At the moment, if you simply navigate to /secrets you can see the secret page and the download link. There are no authentication barriers. How can we make sure that only registered/logged in users can see that page and download the file?
We'll need to secure certain routes in our server and make them only accessible if a user is authenticated.
To do this, most Flask developers will use the Flask_Login package.
HARD CHALLENGE:
Use the Flask_Login documentation to implement the /login route. The /secrets route should be secured so that it requires the user to be logged in.
This is what you're aiming for:
HINT 1: You will need to configure your Flask app to use Flask_Login.
HINT 2: You will need to create a user_loader function.
HINT 3: Make sure you implement the UserMixin in your User class.
Note: A Mixin is simply a way to provide multiple inheritance to Python. This is how you add a Mixin:
class MyClass(MixinClassB, MixinClassA, BaseClass):
HINT 4: You can check the user's password using the check_password_hash function.
HINT 5: You need to find the user by the email they entered in the login form.
HINT 6: If the user has successfully logged in or registered, you need to use the login_user() function to authenticate them.
HINT 7: Both the /secrets and /download route need to be secured so that only authenticated users can access them.