Day 3: Authentication and Flask-Login

Today's Objective

User registration, password hashing with bcrypt, session management, and the Flask-Login decorators that protect views without repeating auth logic everywhere.

WTForms Integration

Terminal

pip install flask-wtf

app.py

app.config['SECRET_KEY'] = 'your-secret-key'  # required for CSRF

forms.py

from flask_wtf import FlaskForm
from wtforms import StringField, TextAreaField, EmailField
from wtforms.validators import DataRequired, Email, Length

class ContactForm(FlaskForm):
    name = StringField('Name', validators=[DataRequired(), Length(min=2, max=50)])
    email = EmailField('Email', validators=[DataRequired(), Email()])
    message = TextAreaField('Message', validators=[DataRequired(), Length(min=10)])

views.py

from .forms import ContactForm
from flask import flash

@app.route('/contact', methods=['GET', 'POST'])
def contact():
    form = ContactForm()
    if form.validate_on_submit():
        # form is valid and it was a POST
        flash('Message sent!', 'success')
        return redirect(url_for('index'))
    return render_template('contact.html', form=form)

templates/contact.html


  {{ form.hidden_tag() }}  {# CSRF token #}
  
    {{ form.name.label }}
    {{ form.name(class='input') }}
    {% for error in form.name.errors %}
      {{ error }}
    {% endfor %}
  
  {{ form.message.label }}
  {{ form.message() }}

📝 Day 3 Exercise

Build a Contact Form

Day 3 Summary

Flask-WTF wraps WTForms with CSRF protection. Always add form.hidden_tag() to your forms.
form.validate_on_submit() returns True only on valid POST requests — the one method you need.
Flash messages: flash('message', 'category') in the view, get_flashed_messages() in the template.
Post-Redirect-Get (PRG) pattern: after a successful POST, redirect. Prevents form resubmission on refresh.

→

← Previous

Day 2: SQLAlchemy and Databases

Day 4: Authentication

→

What's Next

The foundations from today carry directly into Day 4. In the next session the focus shifts to REST APIs and Flask-RESTful — building directly on everything covered here.

Supporting Videos & Reading

Go deeper with these external references.

YouTube

Authentication and Flask-Login — Video Walkthroughs Community tutorials and walkthroughs covering the concepts in this lesson.

→

YouTube

Authentication and Flask-Login Explained Deep-dive explanations and live-coding sessions from top educators.

→

Official Docs

Official Documentation Primary reference documentation for the technologies covered in this lesson.

→

GitHub

Open Source Examples Real-world codebases demonstrating the patterns taught in this lesson.

→

Day 3 Checkpoint

Before moving on, verify you can answer these without looking:

What is the core concept introduced in this lesson, and why does it matter?
What are the two or three most common mistakes practitioners make with this topic?
Can you explain the key code pattern from this lesson to a colleague in plain language?
What would break first if you skipped the safeguards or best practices described here?
How does today's topic connect to what comes in Day 4?

Live Bootcamp

Learn this in person — 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.

Reserve Your Seat →

Continue To Day 4

Day 4: Authentication

→