App Engine user authentication

Few months ago, I was searching for a user authentication boilerplate for my project on app engine. I came across this project by Alessandro Bahgat. It has features like user registration, login, logout and it was a great help for me.

My implementation is totally based on it but in course of development of my project I found bugs in it and made few improvements and fixed some loop holes that may lead to unauthenticated login. So this is boilerplate has all the features the original implementation has but with good improvements.

First check out this article which has detailed instructions about has it is implemented. basically it is based on app engine user model which uses ndb for storage and can be used to store user properties. 

Configuring the app

Before running or pushing the code on app engine, you have to do a few configurations. First change the app name to the project id you have registered on app engine.

application: user-authentication-app
version: 1
runtime: python27
api_version: 1
threadsafe: yes

Mine is *user-authentication-app *, change is to your registered id.

Second add the admin mail id which will be used to send verification mail. Change mt email id in config['admin'] to yours in config.

config = {
  'webapp2_extras.auth': {
    'user_model': 'models.User',
    'user_attributes': ['name'],
  'webapp2_extras.sessions': {
    'secret_key': 'YOUR_SECRET_KEY'
  'config' : {
  'admin' : ''

User registration

user can register by going to sign up page or at /signup at sign up application checks whether this user exits and prompts if it does, otherwise it sends mail to email id provided by the user. 

User can't login without verifying the email id and app prompts that your id is not verified.

Forget Password

User can recover account if he/she forgets the password, add sends authentication mail to user id. User can follow the link in the mail to change the password and re-login.

It is handled by ForgetPasswordHandler() class and password change is handled by *VerificationHandler(). *You can change the verification handler to ask for user id at password change if you want to improve security. 

Authenticated user

After authentication, user is redirected to dashboard page. This is handled by *AuthenticatedHandler() *as follows:

class AuthenticatedHandler(BaseHandler):
  def get(self):

@user_required is a decorator which checks if there is a authenticated with the current session. You can include your code in AuthenticatedHandler() to do what you wish after user authentication.

Project details

Project is on github and play around with it. Feel free to ask any questions or if you have any improvement, send a pull request..:-)


* *