
Overview

Authentication routes handle user login, registration, and logout operations. All routes include rate limiting for security.

Login

/login
GET | POST
Handle user login process
Route Decorator:
@bp.route("/login", methods=["GET", "POST"])
@limiter.limit("5 per minute;20 per hour", methods=["POST"])
Authentication: None required
Parameters:
  • email (string, required): User’s email address
  • password (string, required): User’s password
  • remember_me (boolean): Whether to remember the user’s session
Returns:
  • On success: Redirects to main.home
  • On failure: Redirects back to login with error message
  • For authenticated users: Redirects to main.home
Rate Limits:
  • POST requests: 5 per minute, 20 per hour per IP
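The limiter strings above ("5 per minute;20 per hour") impose two windows at once on each client IP, and a POST is refused as soon as either window is full. The following is an added example, not the project's code and not Flask-Limiter itself: a small sliding-window limiter that parses those strings and replays a constructed scenario (one address sending login POSTs faster than allowed, a second address unaffected) with an injected clock so the outcome is deterministic.

```python
"""Per-IP limiter that understands "5 per minute;20 per hour" style strings.

Added example for illustration only; it is not Flask-Limiter and not the
project's code. Sliding-window (timestamp log) semantics are an assumption,
chosen because they are the easiest to reason about.
"""
from collections import defaultdict, deque
import time

WINDOW_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limits(spec):
    """Turn "5 per minute;20 per hour" into [(5, 60), (20, 3600)]."""
    limits = []
    for part in spec.split(";"):
        count, _, unit = part.strip().split()
        limits.append((int(count), WINDOW_SECONDS[unit]))
    return limits


class IPRateLimiter:
    def __init__(self, spec, clock=time.monotonic):
        self.limits = parse_limits(spec)
        self.clock = clock
        # ip -> timestamps of attempts that counted, oldest first
        self.history = defaultdict(deque)

    def allow(self, ip):
        """Return True if this attempt is within every window, else False."""
        now = self.clock()
        attempts = self.history[ip]
        longest = max(window for _, window in self.limits)
        # Drop attempts older than the longest window; they can no longer matter
        while attempts and now - attempts[0] >= longest:
            attempts.popleft()
        for count, window in self.limits:
            recent = sum(1 for t in attempts if now - t < window)
            if recent >= count:
                return False  # refused: this window is already full
        attempts.append(now)
        return True


def simulate_login_posts(spec="5 per minute;20 per hour"):
    """Constructed scenario: two client addresses, one of them over the limit."""
    clock = {"now": 0.0}
    limiter = IPRateLimiter(spec, clock=lambda: clock["now"])
    noisy, bystander = "203.0.113.7", "198.51.100.2"  # constructed addresses
    outcome = {}

    # Six POSTs one second apart: the fifth is the last one allowed this minute
    outcome["burst"] = []
    for _ in range(6):
        outcome["burst"].append(limiter.allow(noisy))
        clock["now"] += 1

    # An unrelated client is not affected by the first one's history
    outcome["other_ip"] = limiter.allow(bystander)

    # Five per minute stays under the minute window, but the hourly cap of 20
    # is reached after the third batch (5 from the burst + 15 more)
    batches = []
    for _ in range(5):
        clock["now"] += 61  # past the previous minute window
        batches.append([limiter.allow(noisy) for _ in range(5)])
    outcome["minute_batches"] = batches
    return outcome


if __name__ == "__main__":
    print(simulate_login_posts())
```

The per-IP keying is also the limiter's weak point: clients that share an address (a school NAT, for instance) share the budget, and a client with many addresses gets many budgets, which is why the limits are a brake on credential stuffing rather than a stand-alone defence.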

Register

/register
GET | POST
Handle user registration process
Route Decorator:
@bp.route("/register", methods=["GET", "POST"])
@limiter.limit("3 per minute;10 per hour", methods=["POST"])
Authentication: None required
Parameters:
  • first_name (string, required): User’s first name (no whitespace allowed)
  • last_name (string, required): User’s last name (no whitespace allowed)
  • email (string, required): User’s email address (must be unique, no whitespace)
  • password (string, required): User’s password (will be hashed)
  • year (string, required): School year (7, 8, 9, 10, 11, 12, or 13)
  • maths_class (string, required): User’s maths class
Validation:
  • Names and email are checked for profanity
  • Email must be unique in the database
  • Whitespace is not allowed in names or email
  • Year is mapped to key stage automatically:
    • Years 7-8: KS3
    • Years 9-11: KS4
    • Years 12-13: KS5
Returns:
  • On success: Redirects to auth.login with success message
  • On failure: Redirects back to register with error message
Rate Limits:
  • POST requests: 3 per minute, 10 per hour per IP
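The validation rules listed for this route (required fields, no whitespace in names or email, unique email, year mapped to key stage, password hashed before storage) are shown together in the following added example. It is not the project's code: the user store is an in-memory dict standing in for the database, the hash is scrypt from the standard library (the project's actual hashing scheme is not stated on this page), and the profanity check, which the project delegates to Better Profanity, is deliberately left out.

```python
"""Registration checks in the style of the /register route.

Added example, not the project's code. Standard library only; the `users`
dict stands in for the database and scrypt is an assumed hashing choice.
"""
import hashlib
import hmac
import os

# Year -> key stage, exactly as the route documentation describes
KEY_STAGE_BY_YEAR = {"7": "KS3", "8": "KS3",
                     "9": "KS4", "10": "KS4", "11": "KS4",
                     "12": "KS5", "13": "KS5"}


def key_stage_for_year(year):
    """Map the submitted school year (a form string) to its key stage."""
    try:
        return KEY_STAGE_BY_YEAR[year.strip()]
    except KeyError:
        raise ValueError(f"invalid year: {year!r}") from None


def has_whitespace(value):
    return any(ch.isspace() for ch in value)


def hash_password(password, salt=None):
    """scrypt with a random 16-byte salt; stored as 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def register(form, users):
    """Validate a registration form; on success store the user. Returns (ok, message)."""
    for field in ("first_name", "last_name", "email", "password", "year", "maths_class"):
        if not form.get(field):
            return False, f"{field} is required"
    for field in ("first_name", "last_name", "email"):
        if has_whitespace(form[field]):
            return False, f"{field} must not contain whitespace"
    if form["email"] in users:
        return False, "email already registered"
    try:
        key_stage = key_stage_for_year(form["year"])
    except ValueError as exc:
        return False, str(exc)
    users[form["email"]] = {
        "first_name": form["first_name"],
        "last_name": form["last_name"],
        "password_hash": hash_password(form["password"]),  # plaintext is never stored
        "year": form["year"],
        "key_stage": key_stage,
        "maths_class": form["maths_class"],
        "is_admin": False,  # only /register_admin sets this, and only outside production
    }
    return True, "registration successful"


def demo():
    """Constructed submissions exercising each rule; returns the outcomes."""
    users = {}
    good = {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.org",
            "password": "correct horse", "year": "10", "maths_class": "10X1"}
    results = {"first": register(good, users),
               "duplicate": register(good, users),
               "space_in_name": register({**good, "email": "b@example.org",
                                          "first_name": "A da"}, users),
               "bad_year": register({**good, "email": "c@example.org", "year": "14"}, users),
               "key_stage": users["ada@example.org"]["key_stage"]}
    stored = users["ada@example.org"]["password_hash"]
    results["login_ok"] = verify_password("correct horse", stored)
    results["login_bad"] = verify_password("wrong", stored)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details worth keeping when adapting this: the duplicate check and the insert should run in one database transaction (or rely on a unique index) so that two concurrent registrations cannot both pass the `in users` test, and the error messages returned to the browser should stay as generic as the ones here so the form does not become an oracle for which addresses are registered.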

Admin Registration

/register_admin
GET | POST
Handle admin user registration (disabled in production)
Route Decorator:
@bp.route("/register_admin", methods=["GET", "POST"])
@limiter.limit("2 per minute;5 per hour", methods=["POST"])
Availability: Only available in non-production environments
Authentication: None required
Parameters: Same as regular registration
Additional Behavior:
  • Sets is_admin=True on created user
  • In production: Redirects to main.home with warning message
Rate Limits:
  • POST requests: 2 per minute, 5 per hour per IP

Autumn Competition Registration

/autumn_register
GET | POST
Handle user registration for autumn competition
Route Decorator:
@bp.route("/autumn_register", methods=["GET", "POST"])
@limiter.limit("3 per minute;10 per hour", methods=["POST"])
Authentication: None required
Parameters:
  • first_name (string, required): User’s first name
  • last_name (string, required): User’s last name
  • email (string, required): User’s email address (must be unique)
  • password (string, required): User’s password
  • year (string, required): School year (7-13)
  • school_id (integer, required): ID of the user’s school (from School model)
Additional Behavior:
  • Sets is_competition_participant=True
  • Assigns user to selected school
  • School choices populated from database
Returns:
  • On success: Redirects to auth.summer_login
  • On failure: Redirects back with error message

Autumn Competition Login

/autumn_login
GET | POST
Handle login for autumn competition participants
Route Decorator:
@bp.route("/autumn_login", methods=["GET", "POST"])
@limiter.limit("5 per minute;20 per hour", methods=["POST"])
Authentication: None required
Parameters:
  • email (string, required): User’s email address
  • password (string, required): User’s password
  • school_id (integer, required): User’s school ID (displayed in dropdown)
  • remember_me (boolean): Whether to remember the session
Returns:
  • On success: Redirects to main.home
  • On failure: Redirects to auth.login with error

Logout

/logout
GET
Handle user logout process
Route Decorator:
@bp.route("/logout")
Authentication: None required (will log out the current user if authenticated)
Parameters: None
Returns:
  • Always redirects to main.home
  • Terminates current user session via logout_user()

Security Features

All authentication routes implement:
  1. Password Hashing: Passwords are hashed before database storage
  2. Profanity Filtering: User names and emails checked using Better Profanity
  3. Rate Limiting: Per-IP limits on all POST endpoints
  4. Duplicate Prevention: Email uniqueness enforced
  5. Whitespace Validation: Names and emails must not contain spaces
  6. Admin Protection: Admin registration disabled in production
