I created a login form with Flask-WTForms:
```python
from flask_wtf import FlaskForm
from wtforms import BooleanField, PasswordField, StringField, SubmitField
from wtforms.validators import DataRequired, Email

# data_required_message and validate_login are defined earlier in the same module
# (the validator is shown in the next snippet).


class LoginForm(FlaskForm):
    legend = 'Anmelden'
    email = StringField(
        'E-Mail',
        validators=[
            DataRequired(message=data_required_message),
            Email(message='Keine gültige E-Mail Adresse.'),
            validate_login  # custom validator, first call per submit
        ]
    )
    password = PasswordField(
        'Passwort',
        validators=[
            DataRequired(message=data_required_message),
            validate_login  # the same validator runs a second time here
        ]
    )
    remember = BooleanField('Angemeldet bleiben')
    submit = SubmitField('Anmelden')
```
```python
from wtforms.validators import ValidationError

# User (SQLAlchemy model) and bcrypt (Flask-Bcrypt instance) are the app's own
# objects, assumed to be imported in this module.


def validate_login(form, field):
    # Attached to both the email and the password field, so the lookup and the
    # hash check below run once per field on every submit.
    user = User.query.filter_by(email=form.email.data).first()
    if not user:
        raise ValidationError('E-Mail Adresse oder Passwort falsch.')
    elif not bcrypt.check_password_hash(user.password, form.password.data):
        raise ValidationError('E-Mail Adresse oder Passwort falsch.')
```
```python
# Inside the login view; `form` is a LoginForm bound to the current request.
if form.validate_on_submit():
    # validate_login has already run for both fields at this point, so this is
    # the third lookup and hash check for the same submit.
    user = User.query.filter_by(email=form.email.data).first()
    if user and bcrypt.check_password_hash(user.password, form.password.data):
        login_user(user, remember=form.remember.data)
```
1. calling validate_login for the email field
2. calling validate_login for the password field
3. actually logging the user in
This seems like bad practice.
I definitely want to show the error message on both email and password fields so the user doesn't know whether an e-mail exists in the system or not.
Do you have any ideas how this could be improved? Or should I just leave it as it is? It works as intended.