This object is used to hold the settings used for logging in. Instances of are not bound to specific apps, so you can create one in the main body of your code and then bind it to your app in a factory function.
setup_app(app, add_context_processor=True)
This method has been deprecated. Please use LoginManager.init_app()
instead.
unauthorized()
This is called when the user is required to log in. If you register a callback with LoginManager.unauthorized_handler()
, then it will be called. Otherwise, it will take the following actions:
- If the app is using blueprints find the login view for the current blueprint using
blueprint_login_views
. If the app is not using blueprints or the login view for the current blueprint is not specified use the value of . Redirect the user to the login view. (The page they were attempting to access will be passed in thenext
query string variable, so you can redirect there if present instead of the homepage.)
If LoginManager.login_view
is not defined, then it will simply raise a HTTP 401 (Unauthorized) error instead.
This should be returned from a view or before/after_request function, otherwise the redirect will have no effect.
needs_refresh()
This is called when the user is logged in, but they need to be reauthenticated because their session is stale. If you register a callback with , then it will be called. Otherwise, it will take the following actions:
- Flash
LoginManager.needs_refresh_message
to the user. - Redirect the user to . (The page they were attempting to access will be passed in the
next
query string variable, so you can redirect there if present instead of the homepage.)
If LoginManager.refresh_view
is not defined, then it will simply raise a HTTP 401 (Unauthorized) error instead.
This should be returned from a view or before/after_request function, otherwise the redirect will have no effect.
General Configuration
user_loader(callback)
This sets the callback for reloading a user from the session. The function you set should take a user ID (a unicode
) and return a user object, or None
if the user does not exist.
Parameters: callback () – The callback for retrieving a user object.
header_loader(callback)
This sets the callback for loading a user from a header value. The function you set should take an authentication token and return a user object, or None
if the user does not exist.
Parameters: callback () – The callback for retrieving a user object.
token_loader(callback)
This sets the callback for loading a user from an authentication token. The function you set should take an authentication token (a unicode
, as returned by a user’s get_auth_token
method) and return a user object, or None
if the user does not exist.
Parameters: callback (callable) – The callback for retrieving a user object.
anonymous_user
A class or factory function that produces an anonymous user, which is used when no one is logged in.
Configuration
login_view
The name of the view to redirect to when the user needs to log in. (This can be an absolute URL as well, if your authentication machinery is external to your application.)
The message to flash when a user is redirected to the login page.
unauthorized_handler(callback)
This will set the callback for the unauthorized
method, which among other things is used by . It takes no arguments, and should return a response to be sent to the user instead of their normal view.
Parameters: callback (callable) – The callback for unauthorized users.
Configuration
refresh_view
The name of the view to redirect to when the user needs to reauthenticate.
needs_refresh_message
The message to flash when a user is redirected to the reauthentication page.
needs_refresh_handler(callback)
This will set the callback for the needs_refresh
method, which among other things is used by . It takes no arguments, and should return a response to be sent to the user instead of their normal view.
Parameters: callback (callable) – The callback for unauthorized users.
登录机制
flask.ext.login.current_user
A proxy for the current user.
flask.ext.login.login_fresh()
This returns True
if the current login is fresh.
flask.ext.login.login_user(user, remember=False, force=False, fresh=True)
Logs a user in. You should pass the actual user object to this. If the user’s is_active
property is False
, they will not be logged in unless force
is True
.
This will return True
if the log in attempt succeeds, and False
if it fails (i.e. because the user is inactive).
Parameters:
- user (object) – The user object to log in.
- remember () – Whether to remember the user after their session expires. Defaults to
False
. - force (bool) – If the user is inactive, setting this to
True
will log them in regardless. Defaults toFalse
.
marked as not “fresh”. Defaults to True
. :type fresh: bool
flask.ext.login.logout_user()
Logs a user out. (You do not need to pass the actual user.) This will also clean up the remember me cookie if it exists.
lask.ext.login.confirm_login()
This sets the current session as fresh. Sessions become stale when they are reloaded from a cookie.
flask.ext.login.login_required(func)
If you decorate a view with this, it will ensure that the current user is logged in and authenticated before calling the actual view. (If they are not, it calls the callback.) For example:
return current_app.login_manager.unauthorized()
…which is essentially the code that this function adds to your views.
It can be convenient to globally turn off authentication when unit testing. To enable this, if the application configuration variable LOGIN_DISABLED
is set to True
, this decorator will be ignored.
Parameters: func (function) – The view function to decorate.
flask.ext.login.fresh_login_required(func)
If you decorate a view with this, it will ensure that the current user’s login is fresh - i.e. there session was not restored from a ‘remember me’ cookie. Sensitive operations, like changing a password or e-mail, should be protected with this, to impede the efforts of cookie thieves.
If the user is not authenticated, is called as normal. If they are authenticated, but their session is not fresh, it will call LoginManager.needs_refresh()
instead. (In that case, you will need to provide a .)
Behaves identically to the login_required()
decorator with respect to configutation variables.
Parameters: func (function) – The view function to decorate.
用户对象助手
class flask.ext.login.UserMixin
This provides default implementations for the methods that Flask-Login expects user objects to have.
flask.ext.login.login_url(login_view, next_url=None, next_field='next')
Creates a URL for redirecting to a login page. If only login_view
is provided, this will just return the URL for it. If next_url
is provided, however, this will append a next=URL
parameter to the query string so that the login view can redirect back to that URL.
Parameters:
- login_view (str) – The name of the login view. (Alternately, the actual URL to the login view.)
- next_url () – The URL to give the login view for redirection.
- next_field (str) – What field to store the next URL in. (It defaults to
next
.)
flask.ext.login.make_secure_token(*args, **options)
This will create a secure token that you can use as an authentication token for your users. It uses heavy-duty HMAC encryption to prevent people from guessing the information. (To make it even more effective, if you will never need to regenerate the token, you can pass some random data as one of the arguments.)
Parameters:
- *args – The data to include in the token.
信号
如何在你的代码中使用这些信号请参阅 Flask documentation on signals。
flask.ext.login.user_logged_in
当一个用户登入的时候发出。除应用(信号的发送者)之外,它还传递正登入的用户 。
flask.ext.login.user_logged_out
当一个用户登出的时候发出。除应用(信号的发送者)之外,它还传递正登出的用户 user
。
flask.ext.login.user_login_confirmed
当用户的登入被证实,把它标记为活跃的。(它不用于常规登入的调用。) 它不接受应用以外的任何其它参数。
flask.ext.login.user_unauthorized
当 上的 unauthorized
方法被调用时发出。它不接受应用以外的任何其它参数。
flask.ext.login.user_needs_refresh
当 LoginManager
上的 needs_refresh
方法被调用时发出。它不接受应用以外的任何其它参数。
当会话保护起作用时,且会话被标记为非活跃或删除时发出。它不接受应用以外的任何其它参数。