Adding Database Backed User Authentication to FastAPI
&& [ code, python, tutorial ] && 1 comments
In this tutorial we will learn how to add database backed user authentication to our FastAPI application. Later is the series we will implement registration, password recovery, and more.
So you’re excited about FastAPI and you’ve been following the excellent documentation. At some point, you’ll come to the section on security which sets you up with a login view, some utilities for hashing passwords and a dependency injected current user object.
It works great! The only problem is now you are left with a working application, but your user database consists of a hardcoded dictionary. Obviously, this will not do for a real application.
In this tutorial, we will replace our fake users database dictionary with a real database backed user table. In the next part, we’ll add a registration endpoint so that people can sign up for accounts and login to your application.
Starting where you left off
If you haven’t already, go through the FastAPI documentation on security. We are going to pick up where it leaves off and you should be familiar with the concepts and code presented.
We should have an app.py that looks like this:
from datetime import datetime, timedelta
from typing import Optional
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from jose import JWTError, jwt
from passlib.context import CryptContext
from pydantic import BaseModel
# to get a string like this run:
# openssl rand -hex 32
SECRET_KEY = "09d25e094faa6ca2556c818166b7a9563b93f7099f6f0f4caa6cf63b88e8d3e7"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30
fake_users_db = {
"johndoe": {
"username": "johndoe",
"full_name": "John Doe",
"email": "johndoe@example.com",
"hashed_password": "$2b$12$dQD2AD2Y.Aa8F3IliHPfk.yNESW7FZe3RmeT38K661sg/vds404ga", # swordfish
"disabled": False,
}
}
class Token(BaseModel):
access_token: str
token_type: str
class TokenData(BaseModel):
username: Optional[str] = None
class User(BaseModel):
username: str
email: Optional[str] = None
full_name: Optional[str] = None
disabled: Optional[bool] = None
class UserInDB(User):
hashed_password: str
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
app = FastAPI()
def verify_password(plain_password, hashed_password):
return pwd_context.verify(plain_password, hashed_password)
def get_password_hash(password):
return pwd_context.hash(password)
def get_user(db, username: str):
if username in db:
user_dict = db[username]
return UserInDB(**user_dict)
def authenticate_user(fake_db, username: str, password: str):
user = get_user(fake_db, username)
if not user:
return False
if not verify_password(password, user.hashed_password):
return False
return user
def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
to_encode = data.copy()
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + timedelta(minutes=15)
to_encode.update({"exp": expire})
encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
return encoded_jwt
async def get_current_user(token: str = Depends(oauth2_scheme)):
credentials_exception = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Could not validate credentials",
headers={"WWW-Authenticate": "Bearer"},
)
try:
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
username: str = payload.get("sub")
if username is None:
raise credentials_exception
token_data = TokenData(username=username)
except JWTError:
raise credentials_exception
user = get_user(fake_users_db, username=token_data.username)
if user is None:
raise credentials_exception
return user
async def get_current_active_user(current_user: User = Depends(get_current_user)):
if current_user.disabled:
raise HTTPException(status_code=400, detail="Inactive user")
return current_user
@app.post("/token", response_model=Token)
async def login_for_access_token(form_data: OAuth2PasswordRequestForm = Depends()):
user = authenticate_user(fake_users_db, form_data.username, form_data.password)
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Bearer"},
)
access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
access_token = create_access_token(
data={"sub": user.username}, expires_delta=access_token_expires
)
return {"access_token": access_token, "token_type": "bearer"}
@app.get("/users/me/", response_model=User)
async def read_users_me(current_user: User = Depends(get_current_active_user)):
return current_user
In case it’s been a while or you are starting from scratch, the minimum packages required to run this demo are:
pip install fastapi uvicorn passlib python-jose python-multipart bcrypt
And you can start the application with:
uvicorn app:app --reload
Now head over to the shiny auto-generated swagger docs at http://127.0.0.1:8000/docs and try it out. You should be able to click the “Authorize” button and login with the username and password:
username: johndoe \ password: swordfish
Just as you would expect from our fake_users_db.
Our goal now is to preserve this functionality while replacing fake_users_db with a real database.
Creating Gold with SqlAlchemy
For this example we are going to use SqlAlchemy ORM to interact with our database. There are a few ORMs out there, but SqlAlchemy is one of the more popular ones and just recently began supporting asynchronous io, so it’s perfect for use with FastApi. Install it:
pip install install sqlalchemy --pre
note: you can drop –pre if 1.4 is out of beta, which it might be by the time you read this.
To avoid adding to our already cluttered main.py file, we’re going to create a new module, database.py and set up SqlAlchemy there:
# database.py
from sqlalchemy.ext.asyncio import create_async_engine
from sqlalchemy.orm import declarative_base
from sqlalchemy.ext.asyncio import AsyncSession
SQLALCHEMY_DATABASE_URL = "sqlite:///./sqlite3.db"
engine = create_async_engine(
SQLALCHEMY_DATABASE_URL, connect_args={"check_same_thread": False}
)
Base = declarative_base()
async def get_db():
session = AsyncSession(engine)
try:
yield session
finally:
await session.close()
The first few statements define an engine (connection) to the database, as well as declaring an ORM model base for us to use (next step).
We also define a method to get a database session. This will be used in conjunction with FastAPI’s dependency injection system in order to provide access to the database where and when it is need.
We will also declare our User model, which will represent a user in the database:
from sqlalchemy.ext.asyncio import create_async_engine
from sqlalchemy.orm import declarative_base
from sqlalchemy import Boolean, Column, Integer, String
from sqlalchemy.ext.asyncio import AsyncSession
SQLALCHEMY_DATABASE_URL = "sqlite:///./sqlite3.db"
engine = create_async_engine(
SQLALCHEMY_DATABASE_URL, connect_args={"check_same_thread": False}
)
Base = declarative_base()
async def get_db():
session = AsyncSession(engine)
try:
yield session
finally:
await session.close()
class User(Base):
__tablename__ = 'users'
id = Column(Integer, primary_key=True, index=True)
username = Column(String, unique=True, index=True)
email = Column(String, unique=True, index=True)
full_name = Column(String, index=True)
disabled = Column(Boolean, default=False)
hashed_password = Column(String)
This is a typical Sqlalchemy declarative model. We’ve kept the structure the same as the users in our fake_users_db so that the changes in the rest of the application can remain minimal.
Speaking of changes in the main application, let’s get to the meat and potatoes. We will modify app.py with the following:
from datetime import datetime, timedelta
from typing import Optional
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from jose import JWTError, jwt
from passlib.context import CryptContext
from pydantic import BaseModel
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select
import database
# to get a string like this run:
# openssl rand -hex 32
SECRET_KEY = "09d25e094faa6ca2556c818166b7a9563b93f7099f6f0f4caa6cf63b88e8d3e7"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30
class Token(BaseModel):
access_token: str
token_type: str
class TokenData(BaseModel):
username: Optional[str] = None
class User(BaseModel):
id: int
username: str
email: str
full_name: str
disabled: bool
class Config:
orm_mode = True
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
app = FastAPI()
@app.on_event("startup")
async def start_db():
async with database.engine.begin() as conn:
await conn.run_sync(database.Base.metadata.create_all)
def verify_password(plain_password, hashed_password):
return pwd_context.verify(plain_password, hashed_password)
def get_password_hash(password):
return pwd_context.hash(password)
async def get_user(db: AsyncSession, username: str) -> database.User:
result = await db.execute(select(database.User).filter_by(username=username))
return result.scalars().first()
async def authenticate_user(db: AsyncSession, username: str, password: str) -> database.User:
user = await get_user(db, username)
if not user:
return False
if not verify_password(password, user.hashed_password):
return False
return user
def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
to_encode = data.copy()
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + timedelta(minutes=15)
to_encode.update({"exp": expire})
encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
return encoded_jwt
async def get_current_user(db: AsyncSession = Depends(database.get_db), token: str = Depends(oauth2_scheme)) -> database.User:
credentials_exception = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Could not validate credentials",
headers={"WWW-Authenticate": "Bearer"},
)
try:
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
username: str = payload.get("sub")
if username is None:
raise credentials_exception
token_data = TokenData(username=username)
except JWTError:
raise credentials_exception
user = await get_user(db, username=token_data.username)
if user is None:
raise credentials_exception
return user
async def get_current_active_user(current_user: User = Depends(get_current_user)) -> database.User:
if current_user.disabled:
raise HTTPException(status_code=400, detail="Inactive user")
return current_user
@app.post("/token", response_model=Token)
async def login_for_access_token(db: AsyncSession = Depends(database.get_db), form_data: OAuth2PasswordRequestForm = Depends()):
user = await authenticate_user(db, form_data.username, form_data.password)
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Bearer"},
)
access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
access_token = create_access_token(
data={"sub": user.username}, expires_delta=access_token_expires
)
return {"access_token": access_token, "token_type": "bearer"}
@app.get("/users/me/", response_model=User)
async def read_users_me(current_user: User = Depends(get_current_active_user)):
return current_user
In the first changed block, we import a few things from Sqlalchemy that we will need, as well as import the database module we just defined.
We also modify the User Pydantic model. We want it to mirror the database representation so that it can correctly serialize data. Also notice the orm_mode = True line, that allows ORM objects (from sqlalchemy) to be passed in to Pydantic models (as we’ve defined here) and be correctly read and serialized.
At some point the database tables need to actually be created. A perfect time to do that would be when the app first starts up. So we use FastAPI’s startup lifecycle hook to tell Sqlalchemy to create the tables we defined with the declarative base.
The rest of the changes are to get_user(db: AsyncSession, username: str) and simple modifications to the other methods that rely on it. Instead of doing a dictionary access in fake_users_db we do an actual query on our database to look up a user by their username.
Because get_user requires a database connection, we perform a dependency injection in get_current_user as well as login_for_access_token. This ensures the database session is available everywhere that we need it.
Try it out
We now have a working application that functions pretty much the same as before, but will look up users in a Sqlite3 database instead of a dictionary. So how do we test it out? By inserting a user into the database of course!
First, make sure you are running your application. That will ensure the tables have been created (thanks to the start_db method we defined earlier).
$ uvicorn app:app --reload
Next, let’s add a user record to the generated users table.
From your command line, execute the following command:
$ sqlite3 sqlite3.db
This will open up a sqlite3 shell. From here, we can use SQL to add a record to the users table:
INSERT INTO users VALUES (1, 'johndoe', 'johndoe@example.com', 'John Doe', false, '$2b$12$dQD2AD2Y.Aa8F3IliHPfk.yNESW7FZe3RmeT38K661sg/vds404ga');
Notice the big long string at the end: it’s the same hashed password (“swordfish”) that we hardcoded into fake_users_db before!
Once you’ve created the record, you should be able to go back to the generated docs and login as you did before. Now try out the /users/me endpoint, it will return the data we inserted into the database!
Next steps
Manually adding users to your database is rarely what you want to do. In the next post in the series, we’ll implement a registration view so that users can use your API to request accounts.
Building an Instagram Clone in 50 Minutes with Django
&& [ code, tutorials ] && 0 comments
Recently I did a live tutorial with CodingNomads on how to build an image sharing website (like Instagram) in Django. The demo is meant to show how quickly you can leverage Django to build and prototype web applications. You can view it on YouTube.
California Smoke
&& [ other ] && 0 comments
Posting these here so I can look back in the future to remember when the forest fires started getting really bad.
The view at about 3:30 PM PST from the viewpoint near the Hwy 92/Skyline Blvd intersection.
A view of Nasa’s Worldview of the day
A video I took while driving on Highway 280, at 3:00 PM PST near Stanford, which was a dangerous thing to do and I do feel bad about it.
The Underrated California Towhee
&& [ birds ] && 4 comments
Could the simple California Towhee be one of the most underrated birds in North America?
First, let’s go over what makes this bird remarkably unremarkable to most people:
- It’s drab, brown color even on males.
- It’s conservation status is LC (Least Concern, they are doing fine).
- Super common.
- Boring call and song.
So by all outward appearances the California is a dull backyard bird that’s unlikely to warrant a second glance.
However, I have observed that the California Towhee has some unusual behavior that I have not seen in any other bird.
In my house we often leave a glass porch door open to let in some fresh air. Occasionally a bird will fly into our loft which inevitably causes them to do bird things like panic and fly in circles and into windows and such (by the way if this ever happens to you, the best way to remove a bird from your house is to throw a light towel or garment over them then bring them back outside). We have a lot of windows - our loft is a bit of a bird trap.
However, unlike Finches, Hummingbirds, etc I have never had to rescue a Towhee from the house. They are always able to find their way back out the door, and never fly into windows.
Not only do they not panic, but the Towhees often enter the house on purpose, while us humans stand by watching. They are exploratory creatures.
My wife and I once observed a particularly adventurous Towhee casually hop through the glass door to our loft, make it’s way down the stairs on the opposite side of the room (which are pretty complicated, floating stairs with a complete 180 degree turn), hang out in the kitchen a bit, then hop through another door into our bedroom. Once it was presumably satisfied that our house checked out, the bird simply retraced it’s steps out of the bedroom, up the stairs and out the porch door.
Another time I opened my eyes after a mid-day nap on our couch to see a Towhee on the window sill above my head, looking down at me, seemingly studying me. Once I moved it let out a little “chip” and simply flew out the open door.
To me, this shows that this bird has a particularly good sense of spatial awareness, which I can’t help but interpret as intelligence, especially when compared to other birds.
I’ve scoured the internet but I cannot find any confirmation or even mention of this strange behavior in Towhees. It does not seem like they are studied very often. Their Wikipedia page is particularly weak for such a common bird. Neither Audubon or Cornell seems to have much more than the usual ID type information.
I suspect this behavior might be a trait derived from them being a ground dwelling, foraging species. Perhaps being adept at navigating shrubs and underbrush translates well into navigating through… man made structures? Grasping at straws here, I am no ornithologist.
I would love to hear from anyone that might be able to provide any information about this fascinating bird!
Isla Vista in the Time of Covid
&& [ other ] && 0 comments
Here it comes again. One of my favorite questions.
“Wait, you live in Isla Vista?”
“Yes.”
“The college town by UCSB? You want to live there?”
“Yup.”
Most people’s idea of Isla Vista is either formed by having lived their in the college years, having known someone who lived there in the college years, or news stories about people in their college years who live there.
What is usually missed in all the stories about raucous parties and couch burnings is the fact that Isla Vista is located in one of the most naturally beautiful locations in all of California.
IV is a coastal town about 15 miles west of Santa Barbara. To the north is the rugged and expansive Los Padres National Forest. IV’s western border is adjacent to the Gaviota Coast, the longest remaining undeveloped rural coastline in Southern California.
You wouldn’t know it by looking at pictures of Deltopia or Halloween, but Isla Vista itself is rich in natural areas and parks. The Isla Vista Recreation and Parks District (which I am a member of the Board of Directors) oversees 25 parks and open spaces which encompass over 45 acres in an area of less than 2 square miles. And that doesn’t count the miles of coastline, county and state open naturalized open space, and the university’s natural preserve. All within walking distance for any resident.
That’s not to say Isla Vista is a total paradise. There are issues of density, lack of affordable housing, and a quickly eroding coastline. IV’s problems are to a large extent coastal California’s problems.
And then there is the student population. Are they loud and occasionally annoying? Yes. Are they also smart, creative, full of energy and generally happy when you interact with them? Absolutely. Given the choice, I’d take college kids as neighbors over aging NIMBY boomers 10 out of 10 times.
All of that was a long winded way to say that yes, we like it here. And we aren’t alone. While the larger population is transient, there is a core group of hippies, surfers, artists and professors that have chosen to make Isla Vista their permanent home.
OK, but what does any of this have to do with the time of Covid? Nothing really, except for an observation I’ve made about walking. Which is something a lot of us are doing more of now.
It’s no secret that walking is the absolute best way to become familiar with a place. But why? The low intensity exercise is stimulating, no doubt. But the real reason is that the speed you move through your environment while walking is perfectly aligned with the ability of your senses to take in and process information. Move too fast (as you do in a car or even cycling) and your sight becomes blurred, your sense of smell doesn’t have the time to pick up a lingering scent, sound is distorted or blocked by rushing wind or engine noise, and of course your are not actually touching the ground. Walking is the optimal state for all of the senses. It’s almost like we were made to do it.
Here is the silver lining of Covid times. To walk somewhere is to know it. To truly know something is to connect with and love that thing. Walking from your own home is one of the best ways to appreciate and love where you live in a way that, for example, driving to a place could never achieve. Over the last 6 months I’ve become so intimate with my direct surroundings that my feeling of “home” has expanded to the beach, the marsh, the fields and the trails I walk through them.
I feel lucky and privileged to live here.
Switching from Disqus to Commento
&& [ code ] && 1 comments
This website has been following the blog software hype train since it’s inception. The progression went like so:
- Facebook “posts” (discontinued)
- Blogger
- Blosxom - a very early static site generator, way ahead of it’s time.
- Wordpress
- Jekyll
- Hugo (current)
At the transition between Wordpress and Jekyll, like many others, I needed a solution for comments on a static site and Disqus was the clear choice. But then many of us learned that by using Disqus, we were allowing ads to be placed on our own pages. We were bogging down our websites with loads of third party trackers and possibly even violating our own reader’s privacy.
I started looking for alternatives recently (late, I know) and found Commento. It seems to cater to people who want to leave Disqus for the reasons I outlined above: privacy, performance and no ads.
Commento can be used as a service or it can be self hosted. The idea of self hosting the backend on my VPS was very appealing, so I gave it a shot. Overall, it was a pretty painless experience, especially when using the docker image. You simply spin it up with a postgres instance and set some config vars for things like email notifications, akismet integration, and google oauth. Then you place the script supplied from this backend on your page and it’s good to go.
Here are some links for people who would like to try self hosting Commento:
- Commento on GitLab
- The docs for self hosting
- Freecodecamp article on setting up 3rd party authentication (This is missing from the official docs)
- Note: The Disqus export takes a very long time, in my case 8 hours (!) for < 600 comments. It’s almost like they don’t want you to back up your data. I’d recommend queuing up a Disqus export first thing if you are planning to migrate off it.
Commento is very nice and I would not hesitate to pay for the hosted version (which I can always migrate to) if it weren’t for self hosting being interesting for me. You can check out the hosted service at commento.io.
Lil' Jay
&& [ birds ] && 0 comments
There is a Scrub Jay that likes to hang around our feeder we named Little Jay. Lots of birds hang around our feeder, and most of them don’t get names. But Little Jay is challenged, which makes him endearing. It also makes him easy to recognize.
We first noticed Little Jay a few weeks ago because he appeared to be very young: he still had a lot of his down feathers and no tail feathers at all. He was super awkward around the feeder and the surrounding perches. That’s when we noticed he had a bum leg, probably broken. He never uses it, which makes it difficult to move around sometimes.
Most of the time he shows up to the bird feeder alone (which is not unusual for a Scrub Jay) but he does come by often, much more often than any other Jays. If another Jay shows up to the feeder while he is there, he let’s them eat first. Even if he’s not at the feeder we can usually spot him sitting on power line or perch somewhere close by.
We hope he has not become dependent on our feeder, but it is in our minds as a possibility. We are hopeful for him though, as his down seems to slowly disappearing and there is a hint of a tail feather starting to show. Maybe his leg will eventually heal.
While I had always intellectually known that many species of bird stick to a single territory including the California Towhees, House Finches and Morning Doves that often visit us, Little Jay made the idea instinctual. He is a reminder that we may live in this place and pay the rent, but it is not our home alone.
Dear 2019, From 2020
&& [ other ] && 0 comments
Why do years only last for 12 months? Can’t they last a little longer?
Dear 2019,
You really should have stuck around. Which is funny, because the people living during my time didn’t seem to think you were very pleasant back then. Your news was full of dire circumstance, conflict and uncertainty. People were getting hurt, they were angry and scared. But as your successor, let me tell you, you had it easy.
You were the third year of power for a man who was very obsessed about building his wall. Does he even remember it now? I don’t think he does. Instead he’s moved on to focusing his hatred towards people living inside his own country as opposed to those trying to get in. But there are people that still remember, and won’t forget.
During your time planes started falling out of the sky causing many people to be scared around the world. But now people can’t fly anyway. And they have other things to be scared of. However, Boeing made some serious mistakes with the 737 Max. Was I a well timed break for them? Probably. But does their screw up deserve to be forgotten?
You gave rise to some serious protests in Hong Kong. The people there showed the world that they take issue with China’s quickly tightening grip on their free society. This wasn’t a problem isolated to you. In fact their plight has only gotten worse in in my year. It’s been hard for people in the US at least to keep paying attention when they have their own massive protests going on. They told me to tell you that they still remember you but that they have some stuff going on at home that they have to deal with right now.
2019, you are a perfect example of how no matter how bad things might seem, they can always get worse. Yes, I’m afraid I won’t be remembered very fondly. Bad timing I guess.
Yours truly,
-2020
Be Careful with Object.assign in Javascript
&& [ code, javascript ] && 0 comments
Immutability is important say the React docs. And of course this is correct, especially in the context of React, Vue.js and the like that depend on immutability to work correctly. It’s also a core facet of functional programming which is becoming more and more popular by the hour. But can you over do it?
Object.assign for the win?
One of the most popular tools for writing immutable code in Javascript is Object.assign().
Instead of mutating an object:
x = { baz: 'boo'}
x.foo = 'bar'
// x is now:
{foo: 'bar', baz: 'boo'}
We can use Object.assign to create a new object as a copy of an existing
object but with new values(s):
x = { baz: 'boo'}
y = Object.assign({}, {foo: 'bar'}, x)
//y is now:
{foo: 'bar', baz: 'boo'}
//x is still:
{ baz: 'boo'}
So why not just use Object.assign or the spread
operator
all the time thus removing mutability, side effects, and all that stuff that
functional programming teaches us is bad? Well, because performance can be
abysmal.
Take the following test suite using benchmark.js:
var Benchmark = require('benchmark')
const suite = new Benchmark.Suite;
const obj = { foo: 1, bar: 2 };
let mutObj = { foo: 1, bar: 2};
suite.
add('Object spread', function() {
({ baz: 3, ...obj});
}).
add('Object.assign()', function() {
Object.assign({}, { baz: 3 }, obj);
}).
add('Mutation', function() {
mutObj.baz = 3
}).
on('cycle', function(event) {
console.log(String(event.target));
}).
on('complete', function() {
console.log('Fastest is ' + this.filter('fastest').map('name'));
}).
run();
The results are telling:
Object spread x 18,041,542 ops/sec ±0.81% (85 runs sampled)\ Object.assign() x 12,785,551 ops/sec ±0.87% (89 runs sampled)\ Mutation x 780,033,935 ops/sec ±1.86% (84 runs sampled)\ Fastest is Mutation
We can see here that mutating an object is 65x faster than using Object.assign.
Which makes sense because Object.assign is creating an entire new object.
The difference is even more pronounced when using larger, nested objects:
const obj = {
foo: 1,
bar: 2,
lorem: 'ipsum, dolor, amet...',
nested: {
bird: 'yes',
mammal: 'no',
platypus: 'maybe',
}
}
Object spread x 7,612,732 ops/sec ±1.14% (85 runs sampled)\ Object.assign() x 7,264,250 ops/sec ±1.16% (87 runs sampled)\ Mutation x 769,863,543 ops/sec ±1.50% (82 runs sampled)\ Fastest is Mutation
Again, it makes intuitive sense that using Object.assign would be slower.
So is it a big deal? Probably not, as you’ll usually be using these slower, immutable patterns to work with React/Vue data in which the performance impact is not only negligible but necessary.
A real world example
I was recently asked to take a look at some very poorly performing pages in a Vue.js app. When I took a look I found some code that looked like this:
trackpoints[i] = new Object()
track.trackpoints.forEach(t => {
const temp = trackpoints[i]
const key = someFunction(t)
trackpoints[i] = Object.assign({}, temp, {
[key]: [t.foo, t.bar, t.baz]
})
})
return trackpoints
Let’s ignore the fact that this code could be replaced succinctly with reduce()
(and be more FP too). The problem is that track.trackpoints consists of 10s to
100s of thousands of objects. While the above code is technically immutable, it is
also creating a new Object per loop. Once the usage of Object.assign() was
removed, the performance issues went away.
To me this is a good lesson of why it’s not a good idea to be too dogmatic in programming. Programming languages are just tools to do a job and to a certain extent the way you write your code is as well.
Flask or Django? Which to Choose for your Project
&& [ code, django, flask, python ] && 0 comments
Often I get asked by fellow python developers why I chose Django/Flask for a particular project (usually by someone who prefers the framework I didn’t choose 😉). I think both frameworks are excellent and are well suited for a variety of use cases.
So how do I decide which to use for a new project? I found a simple heuristic to get 90% of the way to a final decision, and it’s pretty easy to follow:
Decide what features your project needs:
- User accounts
- An Object Relational Manager (ORM)
- Database Migrations
- User registration/social authentication
- An admin site
Does your project require 2 or more of these features?
If Yes => Choose Django
If No => Choose Flask
Flask is great for small, focused projects. Think microservices, APIs, or very small websites. But once you have to start hunting down and installing extensions like Flask Sqlalchemy and Flask User you quickly enter a situation where the “batteries included” approach of Django makes more sense. You are basically spending time re-implementing stuff that larger frameworks like Django ship with out the box, and that are very well integrated.
On the other hand, Django can be a huge overkill for some projects. Think of an API that accepts image uploads and returns thumbnails. You could use Django for such a task, but the amount of boilerplate and setup required would be ridiculous. One of the great things about Flask is the fact that an entire webapp can be written in a single file.
Of course like I said this heuristic only gets you 90% of the way. Every project has unique use cases and design constraints that must be taken into account before making a large decision like which tech stack to use.