
Flask-Login Password Reset


Base logic:

  1. Create a reset-password form with an email field.
  2. When the user submits the form, you should:
    1. check this email in the database
    2. generate an unpredictable, cryptographically random secret key (referred to below simply as the secret key)
    3. store this key, the current timestamp and the user identifier in a cache or database
    4. send it to the user by email or SMS
  3. When the user applies the secret key (for example via a URL or a special form), you should:
    1. validate it (exists, not expired, not used before)
    2. get the user identifier
    3. delete the current secret key or mark it as used
    4. provide the logic to enter/generate a new password.

The logic to enter/generate a password can vary:

  1. log the user in and show a form to enter a new password (one-time login key)
  2. show a form to enter a password, then log in if it is valid
  3. generate a new password and send it to the user's email
  4. generate a new secret key for the new-password form and send it to the user's email
  5. generate a new secret key to approve the form, send it via SMS, show a form to enter the new password and the approval secret key, then log in if valid
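The flow described in the two lists above, as an added example (not the answer author's code): a framework-agnostic module that a Flask app would call from its two views, with `request_reset()` behind the email form (step 2) and `complete_reset()` behind the emailed link (step 3, using option 2 from the second list). Only the standard library is used; the user table, the key table, the outbox and the clock are constructed stand-ins, and the 15-minute expiry and the PBKDF2 parameters are assumptions. Two points the list does not spell out are made concrete: only a hash of the secret key is persisted, and the response to the email form is the same whether or not the address is registered.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry window for a reset key


@dataclass
class User:
    id: int
    email: str
    salt: bytes = b""
    password_hash: bytes = b""


@dataclass
class ResetRecord:
    user_id: int
    created_at: float
    used: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash for the stored password (stdlib stand-in for bcrypt/argon2).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class PasswordResetService:
    # Steps 2 and 3 of the answer; users, key table, outbox and clock are constructed stand-ins.
    def __init__(self, users, clock=time.time, ttl=TOKEN_TTL_SECONDS):
        self.users = {u.email.lower(): u for u in users}  # stand-in user table
        self.records = {}    # sha256(secret key) -> ResetRecord (stand-in cache/DB)
        self.outbox = []     # stand-in mail/SMS transport: (address, secret key)
        self.clock = clock
        self.ttl = ttl

    @staticmethod
    def _key_id(secret_key: str) -> str:
        # Persist only a hash of the key: a leaked table then contains no live reset links.
        return hashlib.sha256(secret_key.encode("ascii")).hexdigest()

    # Step 2: the email form was submitted.
    def request_reset(self, email: str) -> str:
        user = self.users.get(email.strip().lower())
        if user is not None:
            secret_key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG (step 2.2)
            self.records[self._key_id(secret_key)] = ResetRecord(user.id, self.clock())  # 2.3
            self.outbox.append((user.email, secret_key))  # 2.4
        # Identical response for unknown addresses, so the form cannot enumerate accounts.
        return "If that address is registered, a reset link has been sent."

    # Steps 3.1-3.3: the user presented the key (from the URL or a form).
    def redeem(self, secret_key: str):
        rec = self.records.get(self._key_id(secret_key))
        if rec is None or rec.used:
            return None                           # unknown or already used
        if self.clock() - rec.created_at > self.ttl:
            return None                           # expired
        rec.used = True                           # single use: mark before anything else
        return rec.user_id

    # Step 3.4: set the new password (option 2: enter the password, then log in).
    def complete_reset(self, secret_key: str, new_password: str) -> bool:
        user_id = self.redeem(secret_key)
        if user_id is None:
            return False
        user = next(u for u in self.users.values() if u.id == user_id)
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        return True

    def check_password(self, email: str, password: str) -> bool:
        user = self.users.get(email.strip().lower())
        if user is None or not user.salt:
            return False
        return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)


def demo() -> dict:
    # Walk the flow with a controllable clock; returns the outcomes for inspection.
    now = [1_700_000_000.0]
    svc = PasswordResetService([User(1, "alice@example.com")], clock=lambda: now[0])
    svc.request_reset("nobody@example.com")        # unknown address: nothing is sent
    svc.request_reset("Alice@example.com")
    _, key = svc.outbox[-1]
    first = svc.complete_reset(key, "correct horse battery staple")
    replay = svc.complete_reset(key, "attacker-chosen")   # same key again: refused
    svc.request_reset("alice@example.com")
    _, stale = svc.outbox[-1]
    now[0] += TOKEN_TTL_SECONDS + 1                 # let the second key expire
    expired = svc.complete_reset(stale, "too late")
    return {
        "sent": len(svc.outbox),
        "first": first, "replay": replay, "expired": expired,
        "login": svc.check_password("alice@example.com", "correct horse battery staple"),
    }
```

`demo()` exercises the three checks from step 3.1 in order: a fresh key is accepted once, the same key is refused on replay, and a key older than the TTL is refused. In a real deployment the key table lives in the database or cache and `outbox` is replaced by the mail sender; the redeem-then-set ordering is kept so a key can never be used twice even if the password form is resubmitted.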


Flask-Login doesn't take care of reset-password emails and other such things. It's just there to manage sessions and cookies.

You should use Flask-Security which adds password reset functionality and other common security related features to flask. Flask-Security uses flask-login to handle sessions, but adds other features on top to round out the security features:

Email Confirmation

If desired, you can require that new users confirm their email address. Flask-Security will send an email message to any new users with a confirmation link. Upon navigating to the confirmation link, the user will be automatically logged in. There is also a view for resending a confirmation link to a given email if the user happens to try to use an expired token or has lost the previous email. Confirmation links can be configured to expire after a specified amount of time.

Password Reset/Recovery

Password reset and recovery is available for when a user forgets his or her password. Flask-Security sends an email to the user with a link to a view in which they can reset their password. Once the password is reset they are automatically logged in and can use the new password from then on. Password reset links can be configured to expire after a specified amount of time.

User Registration

Flask-Security comes packaged with a basic user registration view. This view is very simple and new users need only supply an email address and their password. This view can be overridden if your registration process requires more fields.


Flask-Login only provides user session management for Flask. It handles the common tasks of logging in, logging out, and remembering your users' sessions over extended periods of time, but not password reset, password change, email confirmation, etc.

Flask-Security was the best and easiest option to do these. It pretty much handles everything, but it is not actively maintained.

Note: This project is not maintained anymore. Consider the Flask-Security-Too project as an alternative. -- From the flask-security GitHub repo

So I recommend the Flask-Security-Too library, which is an improved and actively maintained version. It also has many more features, like 2FA Auth, Unified Sign-In, etc.

You can install it using pip:

 pip install flask-security-too flask-sqlalchemy

and import from it like this (the package name on pip is flask-security-too, but the module is imported as flask_security):

 from flask_security import current_user, login_required

There are some complete (but simple) examples available in the examples directory of the Flask-Security repo.

Documentation : https://flask-security-too.readthedocs.io/en/stable/index.html