Extensions Reference

Flask extension instances and supporting utilities.

This file is used to initialize extensions to the application. It exists to solve the problem of circular dependencies when importing certain modules (e.g. socketio, database) directly from the app. Each extension is bound to the real application later by the app.create_app() factory via the standard ext.init_app(app) pattern.

Note

Never import from app directly in this module. Doing so re-introduces the circular dependency this module exists to break.

Example

Importing extensions elsewhere in the package:

from app.extensions import db, limiter, socketio

extensions.bcrypt = <flask_bcrypt.Bcrypt object>

Flask-Bcrypt wrapper for password hashing and verification.

All password hashes stored in the database should be produced and checked through this instance to ensure a consistent work factor across the application.

extensions.csrf = <flask_wtf.csrf.CSRFProtect object>

Global CSRF protection applied to every state-changing request.

Tokens are validated automatically for all POST/PUT/PATCH/DELETE form submissions. Individual views or blueprints can opt out with exempt().

extensions.db = <SQLAlchemy>

Shared SQLAlchemy database instance.

Bound to the application by app.create_app(). Import this object wherever ORM models or raw queries are needed instead of creating a second SQLAlchemy instance.

extensions.get_ip()

Extract the real client IP address from a potentially proxied request.

Render forwards requests through a load balancer that appends the original client IP to the X-Forwarded-For header as the leftmost value.

Returns:

The leftmost IP address in X-Forwarded-For if the header is present, otherwise flask.Request.remote_addr.

Return type:

str

Example

X-Forwarded-For: 203.0.113.5, 10.0.0.1 → "203.0.113.5"

extensions.limiter = <flask_limiter._extension.Limiter object>

Flask-Limiter instance with a per-user-or-IP moving-window strategy.

The moving-window strategy counts every request inside a rolling time window (configured via RATELIMIT_STORAGE_URI and default limit strings in Config), giving a smoother enforcement curve than a fixed window. The bucket key is determined by user_or_ip_key().
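
The difference between the two strategies at a window boundary, as an added example: a simplified in-memory model written for this page, not Flask-Limiter's implementation or SignBridge code. The 5-per-60-seconds limit, the class names and the timestamps are constructed.

```python
from collections import deque


class FixedWindow:
    """Counts hits per aligned window (0-60 s, 60-120 s, ...)."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.counts = {}  # (key, window index) -> hits so far

    def hit(self, key, now):
        slot = (key, int(now // self.window))
        if self.counts.get(slot, 0) >= self.limit:
            return False
        self.counts[slot] = self.counts.get(slot, 0) + 1
        return True


class MovingWindow:
    """Counts every accepted hit inside the last `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = {}  # key -> deque of accepted timestamps

    def hit(self, key, now):
        q = self.hits.setdefault(key, deque())
        while q and q[0] <= now - self.window:  # drop expired entries
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def allowed(limiter, key, timestamps):
    """Number of requests in `timestamps` that the limiter accepts."""
    return sum(limiter.hit(key, t) for t in timestamps)


# Constructed login attempts: five just before the 60 s mark, five just after.
BURST = [58.0, 58.2, 58.4, 58.6, 58.8, 60.0, 60.2, 60.4, 60.6, 60.8]

if __name__ == "__main__":
    key = "ip:203.0.113.5"
    print("fixed :", allowed(FixedWindow(5, 60), key, BURST))
    print("moving:", allowed(MovingWindow(5, 60), key, BURST))
```

The fixed window starts a fresh count at the 60-second mark and accepts all ten attempts within three seconds, while the moving window still sees the first five and rejects the rest.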

extensions.login = <flask_login.login_manager.LoginManager object>

Flask-Login manager that handles session-based authentication.

login.login_view is set to 'auth.login' so that login_required() redirects unauthenticated users to the correct blueprint endpoint automatically.

extensions.mail = <flask_mail.Mail object>

Flask-Mail instance for sending transactional email.

Connection settings (server, port, TLS, credentials) are driven by the MAIL_* keys in Config.

extensions.migrate = <flask_migrate.Migrate object>

Alembic-backed migration engine.

Manages schema migrations via flask db CLI commands. Must be initialised after db inside the application factory.

extensions.moment = <flask_moment.Moment object>

Flask-Moment integration for client-side timestamp formatting.

Injects the Moment.js library and a helper into Jinja2 templates, enabling timezone-aware rendering.

extensions.socketio = <flask_socketio.SocketIO object>

Flask-SocketIO instance for WebSocket and long-polling support.

The application is started via run() rather than app.run so that the gevent WSGI server handles async I/O correctly. See signbridge.py for the entry point.

extensions.user_or_ip_key()

Return a rate-limit bucket key scoped to the current user or IP.

Authenticated users are bucketed by their database ID so that a single account cannot circumvent per-IP limits by rotating IP addresses (e.g. via a VPN). Unauthenticated requests fall back to the real client IP resolved by get_ip().

Returns:

"user:<id>" for authenticated sessions, or "ip:<address>" for anonymous requests.

Return type:

str
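
One way to write get_ip() and user_or_ip_key() as framework-free functions (an added example, not SignBridge's code). It validates the header value before it becomes a bucket key, and goes beyond the documented behaviour with an optional `trusted_hops` parameter (hypothetical, not on the page) that counts from the right, where only your own proxies write; the leftmost entry is only as trustworthy as the load balancer's handling of the header.

```python
import ipaddress


def _valid_ip(value):
    """Return the canonical form of an IP address string, or None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def get_ip(headers, remote_addr, trusted_hops=None):
    """Resolve the client IP from X-Forwarded-For, else use remote_addr.

    headers       mapping with a .get() method (flask.Request.headers has one)
    trusted_hops  None -> leftmost entry, the behaviour documented above
                  N    -> entry N positions from the right, i.e. the address
                          recorded by the outermost of N proxies you operate
                          (hypothetical parameter, not part of the page)
    """
    if trusted_hops is not None and trusted_hops < 1:
        raise ValueError("trusted_hops must be >= 1")
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if not hops:
        return remote_addr
    if trusted_hops is None:
        candidate = hops[0]
    elif len(hops) >= trusted_hops:
        candidate = hops[-trusted_hops]
    else:
        return remote_addr  # fewer entries than proxies: header is incomplete
    # Malformed values never become a rate-limit bucket name.
    return _valid_ip(candidate) or remote_addr


def user_or_ip_key(user_id, headers, remote_addr, trusted_hops=None):
    """'user:<id>' for an authenticated session, otherwise 'ip:<address>'."""
    if user_id is not None:
        return f"user:{user_id}"
    return f"ip:{get_ip(headers, remote_addr, trusted_hops)}"


# Constructed sample, taken from the header shown in the get_ip() example.
SAMPLE = {"X-Forwarded-For": "203.0.113.5, 10.0.0.1"}

if __name__ == "__main__":
    print(get_ip(SAMPLE, "10.0.0.9"))
    print(user_or_ip_key(None, SAMPLE, "10.0.0.9"))
    print(user_or_ip_key(42, SAMPLE, "10.0.0.9"))
```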

This page provides an overview of the extensions used in SignBridge, including their purpose.

Flask-SQLAlchemy

  • SQLAlchemy lets you define database tables as Python classes instead of writing raw SQL.

  • All models are defined in models.py.

Flask-Migrate

  • Handles database schema changes safely using Alembic.

  • Without it, every time you add a column or table you’d have to drop and recreate the database, which means you lose all the data.

Flask-Login

  • Manages user sessions.

  • Tracks who is logged in and protects routes with @login_required.

  • Handles the login/logout flow.

Flask-WTF

  • Adds CSRF protection to all forms.

  • Form classes are defined in each blueprint’s forms.py.

Flask-Mail

  • Handles sending emails through the app.

  • Mainly used for reset password links.

Flask-Moment

  • Moment converts UTC timestamps stored in the database to the user’s local timezone in the browser.

Flask-Limiter

  • Limiter prevents brute-force attacks by limiting the number of requests a user or IP can make in a time window.

  • Applied to authentication and API routes.

Flask-SocketIO

  • Used as a signalling server for WebRTC connection establishment.

  • Also handles real-time chat messaging between users in a call room.

Flask-Bcrypt

  • Designed specifically for password hashing.

  • Used when registering and authenticating users.

Flask-HTTPAuth

  • Token-based authentication for protecting REST API endpoints.