I want to obtain csrf-token provided by flask-wtf and assign it to a variable for future use with my flask app architecture. There's a way to either render it with hidden field {{ form.csrf_token }} or via csrf_token() for jinja. But docs do not mention how to achieve, say, the following:
from flask import Flask, jsonify
from flask_wtf.csrf import CSRFProtect
app = Flask(__name__)
app.secret_key = 'secret'
csrf = CSRFProtect(app)
#app.route('/api/get/endpoint_which_returns_json/', methods=['GET'])
def api():
csrf_token = # ??? what belongs here ???
return jsonify({'token': csrf_token})
if __name__ == '__main__':
app.run(debug=True)
How to achieve that? Thank you in advance.
When you use {{ form.csrf_token }} or {{ csrf_token() }} in your templates through Flask-WTF, they are just calling the flask_wtf.csrf.generate_csrf() function. You can import that and call it yourself to generate a token inside your view:
from flask_wtf.csrf import generate_csrf
#app.route('/', methods=['GET'])
def api():
return jsonify({'token': generate_csrf()})
I'm assuming the idea here is that the api client would be responsible for returning the token with POST requests to your other api resources? If you are just generating the token server-side so as to be able to validate forms that would otherwise require it, you may as well just disable CSRF protection.
Related
When i try to display the variable "balance" in my HTML code,it will appear in the page but it won't update when using a function that has to update it,and it keeps returning me the same value (10) when running the app on browser.
<a href="{{ url_for('deposit10')}}" class='btn btn-primary'>10</a>
Balance: {{ balance }}
from flask import Flask, render_template
app = Flask(__name__)
balance=10
..
..
..
#app.route('/home', methods = ['GET', 'POST'])
def deposit10(balance,safe):
if balance>=10:
balance-=10
safe+=10
return render_template("game1.html", balance=balance)
else:
return 0
I’m new to web development. I have learned how to make a web sever using flask. What I want to do is make an html button run python code from the web server when it is clicked. Is this even possible? If so, can someone point me to some html examples that can do that?
Update: I think I found some code that might work with what I’m asking. I don’t know for sure if it would work or not.
Here is the link:
Call a python function within a html file
If I were to convert the “click a link” aspect of the code to “click a button” would it run my python code on the viewers end, not my end?
It is Possible in Two ways
Create an HTML form and button to submit the form. The from can call the post URL on the flask server
Add some javascript to the HTML and call any HTTP method /url that you have created using the flask server.
You can use button with form or with JavaScript
Form
Normally to use button you need <form> which sends request to Flask to url defined in action="..." and Flask sends back response (text/HTML) and browser automatically put it in window in place of previous HTML - so server has to generate full HTML again and again.
from flask import Flask, request, render_template_string
import datetime
app = Flask(__name__)
#app.route('/')
def index():
return render_template_string('''<form action="/page" method="POST">
<button type="submit" name="btn" value="Button 1">Button 1</button>
<button type="submit" name="btn" value="Button 2">Button 2</button>
<button type="submit" name="btn" value="Button 3">Button 3</button>
</form>''')
#app.route('/page', methods=['GET', 'POST'])
def page():
value = request.form.get('btn') # gives text from `value="Button 1"`
return f'You pressed {value} at ' + datetime.datetime.now().strftime('%Y.%m.%d %H:%M.%S')
if __name__ == '__main__':
#app.debug = True
app.run() #debug=True
And the same using empty action="" so it sends request to the same url and it needs to check request.method to run different code
from flask import Flask, request, render_template_string
import datetime
app = Flask(__name__)
#app.route('/', methods=['GET', 'POST'])
def index():
if request.method == 'POST':
value = request.form.get('btn') # gives text from `value="Button 1"`
info = f'You pressed {value} at ' + datetime.datetime.now().strftime('%Y.%m.%d %H:%M.%S')
else:
info = ""
return render_template_string('''<form action="" method="POST">
<button type="submit" name="btn" value="Button 1">Button 1</button>
<button type="submit" name="btn" value="Button 2">Button 2</button>
<button type="submit" name="btn" value="Button 3">Button 3</button>
</form>{{text}}''', text=info)
if __name__ == '__main__':
#app.debug = True
app.run() #debug=True
JavaScript
If you want to execute Flask code without reloading all HTML then you need to use JavaScript which can send request to server using old
XMLHttpRequest or modern fetch(), get response and replace only part of HTML. Often in this method server sends JSON data and JavaScript may use it to replace HTML in different places.
And this method need to learn JavaScript to create something more complex.
from flask import Flask, request, render_template_string
import datetime
app = Flask(__name__)
#app.route('/')
def index():
return render_template_string('''
<button onclick="my_function()">Get Time</button>
<span id="time">Press Button to see current time on server.</span>
<script>
span_time = document.querySelector("#time");
function my_function(){
fetch('/get_time')
.then(res => res.text())
.then(text => span_time.innerHTML = text);
}
</script>
''')
#app.route('/get_time')
def time():
return datetime.datetime.now().strftime('%Y.%m.%d %H:%M.%S')
if __name__ == '__main__':
#app.debug = True
app.run() #debug=True
In examples I use render_template_string instead of render_template to make code simpler - now everyone can copy code and paste to one file and run it.
I've been testing whether routes exist using
def test_index(self):
r = self.app.get("/")
self.assertEqual(200, r.status_code, "Status code was not 'OK'.")
My template has a hyperlink to another page. Is there a way to test if this exists?
Well, if you are testing templates, every template you render is the result of a request to some route. If you render url's in a template using url_for(), then it will raise a BuildError if the url is pointing to a non existing route, and the server will return the status code 500. Therefore, you don't need to parse your templates manually for testing purposes if you just check the route instead.
Example:
from flask import Flask, render_template_string
app = Flask(__name__)
#app.route('/index')
def index():
return render_template_string("""
{{ url_for('index') }}
{{ url_for('blabla') }}
""")
def test_index(self):
r = self.app.get("/index")
self.assertEqual(200, r.status_code, "Status code was not 'OK'.")
This will result in a
routing.BuildError: Could not build url for endpoint 'blabla'. Did you mean 'static' instead? error, which makes your tests fail.
I hope this explanation is clear enough!
I'd like to create and fill out a Flask WTF-Form using only python code. However, the form doesn't automatically generate a CSRF token when I create it with python code. Is there any way to do this manually?
The form in question:
from flask_wtf import Form
from wtforms import StringField
from wtforms.validators import DataRequired, URL
class URLForm(Form):
url = StringField('url', validators=[DataRequired(), URL(), Level3Url()])
the code I use to generate the form:
from forms import URLForm
form = URLForm()
if 'url' in request.args:
url = request.args.get('url')
form.url.data = url
if form.validate():
...
You'd be effectively disabling CSRF protection by generating and passing a token to the form locally. It's only effective when the user submits a previously generated token.
Since you're not using CSRF protection, disable it. You can also pass request.args as the source of data.
form = URLForm(request.args, csrf_enabled=False)
If you want to use CSRF for this form, then the form needs to send the csrf_token field, which can be rendered with {{ form.csrf_token }} or {{ form.hidden_tag() }}.
In newest version of flask_wtf (0.14.2) you can disable csrf token in this way.
form = URLForm(request.args, meta={'csrf': False})
So there's this flask app that I'm working on for this project and I need it to run in a loop at timed variables to check for the status of certain variables and then give a output accordingly. However, the problem I have is I need to render a template in Flask before the loop restarts. In the changelog on http://flask.pocoo.org/ it's indicated that it's possible to render templates without using the request context but I haven't seen any real examples of this. So is there a way to render templates in Flask without having to use the request context without getting any errors? Any help that can be given is appreciated.
UPDATE:
Here's the code I'm working with
from flask import Flask, render_template, request, flash, redirect, url_for
import flask
import time
from flask.ext.assets import Environment, Bundle
from flask_wtf import Form
from wtforms import TextField, TextAreaField, SubmitField
from wtforms.validators import InputRequired
CSRF_ENABLED = True
app = Flask(__name__)
app.secret_key = 'development key'
app = flask.Flask('my app')
assets = Environment(app)
assets.url = app.static_url_path
scss = Bundle('scss/app.scss', filters='scss', output='css/app.css')
assets.register('app_scss', scss)
#app.route('/')
def server_1():
r=1
g=2
b=3
i=g
if i == g:
with app.app_context():
print "Loading Template..."
rendered = flask.render_template('server_1.html', green=True)
print "Success! Template was loaded with green server status..."
time.sleep(5)
if __name__ == '__main__':
app.run(port=5000, debug=True)
You can do it by binding your application as the current application. Then you can use render_template() to render a template from your template directory, or render_template_string() to render directly from a template stored in a string:
import flask
app = flask.Flask('my app')
with app.app_context():
context = {'name': 'bob', 'age': 22}
rendered = flask.render_template('index.html', **context)
with app.app_context():
template = '{{ name }} is {{ age }} years old.'
context = {'name': 'bob', 'age': 22}
rendered = flask.render_template_string(template, **context)
Alternatively you could bypass Flask and go directly to Jinja2:
import jinja2
template = jinja2.Template('{{ name }} is {{ age }} years old.')
rendered = template.render(name='Ginger', age=10)
Update
It appears that you might be wanting to stream content back to the requesting client. If so you could write a generator. Something like this might work:
import time
from flask import Flask, Response, render_template_string
from flask import stream_with_context
app = Flask(__name__)
#app.route("/")
def server_1():
def generate_output():
age = 0
template = '<p>{{ name }} is {{ age }} seconds old.</p>'
context = {'name': 'bob'}
while True:
context['age'] = age
yield render_template_string(template, **context)
time.sleep(5)
age += 5
return Response(stream_with_context(generate_output()))
app.run()
Here is some documentation on streaming with Flask.