Flask Auth in One Line of Code

Ever since I wrote about the authentication problem in the Flask ecosystem a few months back, I’ve been working hard to build a simple abstraction to solve these issues.

When I launched the first version of Flask-Stormpath, I got a ton of incredibly great feedback from the community, and learned a lot — namely, people don’t want to worry about user authentication at all.

The Problem (a Recap) + A v.1 Solution

The “authentication problem” in the Flask ecosystem is this: since Flask has no built-in ORM or tooling — almost every Flask developer ends up rolling their own form of user authentication. There are currently no libraries which solve all of the authentication problems. So, I built a first release of a Flask + Stormpath integration, which solved some big authentication problems in Flask:

  • Centralized (secure) user store.
  • No need to worry about hashing passwords or JOIN’ing database tables — that bit was handled automatically.
  • Easy to use user accounts.
  • Secure sessions.

After launch, I got a ton of excellent user feedback (thanks everyone!). After talking with lots of people, using the library myself, and writing a beginner Flask app tutorial, I realized that the first version of Flask-Stormpath was not really as good as I initially thought.

Learning and Planning

I realized that by even explaining how to do things like create registration, login, and logout views was a total waste of time — why should developers have to do this stuff themselves?

So, I decided to revamp the initial Flask-Stormpath design and simplify all developer-facing code, such that:

  • Users could get registration, login, and logout working without writing any view code at all.
  • Users could control basic authentication features through app config variables (this way things are still flexible).
  • Users should be able to support social login with both Google and Facebook without doing any additional work.

Introducing the New Flask-Stormpath

I’m incredibly excited to announce the newest release of Flask-Stormpath — it contains a huge number of improvements over the first release, and makes handling user authentication in Flask apps incredibly simple.

In simple cases, registration, login, and logout are only a single line of code! No database required!

Here’s how this looks in practice:

As you can see, we’re defining some settings, and initializing a StormpathManager. What does this get you?

Firstly, you get a fully functional registration page out-of-the-box:

New Flask Registration Page

You also get a beautiful login page out-of-the-box (note the Google and Facebook buttons):

New Flask Login Page

And lastly, you get logout functionality (if a user visits /logout they’ll be logged out and redirected back to the site root).

There are currently three built-in views (along with templates and URL routes):

  • A registration view / template / route (bound to /register by default).
  • A login view / template / route (bound to /login by default).
  • A logout view / route (bound to /logout by default).

To make things even nicer, each of these views is 100% customizable — and dynamically configure themselves based on your Flask settings.

Let’s take a deeper look!

Authentication Customization

Let’s say you’d like to modify the registration fields you accept when signing up new users. Flask-Stormpath supports several user fields for registration:

  • email (required)
  • password (required)
  • given_name (first name)
  • surname (last name)
  • middle_name
  • username

So, let’s say you want to remove the first, middle, and last name fields from the registration page — you could simply set the following configuration variables:

And just like that, those fields will disappear:

New Flask Login Page (no names)

Want to include an optional username field? Simple! Just add the following config:

Each of the available fields can be both ‘ENABLED’ and ‘REQUIRED’ to your liking. This makes building dynamic registration / login pages incredibly easy.

But wait! There’s more!

You can also easily change the default routes around:

And changing templates is equally easy:

NOTE: The official template documentation has all the information you could ever need / want on how to build you own registration / login templates (it’s super easy!).

Furthermore, handling social login is incredibly simple. You can easily enable or disable social login support for both Facebook and Google by modifying configuration variables alone:

Full examples for adding social login to your site can be found here (including in-depth instructions for creating Facebook / Google apps).

And if you’re not interested in any of the automatic stuff that’s built in, you can disable it all with only three config variables:

Not bad, right?

New Design

The new Flask-Stormpath design is based around abstraction: the main idea is to make authentication as simple and painless as humanly possible. If you’re building a Flask app, you no longer have to worry about storing / securing user data at all — it’s completely handled, scaled, and secured.

From this point forward, I’ll be slowly adding more convenience features to the Flask-Stormpath integration to handle other things as well:

  • Email verification for new users.
  • API key authentication (an awesome new feature for securing REST APIs).
  • Password reset.
  • Distributed caching support (redis, memcache, etc.).

I’m extremely excited about the new Flask-Stormpath, and hope you are too!

If you end up giving it a try, I’d love to hear your feedback.

Furthermore, if you aren’t already a Stormpath user — you should go create an account right now! It’s free for up to 100,000 API requests per month! That means most small to medium sized projects can use Stormpath
for zero cost, ever.

And as always, I’d love to hear from you! Please hit me up (I’m [email protected]).