Python Flask POST / GET请求

Question

I need help with user authentication in my website. I am using python flask, sqlite3 and DB Browser for SQLite. I'm having trouble with the login part. Each time I try to login and redirect to an html website it says error 404.

Here is the code for the login page:

<!DOCTYPE html>
<html>
  <head>
    <meta charset = "UTF-8"/>
    <title>PackageDrop Login</title>
    <link type = "text/css" rel = "stylesheet" href="{{ url_for('static', filename='login.css') }}" />
    <link type = "text/css" rel = "stylesheet" href="{{ url_for('static', filename='cssmainpage.css') }}" />
  </head>
  <body>
    <form action="/login" method="POST" autocomplete="off">
    Username:<br>
    <input type="text" name="username">
    <br>
    Password:<br>
    <input type="password" name="password">
    <br><br>
    <input type="submit" value="Login">
    </body>
</html>

The page that is forwarded to is just simple html, nothing special so I am not uploading it. If you feel like you need more information to understand, ask and I will post quickly. Thanks for all the help I get.

EDIT1: Changed in the login.html the form action from "login.html" to "login" and now it gives a 400 Bad Request error.

EDIT2: The redirection works. I have changed the code for the login but it makes this error: "ProgrammingError: SQLite objects created in a thread can only be used in that same thread. The object was created in thread id 7812 and this is thread id 7388". The only thing that I did is just connect to the database like this: conn = sqlite3.connect('database.db') This is the new code for the login:

@app.route('/login', methods=['GET', 'POST'])
def login():
    error = None
    checkP = conn.execute('select pword from users where uname = request.form[\'username\']')
    arrayCheck = checkP.fetchall()
    if request.method == 'POST':
        if request.form['password'] != arrayCheck[[0][0]]:
            error = 'Incorrect password'
            return redirect(url_for('login.html'))
        elif len(arrayCheck) == 0:
            error = 'Username or password is incorrect'
            return redirect(url_for('login.html'))
        else:
            session['logged_in'] = True
            flash('You are logged in')
            return redirect(url_for("userpage"))
    return render_template('login.html')

Answer 1

Http 404 code means page not found . When you post your form your redirects is to userpage.html but your form action is to /login route. Your action should be the target page to redirect after post successfully action="/userpage" I assume you have userpage view function. Or you can leave action blank just try with redirect function redirect(url_for('userpage')) . Note url_for() function takes view function name not template name. One last thing I didn't pay attention on your login logic.

Answer 2

username = request.form['uname']
password = request.form['pword']
if request.form['uname'] != username:
    error = 'Incorrect username'
if request.form['pword'] != password:
    error = 'Incorrect password'

As Daniel Roseman explained this logic is flawed. What you need to do is compare password provided by the user with the password you have stored in your database.

In pseudo code, it would look something like this:

username = request.form['uname']
password = request.form['pword']
try:
    db_password = my_db.get('uname')
    if password == db_password:
        session['logged_in'] = True
    else: 
        error = "Password provided does not match Database"
except Exception as exc:
    error = "Could not obtain password from Database : {}".format(exc)

This is just minimum, of course you could improve on this.