这个方法可以判断当前用户是否登陆
<ul class="nav navbar-nav navbar-right">
{% if current_user.is_authenticated %}
<li><a href="{{ url_for('auth.logout') }}">退出登陆</a></li>
{% else %}
<li><a href="{{ url_for('auth.login') }}">立即登陆</a></li>
{% endif %}
</ul>
登入用户
app/auth/views.py #登陆路由
from flask import render_template,redirect,request,url_for,flash
from flask_login import login_user,login_required,logout_user,current_user
from . import auth
from ..models import User
from .forms import LoginForm @auth.route('/login',methods=['get','post'])
def login():
form = LoginForm()
if form.validate_on_submit(): # 验证表单数据
user = User.query.filter_by(email=form.email.data).first()
if user is not None and user.verify_password(form.password.data): # verify_password会验证表单数据
login_user(user,form.remember_me.data) # 如果为True则为用户生成长期有效的cookies
return redirect(request.args.get('next') or url_for('main.index'))# next保存原地址(从request.args字典中读取)
flash('用户名或密码无效')
return render_template('auth/login.html',form=form)
更新登陆模板auth/login.html
{% extends 'base.html' %}
{% import'bootstrap/wtf.html' as wtf %}
{% block title %}Flask-登陆{% endblock %}
{% block page_content %}
<div class="page-header">
<h1>登陆</h1>
</div>
<div class="col-md-4">
{{ wtf.quick_form(form) }}
</div>
{% endblock %}
登出用户
auth/views.py
from flask_login import login_user,login_required,logout_user,current_user
@auth.route('/logout')
@login_required
def logout():
logout_user()
flash('你已经退出')
return redirect(url_for('main.index'))
测试登陆 index.html
<h1>Hello,
{% if current_user.is_authenticated %}
{{ current_user.username }}
{% else %}
访客
{% endif %}!
</h1>
注册新用户
添加用户注册表单
from flask_wtf import FlaskForm
from wtforms import StringField,PasswordField,BooleanField,SubmitField
from wtforms.validators import DataRequired,Length,Email,Regexp,EqualTo
from ..models import User class RegistrationForm(FlaskForm):
email = StringField('邮箱', validators=[DataRequired(), Length(1, 64), Email()])
username= StringField('用户名', validators=[DataRequired(), Length(1, 64), Regexp('^[A-Za-z][A-Za-z0-9_.]*$',0,'用户名必须是字母,数字,点号,下划线')])
password = PasswordField('密码', validators=[DataRequired(),EqualTo('password2',message='密码不一致')])
password2 = PasswordField('再次输入密码', validators=[DataRequired()])
submit = SubmitField('注册')
def validate_email(self,filed):
if User.query.filter_by(email=filed.data).first():
raise ValidationError('邮箱已被注册')
def validate_username(self,filed):
if User.query.filter_by(username=filed.data).first():
raise ValidationError('用户名已被使用')
auth/register.html
{% extends 'base.html' %}
{% import'bootstrap/wtf.html' as wtf %}
{% block title %}Flask-注册{% endblock %}
{% block page_content %}
<div class="page-header">
<h1>注册</h1>
</div>
<div class="col-md-4">
{{ wtf.quick_form(form) }}
</div>
{% endblock %}
auth/login.html 添加链接到注册页面
<p>新用户?<a href="{{ url_for('auth.register') }}">点击这里注册</a></p>
app/auth/views.py
@auth.route('/register',methods=['get','post'])
def register():
form = RegistrationForm()
if form.validate_on_submit():
user=User(email = form.email.data,
username=form.username.data,
password=form.password.data)
db.session.add(user)
flash('你现在已经登陆了')
return redirect(url_for('auth.login'))
return render_template('auth/register.html',form=form)
确认账户
使用isdangerous生成确认令牌
app/models.py 确认用户账户
from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
from flask import current_app
from . import db
class User(UserMixin,db.Model):
# ...
confirmed = db.Column(db.Boolean,default=False)
def generate_confirmation_token(self,expiration=3600): #生成令牌,有效期1小时
s = Serializer(current_app.config['SECRET_KEY'],expiration)
return s.dumps({'confirm':self.id})
def confirm(self,token): # 检验令牌 如果通过把confirmed字段设为True
s=Serializer(current_app.config['SECRET_KEY'])
try:
data = s.loads(token)
except:
return False
if data.get('confirm') !=self.id: # 检查令牌id是否存储是已登录用户进行匹配
return False
self.confirmed=True
db.session.add(self)
return True
发送确认邮件
auth/views.py
from ..email import send_mail
@auth.route('/register',methods=['get','post'])
def register():
form = RegistrationForm()
if form.validate_on_submit():
user=User(email = form.email.data,
username=form.username.data,
password=form.password.data)
db.session.add(user)
db.session.commit()
token = user.generate_confirmation_token()
send_mail(user.email,'确认你的账户','auth/email/confirm',user=user,token=token)
flash('我们已经给你发送了一封确认邮件')
return redirect(url_for('main.index'))
return render_template('auth/register.html',form=form)
auth/email/cinfirm.txt
亲爱的,{{ user.username }}
欢迎来到 Flasky
为了确认您的账户,请点击以下链接:
{{ url_for('auth.confirm',token=token,_external=True) }} #返回绝对路径
Flasky 团队
auth/views.py
from flask_login import current_user
@auth.route('/confirm/<token>')
@login_required # 保护这个路由,用户需要先登录
def confirm(token):
if current_user.confirmed:
return redirect(url_for('main.index'))
if current_user.confirm(token):
flash('你已经确认了你的账户,谢谢')
else:
flash('确认链接失效或过期')
return redirect(url_for('main.index'))
app/auth/views.py 使用before_app_request来全局使用处理程序中未确认的用户
@auth.before_app_request # 如果返回响应或重定向,会直接发送至客户端,不会调用请求视图函数
def before_request():
if current_user.is_authenticated\
and not current_user.confirmed \
and request.endpoint[:5] != 'auth.'\ #访问路由获取权限
and request.endpoint != 'static':
return redirect(url_for('auth.unconfirmed')) @auth.route('/unconfirmed')
def unconfirmed():
if current_user.is_anonymous or current_user.confirmed:
return redirect(url_for('main.index'))
return render_template('auth/unconfirmed.html')
auth/views.py 重新发送确认邮件
@auth.route('/confirm')
@login_required
def resend_confirmation():
token=current_user.generate_confirmation_token()
send_mail(current_user.email,'确认你的账户','auth/email/confirm',user=current_user,token=token)
flash('一封新的确认邮件已经发送到您的邮箱')
return redirect(url_for('main.index'))
管理账户:
修改密码 重设密码 修改电子邮件地址
https://github.com/Erick-LONG/flask_blog/commit/3748e70d9f986b066328185bcf417d8b8205ed8c https://github.com/Erick-LONG/flask_blog/commit/ce4a67d31f0d7d5f5c6719eebb193b2949c77b0c https://github.com/Erick-LONG/flask_blog/commit/f89ef3dac3819129165be4d9b2a67a2bb092cf34