The latest articles on DEV Community by Gaurav Digari (@gaurav_digari). https://dev.to/gaurav_digari https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3996154%2F8a380120-3aba-4197-90da-03b865144e5c.jpeg https://dev.to/gaurav_digari en Gaurav Digari Mon, 22 Jun 2026 05:34:08 +0000 https://dev.to/gaurav_digari/i-got-tired-of-rebuilding-flask-auth-from-scratch-so-i-built-a-proper-starter-kit-2d7a https://dev.to/gaurav_digari/i-got-tired-of-rebuilding-flask-auth-from-scratch-so-i-built-a-proper-starter-kit-2d7a <p>Every Flask project I started followed the same painful pattern.</p> <p>Day 1: excited about the idea.<br> Day 2: still setting up signup and login.<br> Day 3: debugging OTP email delivery.<br> Day 4: building an admin panel to manage users.<br> Day 5: finally writing the first line of the actual idea.</p> <p>Sound familiar?</p> <p>After the third time doing this, I stopped and built it properly once — a production-ready Flask authentication and admin foundation I could drop into any new project.</p> <h2> What I actually built </h2> <p>Not a tutorial-level "here's how Flask-Login works" setup. A real, production-ready codebase with actual security practices:</p> <p><strong>Authentication</strong></p> <ul> <li>Signup and login with secure session handling</li> <li>Email OTP verification — 6-digit code, expires in 10 minutes, resend with cooldown</li> <li>Password complexity enforced both client-side and server-side (not just a frontend hint)</li> <li>Forgot/reset password with single-use, expiring tokens</li> <li>Passwords hashed with bcrypt — never stored plain</li> </ul> <p><strong>Security</strong></p> <ul> <li>Rate limiting on login, OTP requests, and password reset (Flask-Limiter)</li> <li>CSRF protection on every form</li> <li>Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)</li> <li>Cache-control headers that prevent browsers from showing stale authenticated pages on back/forward navigation</li> <li>Input validation and sanitization on every endpoint</li> <li>No secrets hardcoded anywhere — everything from environment variables</li> </ul> <p><strong>Admin panel</strong></p> <ul> <li>Dashboard with total users, active users, new signups this week</li> <li>Searchable, paginated user table</li> <li>Enable/disable, promote to admin, or delete users</li> <li>Admins land directly on the admin panel after login — no unnecessary redirect through the user dashboard</li> <li>Cascade-safe user deletion (no orphaned OTP records crashing the delete)</li> </ul> <p><strong>Code quality</strong></p> <ul> <li>Flask application factory pattern with Blueprints (auth, admin, main)</li> <li>SQLAlchemy ORM with Flask-Migrate for database migrations</li> <li>Environment-based config (development/production/testing)</li> <li>pytest test suite covering signup, OTP verification, login, wrong password, unverified account blocking</li> <li>Background email sending — SMTP happens on a thread so the page responds instantly instead of waiting</li> </ul> <p><strong>UI</strong></p> <ul> <li>Tailwind CSS via CDN — zero build step required</li> <li>Custom fonts (Outfit + Inter + JetBrains Mono)</li> <li>Responsive split-panel auth layout</li> <li>Show/hide password toggle on every password field</li> <li>Flash messages with close button and 5-second auto-dismiss</li> <li>Custom error pages for 403, 404, 429, 500 — no raw stack traces ever shown</li> </ul> <h2> Things I learned building this </h2> <p><strong>Background threads for email sending matter more than you think.</strong> My first version blocked the request while the SMTP connection happened. A misconfigured hostname would hang the entire request for 30+ seconds with no feedback to the user. Moving email dispatch to a daemon thread made every auth action feel instant.</p> <p><strong>The browser cache is a security issue.</strong> Without explicit Cache-Control: no-store headers, pressing back after logout can show a stale authenticated page directly from browser memory — the server never even gets asked. Most Flask tutorials don't cover this.</p> <p><strong>Cascade deletes need explicit configuration.</strong> SQLAlchemy's default behavior when you delete a User with related OTPCode rows is to try setting user_id = NULL on those rows — which fails immediately if user_id is NOT NULL (as it should be). You need cascade="all, delete-orphan" on the relationship, not just the foreign key.</p> <p><strong>CSP blocks your own inline scripts.</strong> I added a Content-Security-Policy header that blocked the inline Tailwind config script defining my custom color tokens. Every button existed and worked but rendered invisible — white text on white background. Spent longer than I'd like to admit on that one.</p> <h2> The stack </h2> <ul> <li>Python 3.10+, Flask 3.0</li> <li>SQLAlchemy + Flask-Migrate</li> <li>Flask-Login, Flask-WTF, Flask-Mail, Flask-Limiter</li> <li>Tailwind CSS (CDN)</li> <li>SQLite for development, Postgres-ready for production</li> <li>pytest</li> </ul> <h2> Where to get it </h2> <p>If you're building a Flask project and don't want to spend days on auth infrastructure, it's available here:</p> <p>👉 <a href="https://gauav.gumroad.com/l/flask-saas-starter-kit" rel="noopener noreferrer">Flask SaaS Starter Kit on Gumroad</a></p> <p>Comes with a README, a step-by-step SETUP guide written for people who aren't Flask experts yet, and a CUSTOMIZE guide for extending the user model and swapping email providers.</p> <p>Happy to go deep on any of the implementation decisions — the rate limiting strategy, the OTP flow design, session security, the background email threading. Drop a comment.</p> <p><strong>What does your auth setup usually look like for new Flask projects?</strong></p> flask python webdev security