Use config.py to configure the following parameters. By default it will use SQLLITE DB, and bootstrap's default theme:
.. cssclass:: table-bordered table-hover
| Key | Description | Mandatory |
|---|---|---|
| SQLALCHEMY_DATABASE_URI | DB connection string (flask-sqlalchemy) | Cond. |
| SECRET_KEY | Flask secret key used for securely signing the session cookie Set the secret_key on the application to something unique and secret. | Yes |
| MONGODB_SETTINGS | DB connection string (flask-mongoengine) | Cond. |
|
|
Yes |
| AUTH_USER_REGISTRATION = True|False | Set to True to enable user self registration | No |
| AUTH_USERNAME_CI = True|False | Make auth login CI of not defaults to true | No |
| AUTH_USER_REGISTRATION_ROLE | Set role name, to be assign when a user registers himself. This role must already exist. Mandatory when using user registration | Cond. |
| AUTH_USER_REGISTRATION_ROLE_JMESPATH | The JMESPath
expression used to evaluate user role on
registration. If set, takes precedence
over AUTH_USER_REGISTRATION_ROLE.
Requires jmespath to be installed.
See :ref:`jmespath-examples` for examples |
No |
| AUTH_REMOTE_USER_ENV_VAR | When using AUTH_TYPE = AUTH_REMOTE_USER Optionally set the wsgi environment var that holds the current logged in user Default: REMOTE_USER | No |
| AUTH_ROLES_SYNC_AT_LOGIN | Sets if user's roles are replaced each login with those received from LDAP/OAUTH Default: False | No |
| AUTH_ROLES_MAPPING | A mapping from LDAP/OAUTH group names to FAB roles See example under AUTH_LDAP_GROUP_FIELD |
No |
| AUTH_LDAP_SERVER | define your ldap server when AUTH_TYPE=2 example: AUTH_TYPE = 2 AUTH_LDAP_SERVER = "ldap://ldapserver.new" For using LDAP over TLS, set the protocol scheme to "ldaps" and set "AUTH_LDAP_USE_TLS = False" |
Cond. |
| AUTH_LDAP_USE_TLS | Require the use of STARTTLS | |
| AUTH_LDAP_BIND_USER | Define the DN for the user that will be used for the initial LDAP BIND. This is necessary for OpenLDAP and can be used on MSFT AD. AUTH_LDAP_BIND_USER = "cn=queryuser,dc=example,dc=com" |
No |
| AUTH_LDAP_BIND_PASSWORD | Define password for the bind user. | No |
| AUTH_LDAP_TLS_DEMAND | Demands TLS peer certificate checking (Bool) | No |
| AUTH_LDAP_TLS_CACERTDIR | CA Certificate directory to check peer certificate. Certificate files must be PEM-encoded | No |
| AUTH_LDAP_TLS_CACERTFILE | CA Certificate file to check peer certificate. File must be PEM-encoded | No |
| AUTH_LDAP_TLS_CERTFILE | Certificate file for client auth use with AUTH_LDAP_TLS_KEYFILE | No |
| AUTH_LDAP_TLS_KEYFILE | Certificate key file for client aut | No |
| AUTH_LDAP_SEARCH | Use search with self user registration or when using AUTH_LDAP_BIND_USER. AUTH_LDAP_SERVER = "ldap://ldapserver.new" AUTH_LDAP_SEARCH = "ou=people,dc=example" |
No |
| AUTH_LDAP_SEARCH_FILTER | Filter or limit allowable users from the LDAP server, e.g., only the people on your team. AUTH_LDAP_SEARCH_FILTER = "(memberOf=cn=group name,OU=type,dc=ex ,cn=com)" |
No |
| AUTH_LDAP_UID_FIELD | if doing an indirect bind to ldap, this is the field that matches the username when searching for the account to bind to. example: AUTH_TYPE = 2 AUTH_LDAP_SERVER = "ldap://ldapserver.new" AUTH_LDAP_SEARCH = "ou=people,dc=example" AUTH_LDAP_UID_FIELD = "uid" |
No |
| AUTH_LDAP_GROUP_FIELD | sets the field in the ldap directory that stores the user's group uids. This field is used in combination with AUTH_ROLES_MAPPING to propagate the users groups into the User database. Default is "memberOf". example: AUTH_TYPE = 2 AUTH_LDAP_SERVER = "ldap://ldapserver.new" AUTH_LDAP_SEARCH = "ou=people,dc=example" AUTH_LDAP_GROUP_FIELD = "memberOf"
} |
No |
| AUTH_LDAP_FIRSTNAME_FIELD | sets the field in the ldap directory that stores the user's first name. This field is used to propagate user's first name into the User database. Default is "givenName". example: AUTH_TYPE = 2 AUTH_LDAP_SERVER = "ldap://ldapserver.new" AUTH_LDAP_SEARCH = "ou=people,dc=example" AUTH_LDAP_FIRSTNAME_FIELD = "givenName" |
No |
| AUTH_LDAP_LASTNAME_FIELD | sets the field in the ldap directory that stores the user's last name. This field is used to propagate user's last name into the User database. Default is "sn". example: AUTH_TYPE = 2 AUTH_LDAP_SERVER = "ldap://ldapserver.new" AUTH_LDAP_SEARCH = "ou=people,dc=example" AUTH_LDAP_LASTNAME_FIELD = "sn" |
No |
| AUTH_LDAP_EMAIL_FIELD | sets the field in the ldap directory that stores the user's email address. This field is used to propagate user's email address into the User database. Default is "mail". example: AUTH_TYPE = 2 AUTH_LDAP_SERVER = "ldap://ldapserver.new" AUTH_LDAP_SEARCH = "ou=people,dc=example" AUTH_LDAP_EMAIL_FIELD = "mail" |
No |
| AUTH_LDAP_ALLOW_SELF_SIGNED | Allow LDAP authentication to use self signed certificates (LDAPS) | No |
| AUTH_LDAP_APPEND_DOMAIN | Append a domain to all logins. No need to use john@domain.local. Set it like: AUTH_LDAP_APPEND_DOMAIN = 'domain.local' And the user can login using just 'john' |
No |
| AUTH_LDAP_USERNAME_FORMAT | It converts username to specific format for LDAP authentications. For example, username = "userexample" AUTH_LDAP_USERNAME_FORMAT="format-%s". It authenticates with "format-userexample". |
No |
| AUTH_ROLE_ADMIN | Configure the name of the admin role. | No |
| AUTH_ROLE_PUBLIC | Special Role that holds the public permissions, no authentication needed. | No |
| AUTH_API_LOGIN_ALLOW_MULTIPLE_PROVIDERS True|False | Allow REST API login with alternative auth providers (default False) | No |
| APP_NAME | The name of your application. | No |
| APP_THEME | Various themes for you to choose from (bootwatch). | No |
| APP_ICON | path of your application icons will be shown on the left side of the menu | No |
| ADDON_MANAGERS | A list of addon manager's classes Take a look at addon chapter on docs. | No |
| UPLOAD_FOLDER | Files upload folder. Mandatory for file uploads. | No |
| FILE_ALLOWED_EXTENSIONS | Tuple with allower extensions. FILE_ALLOWED_EXTENSIONS = ('txt','doc') | No |
| IMG_UPLOAD_FOLDER | Image upload folder. Mandatory for image uploads. | No |
| IMG_UPLOAD_URL | Image relative URL. Mandatory for image uploads. | No |
| IMG_SIZE | tuple to define default image resize. (width, height, True|False). | No |
| BABEL_DEFAULT_LOCALE | Babel's default language. | No |
| LANGUAGES | A dictionary mapping the existing languages with the countries name and flag | No |
| LOGOUT_REDIRECT_URL | The location to redirect to after logout | No |
| FAB_API_SHOW_STACKTRACE | Sends api stack trace on uncaught exceptions. (Boolean) | No |
| FAB_API_MAX_PAGE_SIZE | Sets a limit for FAB Model Api page size | No |
| FAB_API_SWAGGER_UI | Enables a Swagger UI view (Boolean) | No |
| FAB_API_SWAGGER_TEMPLATE | Path of your custom Swagger Template | No |
| FAB_API_ALLOW_JSON_QS | Allow query string parameters to be JSON Default is True (Boolean) | No |
| FAB_UPDATE_PERMS | Enables or disables update permissions Default is True (Boolean) | No |
| FAB_SECURITY_MANAGER_CLASS | Declare a new custom SecurityManager class | No |
| FAB_ADD_SECURITY_API | [Beta] Adds a CRUD REST API for users, roles, permissions, view_menus. Further details on /swagger/v1 All endpoints are under /api/v1/sercurity/ [Note]: This feature is still in beta breaking changes are likely to occur | No |
| FAB_ADD_SECURITY_VIEWS | Enables or disables registering all security views (boolean default:True) | No |
| FAB_ADD_SECURITY_PERMISSION_VIEW | Enables or disables registering the permission view (boolean default:True) | No |
| FAB_ADD_SECURITY_VIEW_MENU_VIEW | Enables or disables registering the view_menu view (boolean default:True) | No |
| FAB_ADD_SECURITY_PERMISSION_VIEWS_VIEW | Enables or disables registering the pmv views (boolean default:True) | No |
| FAB_ADD_OPENAPI_VIEWS | Enables or disables registering all OPENAPI views (boolean default:True) | No |
| FAB_OPENAPI_SERVERS | Used for setting OpenApi Swagger UI servers if not set Swagger will use the current request host URL | No |
| FAB_ROLES | Configure builtin roles see Security chapter for further detail | No |
| FAB_INDEX_VIEW | Path of your custom IndexView class (str) | No |
| FAB_MENU | Path of your custom Menu class (str) | No |
| FAB_BASE_TEMPLATE | Path of your custom base template | No |
| FAB_STATIC_FOLDER | Path to override default static folder | No |
| FAB_STATIC_URL_PATH | Path to override default static folder | No |
| FAB_PASSWORD_COMPLEXITY_VALIDATOR | Hook for your own custom password validator function. | No |
| FAB_PASSWORD_COMPLEXITY_ENABLED | Enables the password complexity validation for AUTH database users. Default is False. | No |
| FAB_PASSWORD_HASH_METHOD | Sets the password hashing method. For the
supported parameters see
generate_password_hash.
Default: 'scrypt'. |
No |
| FAB_SAFE_REDIRECT_HOSTS | A List[str] with allowed domains to check when validating safe redirect | No |
| FAB_PASSWORD_HASH_SALT_LENGTH | Sets the password hashing salt length.
Default: 16. |
No |
Make sure you set your own SECRET_KEY to something unique and secret. This secret key is used by Flask for securely signing the session cookie and can be used for any other security related needs by extensions or your application. It should be a long random bytes or str. For example, copy the output of this to your config:
$ python -c 'import secrets; print(secrets.token_hex())' '192b9bdd22ab9ed4d12e236c78afcb9a393ec15f71bbf5dc987d54727823bcbf'
My favorite way, and the one I advise if you are building a medium to large size application is to place all your configuration keys on a config.py file
Next you only have to import them to the Flask app object, like this
app = Flask(__name__)
app.config.from_object('config')
Take a look at the skeleton config.py
If user self registration is enabled and AUTH_USER_REGISTRATION_ROLE_JMESPATH is set, it is
used as a JMESPath expression to evalate user registration role. The input
values is userinfo dict, returned by get_oauth_user_info function of Security Manager.
Usage of JMESPath expressions requires jmespath package
to be installed.
In case of Google OAuth, userinfo contains user's email that can be used to map some users as admins
and rest of the domain users as read only users. For example, this expression:
contains(['user1@domain.com', 'user2@domain.com'], email) && 'Admin' || 'Viewer'
causes users 1 and 2 to be registered with role Admin and rest with the role Viewer.
JMESPath expression allow more groups to be evaluated:
email == 'user1@domain.com' && 'Admin' || (email == 'user2@domain.com' && 'Op' || 'Viewer')
For more example, see specification.