# Flask Security *** **1. User Registration and Login** ```python @app.route('/register', methods=['GET', 'POST']) def register(): if current_user.is_authenticated: return redirect(url_for('home')) form = RegisterForm() if form.validate_on_submit(): user = User(email=form.email.data, password=security.hash_password(form.password.data)) db.session.add(user) db.session.commit() security.login_user(user) return redirect(url_for('home')) return render_template('register.html', form=form) @app.route('/login', methods=['GET', 'POST']) def login(): if current_user.is_authenticated: return redirect(url_for('home')) form = LoginForm() if form.validate_on_submit(): user = User.query.filter_by(email=form.email.data).first() if user and security.check_password_hash(user.password, form.password.data): security.login_user(user) return redirect(url_for('home')) return render_template('login.html', form=form, error='Invalid credentials') return render_template('login.html', form=form) ``` **2. User Profile** ```python @app.route('/profile', methods=['GET', 'POST']) @login_required def profile(): form = ProfileForm(current_user.email, current_user.password) if form.validate_on_submit(): current_user.email = form.email.data if form.password.data: current_user.password = security.hash_password(form.password.data) db.session.commit() security.login_user(current_user) return redirect(url_for('profile')) return render_template('profile.html', form=form) ``` **3. User Roles and Permissions** ```python class Role(db.Model): id = db.Column(db.Integer, primary_key=True) name = db.Column(db.String(80), unique=True) description = db.Column(db.String(255)) class User(db.Model): id = db.Column(db.Integer, primary_key=True) email = db.Column(db.String(255), unique=True) password = db.Column(db.String(255)) roles = db.relationship('Role', secondary='roles_users', backref=db.backref('users', lazy='dynamic')) class Permission(db.Model): id = db.Column(db.Integer, primary_key=True) name = db.Column(db.String(80), unique=True) description = db.Column(db.String(255)) class RolePermission(db.Model): id = db.Column(db.Integer, primary_key=True) role_id = db.Column(db.Integer, db.ForeignKey('role.id')) permission_id = db.Column(db.Integer, db.ForeignKey('permission.id')) ``` **4. Role-Based Access Control (RBAC)** ```python @app.route('/secret') @roles_required('admin') def secret(): return 'This is a secret page' ``` **5. Permission-Based Access Control (PBAC)** ```python @app.route('/protected') @has_permission('access_protected_page') def protected(): return 'This is a protected page' ``` **6. Multiple Roles and Permissions** ```python @app.route('/special') @roles_required('admin', 'moderator') @has_permission('create_post') def special(): return 'This is a special page' ``` **7. Multiple Login Methods (e.g., email, username)** ```python @security.login_manager.user_loader def load_user(identifier): return User.query.get(identifier) or User.query.filter_by(email=identifier).first() ``` **8. OAuth Login** ```python # Configure OAuth providers app.config['SECURITY_OAUTH2_PROVIDERS'] = { 'facebook': { 'client_id': 'your_client_id', 'client_secret': 'your_client_secret' }, 'google': { 'client_id': 'your_client_id', 'client_secret': 'your_client_secret' } } # Callback routes for OAuth providers @app.route('/oauth2callback/facebook') def facebook_callback(): return security.process_social_login('facebook') @app.route('/oauth2callback/google') def google_callback(): return security.process_social_login('google') ``` **9. Passwordless Authentication (via Email)** ```python # Configure email settings for passwordless authentication app.config['SECURITY_PASSWORDLESS_EMAIL_LOGIN'] = True app.config['SECURITY_PASSWORDLESS_EMAIL_SENDER'] = 'email_sender@example.com' # Callback for handling passwordless login @app.route('/passwordless', methods=['GET', 'POST']) def passwordless(): if request.method == 'GET': return render_template('passwordless.html') email = request.form.get('email') security.send_passwordless_login_email(email) return 'Email sent' ``` **10. TOTP (Two-Factor Authentication)** ```python # Configure TOTP settings app.config['SECURITY_TOTP_SECRET_LENGTH'] = 16 app.config['SECURITY_TOTP_TIME_STEP'] = 30 app.config['SECURITY_TOTP_DIGITS'] = 6 app.config['SECURITY_TOTP_ALGORITHM'] = 'sha1' # Enable TOTP for users @app.route('/enable_totp', methods=['GET', 'POST']) @login_required def enable_totp(): if request.method == 'GET': return render_template('enable_totp.html') if request.method == 'POST': secret = security.generate_totp_secret() security.store_totp_secret(current_user, secret) return redirect(url_for('profile')) ``` **11. CSRF Protection** ```python # Install Flask-WTF or Flask-Form to use CSRF tokens csrf = CSRFProtect(app) ``` **12. Token-Based Authentication (JWT)** ```python # Install Flask-JWT-Extended to use JWTs app.config['JWT_SECRET_KEY'] = 'your_secret_key' jwt = JWTManager(app) @app.route('/protected') @jwt_required def protected(): current_user = get_jwt_identity() return 'This is a protected page' ``` **13. User Tracking and Auditing** ```python # Enable Flask-Login's user tracking app.config['SECURITY_TRACK_USER_LOGIN'] = True app.config['SECURITY_TRACK_USER_CHANGE_PASSWORD'] = True ``` **14. Password Reset** ```python @app.route('/reset', methods=['GET', 'POST']) def reset(): if request.method == 'GET': return render_template('reset.html') email = request.form.get('email') user = User.query.filter_by(email=email).first() if user: security.send_reset_password_email(user) return 'Email sent' ``` **15. Password Hash Caching** ```python # Enable password hash caching to improve performance app.config['SECURITY_PASSWORD_HASH_CACHE'] = True ``` **16. Password Verification Customization** ```python # Custom password verification function def verify_password(password, hashed_password): # Your custom password verification logic return True # Register your custom password verification function security.verify_password = verify_password ``` **17. Role and Permission Customization** ```python # Custom role and permission models class Role(db.Model): id = db.Column(db.Integer, primary_key=True) name = db.Column(db.String(80), unique=True) class Permission(db.Model): id = db.Column(db.Integer, primary_key=True) name = db.Column(db.String(80), unique=True) # Register your custom role and permission models security.datastore.role_model = Role security.datastore.permission_model = Permission ``` **18. User Authentication Handler Customization** ```python # Custom user authentication handler class MyAuthenticationHandler(security.AuthenticationHandler): def authenticate(self, email, password): # Your custom authentication logic return True # Register your custom authentication handler security.authentication_handler = MyAuthenticationHandler ``` **19. User Registration Handler Customization** ```python # Custom user registration handler class MyRegistrationHandler(security.RegistrationHandler): def register(self, email, password): # Your custom registration logic return True # Register your custom registration handler security.registration_handler = MyRegistrationHandler ``` **20. Password Reset Handler Customization** ```python # Custom password reset handler class MyResetPasswordHandler(security.ResetPasswordHandler): def reset(self, user): # Your custom password reset logic return True # Register your custom password reset handler security.reset_password_handler = MyResetPasswordHandler ``` **21. Token Handler Customization** ```python # Custom token handler class MyTokenHandler(security.TokenHandler): def generate_token(self, user): # Your custom token generation logic return 'your_custom_token' # Register your custom token handler security.token_handler = MyTokenHandler ``` **22. User Deactivation** ```python @app.route('/deactivate') @login_required def deactivate(): security.deactivate_user(current_user) return redirect(url_for('login')) ``` **23. User Reactivation** ```python @app.route('/reactivate') @login_required def reactivate(): security.reactivate_user(current_user) return redirect(url_for('home')) ``` **24. User Confirmation** ```python # Enable user confirmation app.config['SECURITY_CONFIRMABLE'] = True # Customize email for user confirmation app.config['SECURITY_CONFIRM_EMAIL_SENDER'] = 'email_sender@example.com' # Callback for handling user confirmation @app.route('/confirm/') def confirm(token): security.confirm_user(token) return 'Email confirmed' ``` **25. User Tracking** ```python # Install Flask-Login-Tracker to track user activity user_tracker = LoginTracker(app) ``` **26. Email Multi-Factor Authentication** ```python # Enable email multi-factor authentication app.config['SECURITY_TWO_FACTOR_ENABLED'] = True app.config['SECURITY_TWO_FACTOR_METHODS'] = ['email'] # Callback for handling second factor authentication @app.route('/mfa') @login_required def mfa(): security.send_two_factor_email(current_user) return render_template('mfa.html') @app.route('/mfa/verify', methods=['GET', 'POST']) @login_required def mfa_verify(): token = request.args.get('token') security.verify_two_factor_token(current_user, token) return redirect(url_for('home')) ``` **27. reCAPTCHA Integration** ```python # Install Flask-ReCAPTCHA to integrate reCAPTCHA app.config['RECAPTCHA_PUBLIC_KEY'] = 'your_public_key' app.config['RECAPTCHA_PRIVATE_KEY'] = 'your_private_key' # Add reCAPTCHA to registration and login forms class RegisterForm(Form): recaptcha = RecaptchaField() class LoginForm(Form): recaptcha = RecaptchaField() ``` **28. Social Registration** ```python # Configure social registration providers app.config['SECURITY_SOCIAL_PROVIDERS'] = { 'facebook': { 'client_id': 'your_client_id', 'client_secret': 'your_client_secret' }, 'google': { 'client_id': 'your_client_id', 'client_secret': 'your_client_secret' } } # Callback routes for social registration providers @app.route('/social/login/facebook') def facebook_login(): return security.process_social_registration('facebook') @app.route('/social/login/google') def google_login(): return security.process_social_registration('google') ``` **29. Social Link** ```python # Add social link buttons to user profile @app.route('/profile') @login_required def profile(): return render_template('profile.html', social_links=security.get_social_links(current_user)) ``` **30. Custom User Model** ```python class User(db.Model): id = db.Column(db.Integer, primary_key=True) username = db.Column(db.String(80), unique=True) email = db.Column(db.String(255), unique=True) password = db.Column(db.String(255)) active = db.Column(db.Boolean()) # Register your custom user model security.datastore.user_model = User ``` **31. Custom Role Model** ```python class Role(db.Model): id = db.Column(db.Integer, primary_key=True) name = db.Column(db.String(80), unique=True) description = db.Column(db.String(255)) # Register your custom role model security.datastore.role_model = Role ``` **32. Custom Permission Model** ```python class Permission(db.Model): id = db.Column(db.Integer, primary_key=True) name = db.Column(db.String(80), unique=True) description = db.Column(db.String(255)) # Register your custom permission model security.datastore.permission_model = Permission ``` **33. Custom Role Endpoint** ```python @app.route('/roles') @login_required def roles(): return render_template('roles.html', roles=security.datastore.find_all_roles()) ``` **34. Custom Permission Endpoint** ```python @app.route('/permissions') @login_required def permissions(): return render_template('permissions.html', permissions=security.datastore.find_all_permissions()) ``` **35. Custom User Endpoint** ```python @app.route('/users') @login_required def users(): return render_template('users.html', users=security.datastore.find_all_users()) ``` **36. Custom Token Endpoint** ```python @app.route('/tokens') @login_required def tokens(): return render_template('tokens.html', tokens=security.datastore.find_all_tokens()) ```