unicode ID of a user, and return the corresponding user
│ │ │ object. For example:
│ │ │ @login_manager.user_loader
│ │ │ def load_user(user_id):
│ │ │ return User.get(user_id)
│ │ │ It should return None (not raise an exception) if the ID is not valid.
│ │ │ +
It should return None (not raise an exception) if the ID is not valid.
│ │ │ (In that case, the ID will manually be removed from the session and processing
│ │ │ will continue.)
The class that you use to represent users needs to implement these properties │ │ │ and methods:
│ │ │is_authenticatedTrue if the user is authenticated, i.e. they
│ │ │ +True if the user is authenticated, i.e. they
│ │ │ have provided valid credentials. (Only authenticated users will fulfill
│ │ │ the criteria of login_required.)is_activeTrue if this is an active user - in addition
│ │ │ +True if this is an active user - in addition
│ │ │ to being authenticated, they also have activated their account, not been
│ │ │ suspended, or any condition your application has for rejecting an account.
│ │ │ Inactive accounts may not log in (without being forced of course).is_anonymousTrue if this is an anonymous user. (Actual
│ │ │ -users should return False instead.)True if this is an anonymous user. (Actual
│ │ │ +users should return False instead.)get_id()unicode that uniquely identifies this user,
│ │ │ and can be used to load the user from the user_loader
│ │ │ callback. Note that this must be a unicode - if the ID is natively
│ │ │ -an int or some other type, you will need to convert it to unicode.int or some other type, you will need to convert it to unicode.
│ │ │ To make implementing a user class easier, you can inherit from UserMixin,
│ │ │ which provides default implementations for all of these properties and methods.
│ │ │ (It’s not required, though.)
Warning: You MUST validate the value of the next parameter. If you do not,
│ │ │ +
Warning: You MUST validate the value of the next parameter. If you do not,
│ │ │ your application will be vulnerable to open redirects. For an example
│ │ │ implementation of is_safe_url see this Flask Snippet.
It’s that simple. You can then access the logged-in user with the
│ │ │ current_user proxy, which is available in every template:
{% if current_user.is_authenticated %}
│ │ │ Hi {{ current_user.name }}!
│ │ │ {% endif %}
│ │ │ @@ -229,15 +229,15 @@
│ │ │ To customize the message category, set LoginManager.login_message_category:
login_manager.login_message_category = "info"
│ │ │ When the log in view is redirected to, it will have a next variable in the
│ │ │ query string, which is the page that the user was trying to access. Alternatively,
│ │ │ -if USE_SESSION_FOR_NEXT is True, the page is stored in the session under the
│ │ │ +if USE_SESSION_FOR_NEXT is True, the page is stored in the session under the
│ │ │ key next.
If you would like to customize the process further, decorate a function with
│ │ │ LoginManager.unauthorized_handler:
@login_manager.unauthorized_handler
│ │ │ def unauthorized():
│ │ │ # do stuff
│ │ │ return a_response
│ │ │ @@ -307,17 +307,17 @@
│ │ │ By default, when a user is not actually logged in, current_user is set to
│ │ │ an AnonymousUserMixin object. It has the following properties and methods:
is_active and is_authenticated are Falseis_anonymous is Trueget_id() returns Noneis_active and is_authenticated are Falseis_anonymous is Trueget_id() returns NoneIf you have custom requirements for anonymous users (for example, they need
│ │ │ to have a permissions field), you can provide a callable (either a class or
│ │ │ factory function) that creates anonymous users to the LoginManager with:
login_manager.anonymous_user = MyAnonymousUser
│ │ │ REMEMBER_COOKIE_NAMEremember_tokenREMEMBER_COOKIE_DURATIONdatetime.timedelta object or integer seconds.
│ │ │ +a datetime.timedelta object or integer seconds.
│ │ │ Default: 365 days (1 non-leap Gregorian year)REMEMBER_COOKIE_DOMAIN.example.com
│ │ │ would allow the cookie to be used on all
│ │ │ subdomains of example.com).
│ │ │ -Default: NoneNone
│ │ │ REMEMBER_COOKIE_PATH/REMEMBER_COOKIE_SECURENoneNone
│ │ │ REMEMBER_COOKIE_HTTPONLYFalseFalse
│ │ │ REMEMBER_COOKIE_REFRESH_EACH_REQUESTTrue the cookie is refreshed on every
│ │ │ +True the cookie is refreshed on every
│ │ │ request, which bumps the lifetime. Works like
│ │ │ -Flask’s SESSION_REFRESH_EACH_REQUEST.
│ │ │ -Default: FalseSESSION_REFRESH_EACH_REQUEST.
│ │ │ +Default: False
│ │ │ While the features above help secure your “Remember Me” token from cookie │ │ │ @@ -455,15 +455,15 @@ │ │ │
Or, to disable it:
│ │ │login_manager.session_protection = None
│ │ │ By default, it is activated in "basic" mode. It can be disabled in the
│ │ │ -app’s configuration by setting the SESSION_PROTECTION setting to None,
│ │ │ +app’s configuration by setting the SESSION_PROTECTION setting to None,
│ │ │ "basic", or "strong".
When session protection is active, each request, it generates an identifier │ │ │ for the user’s computer (basically, a secure hash of the IP address and user │ │ │ agent). If the session does not have an associated identifier, the one │ │ │ generated will be stored. If it has an identifier, and it matches the one │ │ │ generated, then the request is OK.
│ │ │If the identifiers do not match in basic mode, or when the session is
│ │ │ @@ -503,22 +503,22 @@
│ │ │ using your header_loader.
To make it easier for you to write automated tests, Flask-Login provides a
│ │ │ custom test client class that will set the user’s login cookie for you.
│ │ │ To use this custom test client class, assign it to the
│ │ │ -test_client_class attribute
│ │ │ +test_client_class attribute
│ │ │ on your application object, like this:
from flask_login import FlaskLoginClient
│ │ │
│ │ │ app.test_client_class = FlaskLoginClient
│ │ │ Next, use the app.test_client() method
│ │ │ +
Next, use the app.test_client() method
│ │ │ to make a test client, as you normally do. However, now you can pass a
│ │ │ user object to this method, and your client will be automatically
│ │ │ logged in with this user!
def test_simple(self):
│ │ │ user = User.query.get(1)
│ │ │ with app.test_client(user=user) as client:
│ │ │ # this request has user 1 already logged in!
│ │ │ @@ -625,15 +625,15 @@
│ │ │ header_loader(callback)[source]¶This function has been deprecated. Please use
│ │ │ LoginManager.request_loader() instead.
This sets the callback for loading a user from a header value.
│ │ │ The function you set should take an authentication token and
│ │ │ -return a user object, or None if the user does not exist.
None if the user does not exist.
│ │ │ | Parameters: | callback (callable) – The callback for retrieving a user object. | │ │ │
|---|
| Parameters: |
|
│ │ │
|---|
if not current_user.is_authenticated:
│ │ │ return current_app.login_manager.unauthorized()
│ │ │ …which is essentially the code that this function adds to your views.
│ │ │It can be convenient to globally turn off authentication when unit testing.
│ │ │ To enable this, if the application configuration variable LOGIN_DISABLED
│ │ │ -is set to True, this decorator will be ignored.
True, this decorator will be ignored.
│ │ │ Note
│ │ │Per W3 guidelines for CORS preflight requests,
│ │ │ HTTP OPTIONS requests are exempt from login checks.
| Parameters: |
|
│ │ │
|---|