Recently, I decided to learn Python, as part of learning I built a remote jobs (remote4africa) platform using Python Flask. In this post, I will show you step by step process for building a user authentication API using Python (Flask) and MySQL. The application will allow users to register and verify their email through an OTP Code sent to their email.
Note: This post assumes you have an understanding of Python Flask and MySQL.
Flask is a micro web framework written in Python. It allows python developers to build APIs or full web app (frontend and Backend).
When building a user authentication system, you should consider security and ease of use.
On security, you should not allow users to use weak passwords, especially if you are working on a critical application. You should also encrypt the password before storing in your database.
To build this I used the following dependencies:
cerberus: For validation
alembic: For Database Migration and Seeding
mysqlclient: For connecting to MySQL
Flask-SQLAlchemy, flask-marshmallow and marshmallow-sqlalchemy: For database object relational mapping
pyjwt: For JWT token generation
Flask-Mail: For email sending
celery and redis: For queue management
So let's get started
Step 1: Install and Set up your Flask Project.
You can follow the guide at Flask Official Documentation site or follow the steps below. Please ensure you have python3 and pip installed in your machine.
$ mkdir flaskauth $ cd flaskauth $ python3 -m venv venv $ . venv/bin/activate $ pip install Flask # pip install requirements.txt You can install your all the required packages together with Flask at once using a requirements.txt file. (This is provided in the source code).
The Python Flask App folder Structure
It is always advisable to use the package pattern to organise your project.
/yourapplication /yourapplication __init__.py /static style.css /templates layout.html index.html login.html ... Add a pyproject.toml or setup.py file next to the inner yourapplication folder with the following contents:
pyproject.toml
[build-system] requires = ["setuptools"] build-backend = "setuptools.build_meta" [project] name = "yourapplication" description = "yourapplication description" readme = "README.rst" version="1.0.0" requires-python = ">=3.11" dependencies = [ "Flask", "SQLAlchemy", "Flask-SQLAlchemy", "wheel", "pyjwt", "datetime", "uuid", "pytest", "coverage", "python-dotenv", "alembic", "mysqlclient", "flask-marshmallow", "marshmallow-sqlalchemy", "cerberus", "Flask-Mail", "celery", "redis" ] setup.py
from setuptools import setup setup( name='yourapplication', packages=['yourapplication'], include_package_data=True, install_requires=[ 'flask', ], py_modules=['config'] ) You can then install your application so it is importable:
$ pip install -e . You can use the flask command and run your application with the --app option that tells Flask where to find the application instance:
$ flask –app yourapplication run In our own case the application folder looks like the following:
/flaskauth /flaskauth __init__.py /models /auth /controllers /service /queue /templates config.py setup.py pyproject.toml /tests .env ... Step 2: Set up Database and Models
Since this is a simple application, we just need few tables for our database:
- users
- countries
- refresh_tokens
We create our baseModel models/base_model.py
from flask_sqlalchemy import SQLAlchemy from flask_marshmallow import Marshmallow from sqlalchemy.ext.declarative import declared_attr from flaskauth import app _PLURALS = {"y": "ies"} db = SQLAlchemy() ma = Marshmallow(app) class BaseModel(object): @declared_attr def __tablename__(cls): name = cls.__name__ if _PLURALS.get(name[-1].lower(), False): name = name[:-1] + _PLURALS[name[-1].lower()] else: name = name + "s" return name For Users table, we need email, first_name, last_name, password and other fields shown below. So we create the user and refresh token model models/user.py
from datetime import datetime from flaskauth.models.base_model import BaseModel, db, ma from flaskauth.models.country import Country class User(db.Model, BaseModel): __tablename__ = "users" id = db.Column(db.BigInteger, primary_key=True) email = db.Column(db.String(120), unique=True, nullable=False) password = db.Column(db.String(200), nullable=True) first_name = db.Column(db.String(200), nullable=False) last_name = db.Column(db.String(200), nullable=False) avatar = db.Column(db.String(250), nullable=True) country_id = db.Column(db.Integer, db.ForeignKey('countries.id', onupdate='CASCADE', ondelete='SET NULL'), nullable=True) is_verified = db.Column(db.Boolean, default=False, nullable=False) verification_code = db.Column(db.String(200), nullable=True) created_at = db.Column(db.DateTime, nullable=False, default=datetime.utcnow) updated_at = db.Column(db.DateTime, nullable=True, onupdate=datetime.utcnow) deleted_at = db.Column(db.DateTime, nullable=True) country = db.relationship('Country', backref=db.backref('users', lazy=True)) refresh_tokens = db.relationship('RefreshToken', backref=db.backref('users', lazy=True)) class RefreshToken(db.Model, BaseModel): __tablename__ = "refresh_tokens" id = db.Column(db.BigInteger, primary_key=True) token = db.Column(db.String(200), unique=True, nullable=False) user_id = db.Column(db.BigInteger, db.ForeignKey(User.id, onupdate='CASCADE', ondelete='CASCADE'), nullable=False) expired_at = db.Column(db.DateTime, nullable=False) created_at = db.Column(db.DateTime, nullable=False, default=datetime.utcnow) updated_at = db.Column(db.DateTime, nullable=True, onupdate=datetime.utcnow) We also create the country model
from flaskauth.models.base_model import BaseModel, db from flaskauth.models.region import Region class Country(db.Model, BaseModel): __tablename__ = "countries" id = db.Column(db.Integer, primary_key=True) name = db.Column(db.String(100), unique=True, nullable=False) code = db.Column(db.String(3), unique=True, nullable=False) For migration and seeding (creating the tables on the database and importing default data), we will use alembic. I will show you how to do this later.
Step 3: Create the __init__.py file
In this file we will initiate the flask application, establish database connection and also set up the queue. The init.py file makes Python treat directories containing it as modules.
import os from flask import Flask, make_response, jsonify from jsonschema import ValidationError def create_app(test_config=None): app = Flask(__name__, instance_relative_config=True) if test_config is None: app.config.from_object('config.ProductionConfig') else: app.config.from_object('config.DevelopmentConfig') # ensure the instance folder exists try: os.makedirs(app.instance_path) except OSError: pass return app app = create_app(test_config=None) from flaskauth.models.base_model import db, BaseModel db.init_app(app) from flaskauth.models.user import User from celery import Celery def make_celery(app): celery = Celery(app.name) celery.conf.update(app.config["CELERY_CONFIG"]) class ContextTask(celery.Task): def __call__(self, *args, **kwargs): with app.app_context(): return self.run(*args, **kwargs) celery.Task = ContextTask return celery celery = make_celery(app) from flaskauth.auth import auth from flaskauth.queue import queue from flaskauth.controllers import user app.register_blueprint(auth, url_prefix='/auth') app.register_blueprint(queue) @app.route("/hello") def hello_message() -> str: return jsonify({"message": "Hello It Works"}) @app.errorhandler(400) def bad_request(error): if isinstance(error.description, ValidationError): original_error = error.description return make_response(jsonify({'error': original_error.message}), 400) # handle other "Bad Request"-errors # return error return make_response(jsonify({'error': error.description}), 400) This file loads our application by calling all the models and controllers needed.
The first function create_app is for creating a global Flask instance, it is the assigned to app
app = create_app(test_config=None) We then import our database and base model from models/base_model.py
We are using SQLAlchemy as ORM for our database, we also use Marshmallow for serialization/deserialization of our database objects.
With the imported db, we initiate the db connection.
Next we use the make_celery(app) to initiate the celery instance to handle queue and email sending.
Next we import the main parts of our applications (models, controllers and other functions).
app.register_blueprint(auth, url_prefix='/auth') app.register_blueprint(queue) The above will register the queue and auth blueprints. In the auth blueprint we handle all routes that starts with /auth
@app.route("/hello") def hello_message() -> str: return jsonify({"message": "Hello It Works"}) We will use this to test that our application is running.
The bad_request(error): function will handle any errors not handled by our application.
The Authentication
To handle authentication we will create a file auth/controllers.py
This file has the register function that will handle POST request. We also need to handle data validation to ensure the user is sending the right information.
from werkzeug.security import generate_password_hash, check_password_hash from flaskauth import app from flaskauth.auth import auth from flask import request, make_response, jsonify, g, url_for from datetime import timedelta, datetime as dt from flaskauth.models.user import db, User, RefreshToken, UserSchema from sqlalchemy.exc import SQLAlchemyError from cerberus import Validator, errors from flaskauth.service.errorhandler import CustomErrorHandler from flaskauth.queue.email import send_email from flaskauth.service.tokenservice import otp, secret, jwtEncode from flaskauth.service.api_response import success, error @auth.route("/register", methods=['POST']) def register(): schema = { 'email': { 'type': 'string', 'required': True, 'regex': '^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$' }, 'password': { 'type': 'string', 'required': True, 'min': 6 }, 'first_name': { 'type': 'string', 'required': True, 'min': 2 }, 'last_name': { 'type': 'string', 'required': True, 'min': 2, } } v = Validator(schema, error_handler=CustomErrorHandler) form_data = request.get_json() args = request.args if(v.validate(form_data, schema) == False): return v.errors email = form_data['email'] verification_code = otp(7) try: new_user = User( email= form_data['email'], password = generate_password_hash(form_data['password']), first_name= form_data['first_name'], last_name= form_data['last_name'], verification_code = secret(verification_code), ) db.session.add(new_user) db.session.commit() except SQLAlchemyError as e: # error = str(e.__dict__['orig']) message = str(e) return error({}, message, 400) # return make_response(jsonify({'error': error}), 400) # Send verification email appName = app.config["APP_NAME"].capitalize() email_data = { 'subject': 'Account Verification on ' + appName, 'to': email, 'body': '', 'name': form_data['first_name'], 'callBack': verification_code, 'template': 'verification_email' } send_email.delay(email_data) message = 'Registration Successful, check your email for OTP code to verify your account' return success({}, message, 200) For validation I used cerberus. Cerberus is a python package that makes validation easy, it returns errors in json format when a validation fail. You can also provide custom error message like below.
from cerberus import errors class CustomErrorHandler(errors.BasicErrorHandler): messages = errors.BasicErrorHandler.messages.copy() messages[errors.REGEX_MISMATCH.code] = 'Invalid Email!' messages[errors.REQUIRED_FIELD.code] = '{field} is required!' The register function validates the data, if successful, we then generate an otp/verification code using the otp(total) function. We then hash the code for storage in database using the secret(code=None) function.
def secret(code=None): if not code: code = str(datetime.utcnow()) + otp(5) return hashlib.sha224(code.encode("utf8")).hexdigest() def otp(total): return str(''.join(random.choices(string.ascii_uppercase + string.digits, k=total))) We hash the user's password using the werkzeug.security generate_password_hash inbuilt function in flask and store the record in database. We are using SQLAlchemy to handle this.
After storing the user details, we schedule email to be sent immediately to the user.
# Send verification email appName = app.config["APP_NAME"].capitalize() email_data = { 'subject': 'Account Verification on ' + appName, 'to': email, 'body': '', 'name': form_data['first_name'], 'callBack': verification_code, 'template': 'verification_email' } send_email.delay(email_data) Then, we return a response to the user
message = 'Registration Successful, check your email for OTP code to verify your account' return success({}, message, 200) To handle responses, I created a success and error functions under services/api_response.py
from flask import make_response, jsonify def success(data, message: str=None, code: int = 200): data['status'] = 'Success' data['message'] = message data['success'] = True return make_response(jsonify(data), code) def error(data, message: str, code: int): data['status'] = 'Error' data['message'] = message data['success'] = False return make_response(jsonify(data), code) We have other functions to handle email verification with OTP, login and refresh_token.
Verify account
@auth.route("/verify", methods=['POST']) def verifyAccount(): schema = { 'otp': { 'type': 'string', 'required': True, 'min': 6 }, } v = Validator(schema, error_handler=CustomErrorHandler) form_data = request.get_json() if(v.validate(form_data, schema) == False): return v.errors otp = form_data['otp'] hash_otp = secret(otp) user = User.query.filter_by(verification_code = hash_otp).first() if not user: message = 'Failed to verify account, Invalid OTP Code' return error({},message, 401) user.verification_code = None user.is_verified = True db.session.commit() message = 'Verification Successful! Login to your account' return success({}, message, 200) Login user
This function handles POST request and validates the user's email and password. We first check if a record with the user's email exists, if not, we return an error response. If user's email exists, we check_password_hash function to check if the password supplied is valid.
If the password is valid, we call the authenticated function to generate and store a refresh token, generate a JWT token and the return a response with both tokens to the user.
@auth.route("/login", methods=['POST']) def login(): schema = { 'email': { 'type': 'string', 'required': True, 'regex': '^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$' }, 'password': { 'type': 'string', 'required': True, 'min': 6 }, } v = Validator(schema, error_handler=CustomErrorHandler) form_data = request.get_json() user = User.query.filter_by(email = form_data['email']).first() if not user: message = 'Login failed! Invalid account.' return error({}, message, 401) if not check_password_hash(user.password, form_data['password']): message = 'Login failed! Invalid password.' return error({}, message, 401) return authenticated(user) def authenticated(user: User): refresh_token = secret() try: refreshToken = RefreshToken( user_id = user.id, token = refresh_token, expired_at = dt.utcnow() + timedelta(minutes = int(app.config['REFRESH_TOKEN_DURATION'])) ) db.session.add(refreshToken) db.session.commit() except SQLAlchemyError as e: # error = str(e.__dict__['orig']) message = str(e) return error({}, message, 400) # del user['password'] user_schema = UserSchema() data = { "token": jwtEncode(user), "refresh_token": refresh_token, "user": user_schema.dump(user) } message = "Login Successful, Welcome Back" return success(data, message, 200) The response with the token will look like this:
{ "expired_at": "Wed, 10 Jan 2024 16:43:48 GMT", "message": "Login Successful, Welcome Back", "refresh_token": "a5b5ehghghjk8truur9kj4f999bf6c01d34892df768", "status": "Success", "success": true, "token": "eyK0eCAiOiJDhQiLCJhbGciOI1NiJ9.eyJzdWIiOjEsImlhdCI6MTY3MzM2OTAyOCwiZXhwIjoxNjczOTczODI4fQ.a6fn7z8v9K5EmqZO7-J8VkY2u_Kdffh8aOVuWjTH138", "user": { "avatar": null, "country": { "code": "NG", "id": 158, "name": "Nigeria" }, "country_id": 158, "created_at": "2022-12-09T16:00:48", "email": "user@example.com", "first_name": "John", "id": 145, "is_verified": true, "last_name": "Doe", "updated_at": "2022-12-10T12:17:45" } } The refresh token is useful for keeping a user logged without requesting for login information every time. Once JWT token is expired a user can use the refresh token to request a new JWT token. This can be handled by the frontend without asking the user for login details.
@auth.route("/refresh", methods=['POST']) def refreshToken(): schema = { 'refresh_token': { 'type': 'string', 'required': True, }, } v = Validator(schema, error_handler=CustomErrorHandler) form_data = request.get_json() now = dt.utcnow() refresh_token = RefreshToken.query.filter(token == form_data['refresh_token'], expired_at >= now).first() if not refresh_token: message = "Token expired, please login" return error({}, message, 401) user = User.query.filter_by(id = refresh_token.user_id).first() if not user: message = "Invalid User" return error({}, message, 403) data = { "token": jwtEncode(user), "id": user.id } message = "Token Successfully refreshed" return success(data, message, 200) You can access the full source code on GitHub HERE
Step 4: Install and Run the application
You can run the application by executing the following on your terminal
flask --app flaskauth run Ensure the virtual environment is active and you're on the root project folder when you run this.
Alternatively, you don't need to be in the root project folder to run the command if you installed the application using the command below
$ pip install -e . To ensure email is delivering set up SMTP crediential in the .env file
APP_NAME=flaskauth FLASK_APP=flaskauth FLASK_DEBUG=True FLASK_TESTING=False SQLALCHEMY_DATABASE_URI=mysql://root:@localhost/flaskauth_db?charset=utf8mb4 MAIL_SERVER='smtp.mailtrap.io' MAIL_USERNAME= MAIL_PASSWORD= MAIL_PORT=2525 MAIL_USE_TLS=True MAIL_USE_SSL=False MAIL_DEFAULT_SENDER='info@flaskauth.app' MAIL_DEBUG=True SERVER_NAME= AWS_SECRET_KEY= AWS_KEY_ID= AWS_BUCKET= JWT_DURATION=10080 REFRESH_TOKEN_DURATION=525600 Also, run the celery application to handle queue and email sending
celery -A flaskauth.celery worker --loglevel=INFO Step 5: Run Database Migration and Seeding
We will use alembic package to handle migration. Alembic is already installed as part of our requirements. Also, see the source code for the migration files. We will run the following to migrate.
alembic upgrade head You can use alembic to generate database migrations. For example, to create users table run
alembic revision -m "create users table" This will generate a migration file, similar to the following:
"""create users table Revision ID: 9d4a5cb3f558 Revises: 5b9768c1b705 Create Date: 2023-01-10 18:34:09.608403 """ from alembic import op import sqlalchemy as sa # revision identifiers, used by Alembic. revision = '9d4a5cb3f558' down_revision = '5b9768c1b705' branch_labels = None depends_on = None def upgrade() -> None: pass def downgrade() -> None: pass You can then edit it to the following:
"""create users table Revision ID: 9d4a5cb3f558 Revises: None Create Date: 2023-01-10 18:34:09.608403 """ from alembic import op import sqlalchemy as sa # revision identifiers, used by Alembic. revision = '9d4a5cb3f558' down_revision = None branch_labels = None depends_on = None def upgrade() -> None: op.create_table('users', sa.Column('id', sa.BigInteger(), nullable=False), sa.Column('email', sa.String(length=120), nullable=False), sa.Column('password', sa.String(length=200), nullable=True), sa.Column('first_name', sa.String(length=200), nullable=False), sa.Column('last_name', sa.String(length=200), nullable=False), sa.Column('avatar', sa.String(length=250), nullable=True), sa.Column('country_id', sa.Integer(), nullable=True), sa.Column('is_verified', sa.Boolean(), nullable=False), sa.Column('verification_code', sa.String(length=200), nullable=True), sa.Column('created_at', sa.DateTime(), nullable=False), sa.Column('updated_at', sa.DateTime(), nullable=True), sa.Column('deleted_at', sa.DateTime(), nullable=True), sa.ForeignKeyConstraint(['country_id'], ['countries.id'], onupdate='CASCADE', ondelete='SET NULL'), sa.PrimaryKeyConstraint('id'), sa.UniqueConstraint('email') ) # ### end Alembic commands ### def downgrade() -> None: op.drop_table('users') # ### end Alembic commands ### You can also auto generate migration files from your models using the following:
alembic revision --autogenerate Note: For auto generation to work, you have to import your app context into the alembic env.py file. See source code for example.
Conclusion
After completing the database migration, you can go ahead and test the app buy sending requests to http://localhost:5000/auth/register using Postman, remember to supply all the necessary data, example below:
{ "email": "ade@example.com", "password": "password", "first_name": "Ade", "last_name": "Emeka" "country": "NG" } Let me know your thoughts and feedback below.
Top comments (1)
well written, write some devops projects