Auto Reloading¶

Tired of restarting the server every time you change your code?The auto reloader can do this for you. Every time you edit a modulefile, the reloader restarts the server process and loads the newestversion of your code.

run(...,debug=True,reloader=True)

How it works: the main process will not start a server, but spawn a newchild process using the same command line arguments used to start themain process. All module-level code is executed at least twice! Becareful.

The child process will haveos.environ['BOTTLE_CHILD'] set toTrueand start as a normal non-reloading app server. As soon as any of theloaded modules changes, the child process terminates and is re-spawned bythe main process. Changes in template files will not trigger a reload.Please use debug mode to deactivate template caching.

Dynamic Routes¶

Routes that contain wildcards are calleddynamic routes (as opposed tostatic routes) and match more than one URL at the same time. A simple wildcard consists of a name enclosed in angle brackets (e.g.<name>) and accepts one or more characters up to the next slash (/). For example, the route/hello/<name> accepts requests for/hello/alice as well as/hello/bob, but not for/hello,/hello/ or/hello/mr/smith.

Each wildcard passes the covered part of the URL as a keyword argument to the request callback. You can use them right away and implement RESTful, nice-looking and meaningful URLs with ease. Here are some other examples along with the URLs they’d match:

@route('/wiki/<pagename>')# matches /wiki/Learning_Pythondefshow_wiki_page(pagename):...@route('/<action>/<user>')# matches /follow/defnulldefuser_api(action,user):...

Filters can be used to define more specific wildcards, and/or transform the covered part of the URL before it is passed to the callback. A filtered wildcard is declared as<name:filter> or<name:filter:config>. The syntax for the optional config part depends on the filter used.

The following filters are implemented by default and more may be added:

• :int matches (signed) digits only and converts the value to integer.

• :float similar to :int but for decimal numbers.

• :path matches all characters including the slash character in a non-greedy way and can be used to match more than one path segment.

• :re allows you to specify a custom regular expression in the config field. The matched value is not modified.

Let’s have a look at some practical examples:

@route('/object/<id:int>')defcallback(id):assertisinstance(id,int)@route('/show/<name:re:[a-z]+>')defcallback(name):assertname.isalpha()@route('/static/<path:path>')defcallback(path):returnstatic_file(path,...)

You can add your own filters as well. SeeRequest Routing for details.

HTTP Request Methods¶

The HTTP protocol defines severalrequest methods (sometimes referred to as “verbs”) for different tasks. GET is the default for all routes with no other method specified. These routes will match GET requests only. To handle other methods such as POST, PUT, DELETE or PATCH, add amethod keyword argument to theroute() decorator or use one of the five alternative decorators:get(),post(),put(),delete() orpatch().

The POST method is commonly used for HTML form submission. This example shows how to handle a login form using POST:

frombottleimportget,post,request# or route@get('/login')# or @route('/login')deflogin():return'''        <form action="/login" method="POST">            Username: <input name="username" type="text" />            Password: <input name="password" type="password" />            <input value="Login" type="submit" />        </form>    '''@post('/login')# or @route('/login', method='POST')defdo_login():username=request.forms.usernamepassword=request.forms.passwordifcheck_login(username,password):return"<p>Your login information was correct.</p>"else:return"<p>Login failed.</p>"

In this example the/login URL is linked to two distinct callbacks, one for GET requests and another for POST requests. The first one displays a HTML form to the user. The second callback is invoked on a form submission and checks the login credentials the user entered into the form. The use ofRequest.forms<BaseRequest.forms>isfurtherdescribedinthe:ref:`tutorial-request section.

Special Methods: HEAD and ANY

The HEAD method is used to ask for the response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information about a resource without having to download the entire document. Bottle handles these requests automatically by falling back to the corresponding GET route and cutting off the request body, if present. You don’t have to specify any HEAD routes yourself.

Additionally, the non-standard ANY method works as a low priority fallback: Routes that listen to ANY will match requests regardless of their HTTP method but only if no other more specific route is defined. This is helpful forproxy-routes that redirect requests to more specific sub-applications.

To sum it up: HEAD requests fall back to GET routes and all requests fall back to ANY routes, but only if there is no matching route for the original request method. It’s as simple as that.

Theresponse Object¶

Response metadata such as the HTTP status code, response headers and cookies are stored in an object calledresponse up to the point where they are transmitted to the browser. You can manipulate these metadata directly or use the predefined helper methods to do so. The full API and feature list is described in the API section (seeBaseResponse), but the most common use cases and features are covered here, too.

Status Code

The HTTP status code controls the behavior of the browser and defaults to200OK. In most scenarios you won’t need to set theResponse.status attribute manually, but use theabort() helper or return anHTTPResponse instance with the appropriate status code. Any integer is allowed, but codes other than the ones defined by theHTTP specification will only confuse the browser and break standards.

Response Headers

Response headers such asCache-Control orLocation are defined viaResponse.set_header. This method takes two parameters, a header name and a value. The name part is case-insensitive:

@route('/wiki/<page>')defwiki(page):response.set_header('Content-Language','en')...

Most headers are unique, meaning that only one header per name is send to the client. Some special headers however are allowed to appear more than once in a response. To add an additional header, useResponse.add_header instead ofResponse.set_header:

response.set_header('Set-Cookie','name=value')response.add_header('Set-Cookie','name=value2')

Please note that this is just an example. If you want to work with cookies, readahead.

Redirects

To redirect a client to a different URL, you can send a303SeeOther response with theLocation header set to the new URL.redirect() does that for you:

frombottleimportroute,redirect@route('/wrong/url')defwrong():redirect("/right/url")

Cookies¶

A cookie is a named piece of text stored in the user’s browser profile. You can access previously defined cookies viaRequest.get_cookie and set new cookies withResponse.set_cookie:

@route('/hello')defhello_again():ifrequest.get_cookie("visited"):return"Welcome back! Nice to see you again"else:response.set_cookie("visited","yes")return"Hello there! Nice to meet you"

TheResponse.set_cookie method accepts a number of additional keyword arguments that control the cookies lifetime and behavior. Some of the most common settings are described here:

• max_age: Maximum age in seconds. (default:None)

• expires: A datetime object or UNIX timestamp. (default:None)

• domain: The domain that is allowed to read the cookie. (default: current domain)

• path: Limit the cookie to a given path (default:/)

• secure: Limit the cookie to HTTPS connections (default: off).

• httponly: Prevent client-side javascript to read this cookie (default: off, requires Python 2.7 or newer).

• samesite: Disables third-party use for a cookie. Allowed attributes:lax andstrict. In strict mode the cookie will never be sent. In lax mode the cookie is only sent with a top-level GET request.

If neitherexpires normax_age is set, the cookie expires at the end of the browser session or as soon as the browser window is closed. There are some other gotchas you should consider when using cookies:

• Cookies are limited to 4 KB of text in most browsers.

• Some users configure their browsers to not accept cookies at all. Most search engines ignore cookies too. Make sure that your application still works without cookies.

• Cookies are stored at client side and are not encrypted in any way. Whatever you store in a cookie, the user can read it. Worse than that, an attacker might be able to steal a user’s cookies throughXSS vulnerabilities on your side. Some viruses are known to read the browser cookies, too. Thus, never store confidential information in cookies.

• Cookies are easily forged by malicious clients. Do not trust cookies.

Signed Cookies

As mentioned above, cookies are easily forged by malicious clients. Bottle can cryptographically sign your cookies to prevent this kind of manipulation. All you have to do is to provide a signature key via thesecret keyword argument whenever you read or set a cookie and keep that key a secret. As a result,Request.get_cookie will returnNone if the cookie is not signed or the signature keys don’t match:

@route('/login')defdo_login():username=request.forms.get('username')password=request.forms.get('password')ifcheck_login(username,password):response.set_cookie("account",username,secret='some-secret-key')returntemplate("<p>Welcome {{name}}! You are now logged in.</p>",name=username)else:return"<p>Login failed.</p>"@route('/restricted')defrestricted_area():username=request.get_cookie("account",secret='some-secret-key')ifusername:returntemplate("Hello {{name}}. Welcome back.",name=username)else:return"You are not logged in. Access denied."

In addition, Bottle automatically pickles and unpickles any data stored to signed cookies. This allows you to store any pickle-able object (not only strings) to cookies, as long as the pickled data does not exceed the 4 KB limit.

HTTP Headers¶

All HTTP headers sent by the client (e.g.Referer,Agent orAccept-Language) are stored in aWSGIHeaderDict and accessible through theRequest.headers attribute. AWSGIHeaderDict is basically a dictionary with case-insensitive keys:

frombottleimportroute,request@route('/is_ajax')defis_ajax():ifrequest.headers.get('X-Requested-With')=='XMLHttpRequest':return'This is an AJAX request'else:return'This is a normal request'

Cookies¶

Cookies are small pieces of text stored in the clients browser and sent back to the server with each request. They are useful to keep some state around for more than one request (HTTP itself is stateless), but should not be used for security related stuff. They can be easily forged by the client.

All cookies sent by the client are available throughRequest.cookies (aFormsDict). This example shows a simple cookie-based view counter:

frombottleimportroute,request,response@route('/counter')defcounter():count=int(request.cookies.get('counter','0'))count+=1response.set_cookie('counter',str(count))return'You visited this page%d times'%count

TheRequest.get_cookie method is a different way do access cookies. It supports decodingsigned cookies as described in a separate section.

Query parameters, Forms and File uploads¶

Query and form data is parsed on demand and accessible viarequest properties and methods. Some of those properties combine values from different sources for easier access. Have a look at the following table for a quick overview.

IntroducingFormsDict

Bottle uses a special type of dictionary to store those parameters.FormsDict behaves like a normal dictionary, but has some additional features to make your life easier.

First of all,FormsDict is a subclass ofMultiDict and can store more than one value per key. Only the first value is returned by default, butMultiDict.getall() can be used to get a (possibly empty) list of all values for a specific key:

forchoiceinrequest.forms.getall('multiple_choice'):do_something(choice)

Attribute-like access is also supported, returning empty strings for missing values. This simplifies code a lot whend ealing with lots of optional attributes:

name=request.query.name# may be an empty string

A word on unicode and character encodings

Unicode characters in the request path, query parameters or cookies are a bit tricky. HTTP is a very old byte-based protocol that predates unicode and lacks explicit encoding information. This is why WSGI servers have to fall back onISO-8859-1 (akalatin1, a reversible input encoding) for those estrings. Modern browsers default toutf8, though. It’s a bit much to ask application developers to translate every single user input string to the correct encoding manually. Bottle makes this easy and just assumesutf8 for everything. All strings returned by Bottle APIs support the full range of unicode characters, as long as the webpage or HTTP client follows best practices and does not break with established standards.

Query Parameters¶

The query string (as in/forum?id=1&page=5) is commonly used to transmit a small number of key/value pairs to the server. You can use theRequest.query attribute (aFormsDict) to access these values and theRequest.query_string attribute to get the whole string.

frombottleimportroute,request,response,template@route('/forum')defdisplay_forum():forum_id=request.query.idpage=request.query.pageor'1'returntemplate('Forum ID: {{id}} (page {{page}})',id=forum_id,page=page)

HTML<form> Handling¶

Let us start from the beginning. In HTML, a typical<form> looks something like this:

<formaction="/login"method="post">    Username:<inputname="username"type="text"/>    Password:<inputname="password"type="password"/><inputvalue="Login"type="submit"/></form>

Theaction attribute specifies the URL that will receive the form data.method defines the HTTP method to use (GET orPOST). Withmethod="get" the form values are appended to the URL and available throughRequest.query as described above. This is sometimes considered insecure and has other limitations, so we usemethod="post" here. If in doubt, usePOST forms.

Form fields transmitted viaPOST are stored inRequest.forms as aFormsDict. The server side code may look like this:

frombottleimportroute,request@route('/login')deflogin():return'''        <form action="/login" method="post">            Username: <input name="username" type="text" />            Password: <input name="password" type="password" />            <input value="Login" type="submit" />        </form>    '''@route('/login',method='POST')defdo_login():username=request.forms.usernamepassword=request.forms.passwordifcheck_login(username,password):return"<p>Your login information was correct.</p>"else:return"<p>Login failed.</p>"

File Uploads¶

To support file uploads, we have to change the<form> tag a bit. First, we tell the browser to encode the form data in a different way by adding anenctype="multipart/form-data" attribute to the<form> tag. Then, we add<inputtype="file"/> tags to allow the user to select a file. Here is an example:

<formaction="/upload"method="post"enctype="multipart/form-data">  Category:<inputtype="text"name="category"/>  Select a file:<inputtype="file"name="upload"/><inputtype="submit"value="Start upload"/></form>

Bottle stores file uploads inRequest.files asFileUpload instances, along with some metadata about the upload. Let us assume you just want to save the file to disk:

@route('/upload',method='POST')defdo_upload():category=request.forms.categoryupload=request.files.get('upload')name,ext=os.path.splitext(upload.filename)ifextnotin('.png','.jpg','.jpeg'):return'File extension not allowed.'save_path=get_save_path_for_category(category)upload.save(save_path)# appends upload.filename automaticallyreturn'OK'

FileUpload.filename contains the name of the file on the clients file system, but is cleaned up and normalized to prevent bugs caused by unsupported characters or path segments in the filename. If you need the unmodified name as sent by the client, have a look atFileUpload.raw_filename.

TheFileUpload.save method is highly recommended if you want to store the file to disk. It prevents some common errors (e.g. it does not overwrite existing files unless you tell it to) and stores the file in a memory efficient way. You can access the file object directly viaFileUpload.file. Just be careful.

JSON¶

For JavaScript and REST APIs it is very common to sendapplication/json to the server instead of from data.TheRequest.json attribute contains the parsed data structure if available, orNone for emptyrequests or those that did not containapplication/json data. Parsing errors trigger an appropiateHTTPError.

Raw Request Data¶

You can access the raw body data as a file-like object viaRequest.body. This is aio.BytesIO buffer or a temporary file depending on the content length andRequest.MEMFILE_MAX setting. In both cases the body is completely buffered before you can access the attribute. If you expect huge amounts of data and want to get direct unbuffered access to the stream, have a look atrequest['wsgi.input'].

WSGI Environment¶

EachBaseRequest instance wraps a WSGI environment dictionary which is stored inRequest.environ. Most of the interesting information is also exposed through special methods or properties, but if you want to access the rawWSGI environ directly, you can do so:

@route('/my_ip')defshow_ip():ip=request.environ.get('REMOTE_ADDR')# or ip = request.get('REMOTE_ADDR')# or ip = request['REMOTE_ADDR']returntemplate("Your IP is: {{ip}}",ip=ip)