Flask login with WTForms validation
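class LoginForm(flask_wtf.Form):
    """
    Validate a login form against the ``users`` collection.

    Every credential failure raises the same message, so the response does
    not reveal whether the email address is registered or only the password
    was wrong (user enumeration). Bear in mind that WTForms still attaches
    the error to the field whose validator raised it, so a template that
    renders errors per field can leak the same distinction; render
    ``form.errors`` in one place if that matters.
    """
    # Shared message for every credential failure; see the class docstring.
    INVALID_CREDENTIALS = "Invalid email or password"

    email_validator = [flask_wtf.Required()]
    pwd_validator = [flask_wtf.Required(), flask_wtf.Length(2)]
    # TextField is deprecated in WTForms in favour of StringField.
    email = flask_wtf.TextField(u'email', validators=email_validator)
    password = flask_wtf.PasswordField(u'password', validators=pwd_validator)
    submit = flask_wtf.SubmitField("Login")

    def _get_user(self, email):
        """Return the users document whose ``email`` matches, or None."""
        return mongo.db.users.find_one({'email': email})

    def validate_email(self, field):
        """Inline validator: reject an email address with no matching user."""
        if not self._get_user(field.data):
            raise flask_wtf.ValidationError(self.INVALID_CREDENTIALS)

    def validate_password(self, field):
        """Inline validator: reject a password that does not match the user's.

        Only checks when the email resolved to a user; an unknown email is
        already rejected by ``validate_email``.
        """
        user = self._get_user(self.email.data)
        # NOTE(review): this compares the stored value as plaintext with a
        # non-constant-time ``!=``; store a salted hash instead and verify it
        # with a dedicated check (e.g. werkzeug.security.check_password_hash)
        # — TODO.
        if user and user[u'password'] != field.data:
            raise flask_wtf.ValidationError(self.INVALID_CREDENTIALS)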
class Login(MethodView):
    """Flask view that serves the login page and handles its submission."""

    def __init__(self):
        # NOTE(review): LoginForm() is built here, when Flask instantiates the
        # view; this presumes a request context is active at that point —
        # verify for the Flask version in use.
        self.form = LoginForm()

    def get(self):
        """Render the login page with an unbound form."""
        return flask.render_template('login.html', login_form=self.form)

    def post(self):
        """Validate the submitted credentials.

        On success the user's email is stored in the session and the client
        is redirected to ``index``; otherwise the page is re-rendered with
        the form's errors.
        """
        form = self.form
        if not form.validate():
            return flask.render_template('login.html', login_form=form)
        flask.session['user'] = form.email.data
        flask.flash('You were logged in')
        return flask.redirect(flask.url_for("index"))
# Expose the Login view at /login for both GET (render) and POST (submit).
_login_view = Login.as_view('login')
app.add_url_rule('/login', view_func=_login_view, methods=['POST', 'GET'])

necronet commented Aug 8, 2013

You cannot do this:

    def __init__(self):
        self.form = LoginForm()

It is outside the scope of a working application context.

eneepo commented Aug 17, 2014

There's a security concern with exposing specifically whether the username is invalid or the password is invalid (you solve half of the problem for the attacker). In such cases it's better to say "username or password is invalid" without specifying which one exactly.

Frozenball Aug 28, 2014

I don't think exposing the username matters that much:

  1. Your project probably has public usernames anyway.
  2. Usability suffers.

brettgerry Jan 13, 2015

TextField has now been deprecated in favor of StringField in WTForms. I suggest updating line 8 accordingly to:
email = flask_wtf.StringField(u'email', validators=email_validator)


ruipacheco Apr 15, 2016

Is this valid? The docs say it should be, for example, validate_email(form, field), not validate_email(self, field).

