Authentication example

[me21]

Now that there's an idea of creating separate web pages for different users, I feel that #15 needs a working authentication example.
I tried to apply Starlette AuthenticationMiddleware to no avail. I can post what I tried if you want. I think it's due to JustPy maintaining its own routing in addition to Starlette's one?..

I made my own solution that works (please note, it includes PrivatePage class from #6):

# could load/save session info to DB
class SessionInfo(UserDict):

    def __getitem__(self, item):
        if item not in self.data:
            self.data[item] = {}
        return super().__getitem__(item)

    def __setitem__(self, key, value):
        return super().__setitem__(key, value)


session_infos = SessionInfo()


# Creating a PrivatePage for some route will make page instances with different sessions independent.
class PrivatePage(ui.page):

    def __init__(self, route: str, setup_ui: Callable, *args, **kwargs):
        self.setup_ui, self.args, self.kwargs = setup_ui, args, kwargs
        if 'on_disconnect' in kwargs:
            del kwargs['on_disconnect']
        super().__init__(route, *args, **kwargs)
        self.individual_page_viewers: dict[str, int] = {}
        self.individual_pages: dict[str, ui.page] = {}

    async def on_disconnect(self, websocket: WebSocket):
        if 'on_disconnect' in self.kwargs:
            disconnect_handler = self.kwargs['on_disconnect']
            await disconnect_handler() if is_coroutine(disconnect_handler) else disconnect_handler()
        session_id = websocket.cookies['jp_token'].split('.')[0]
        self.individual_page_viewers[session_id] -= 1
        print(f'Viewer quit, session id {session_id}, total {self.individual_page_viewers[session_id]}')
        if self.individual_page_viewers[session_id] == 0:
            self.individual_pages.pop(session_id).remove_page()  # To reclaim used memory

    #TODO: override __enter__ and __exit__ to be able to use it in context manager like ordinary page?
    async def _route_function(self, request: Request):
        # we spawn additional page instance for each session id
        if request.session_id not in self.individual_pages:
            self.individual_pages[request.session_id] = ui.page(self.route,
                                                                *self.args,
                                                                on_disconnect=self.on_disconnect,
                                                                **self.kwargs)
            jp.Route.instances.pop(0)
            self.individual_page_viewers[request.session_id] = 0
            self.setup_ui(self.individual_pages[request.session_id])
        self.individual_page_viewers[request.session_id] += 1
        print(f'New viewer, session_id {request.session_id}, viewers {self.individual_page_viewers[request.session_id]}')
        return await self.individual_pages[request.session_id]._route_function(request)


class LoggedInMixin:
    async def _route_function(self, request: Request):
        if session_infos[request.session_id].get('authenticated', False):
            return await super()._route_function(request)
        else:
            return RedirectResponse(url='/login', status_code=303)


class LoggedInPage(LoggedInMixin, ui.page):
    pass


class LoggedInPrivatePage(LoggedInMixin, PrivatePage):
    pass


def connection(request: Request, page: ui.page):
    print(f'Session id: {request.session_id}')
    page.label.text = f'Hello {session_infos[request.session_id]["user"]}!'


def ws_connection(socket):
    session_id = socket.cookies['jp_token'].split('.')[0]
    route = socket.scope['path']


def setup_main_page(page: ui.page):
    with page:
        page.label = ui.label('Hello world')


main_page = LoggedInPrivatePage('/', on_connect=connection, on_page_ready=ws_connection, setup_ui=setup_main_page)


def login(args):
    # check password
    page = args.sender.page
    username = page.username.value
    password = page.password.value
    session_id = args.socket.cookies['jp_token'].split('.')[0]
    if (username == 'user1' and password == 'pass1') or (username == 'user2' and password == 'pass2'):
        session_infos[session_id] = {'authenticated': True, 'user': username}
        ui.open('/', args.socket)
    else:
        ui.open('/login', args.socket)


def setup_login_ui(page: ui.page):
    with page:
        page.username = ui.input('User Name').classes('w-full')
        page.password = ui.input('Password').classes('w-full').props('type=password')
        ui.button('Log in', on_click=login)


login_page = PrivatePage('/login', setup_ui=setup_login_ui)

ui.run()

It maintains session info on the server.

I was wondering if this approach is sound. Maybe it's better to store session data in a cookie? But I couldn't find a way to set a cookie in NiceGui.
Also since NiceGui is based on JustPy which is based on Starlette, I thought maybe there's a way to make standard Starlette AuthenticationMiddleware work?

[me21]

I also changed _route_function in the ui.page class to supply page argument:

    async def _route_function(self, request: Request):
        for connect_handler in connect_handlers + ([self.connect_handler] if self.connect_handler else []):
            arg_count = len(inspect.signature(connect_handler).parameters)
            is_coro = is_coroutine(connect_handler)
            if arg_count == 2:
                await connect_handler(request, self) if is_coro else connect_handler(request, self)
            elif arg_count == 1:
                await connect_handler(request) if is_coro else connect_handler(request)
            elif arg_count == 0:
                await connect_handler() if is_coro else connect_handler()
            else:
                raise ValueError(f'invalid number of arguments (0, 1 or 2 allowed, got {arg_count})')
        return self

because I couldn't find a way to get page instance from request object.

[falkoschindler]

Thanks for your contribution!

I think it's due to JustPy maintaining its own routing in addition to Starlette's one?..

As far as I know JustPy is currently migrating to Starlette's routing system: justpy-org/justpy#478 (comment)

So maybe these things will get easier. 🤞

[me21]

In the meantime, what do you think about my approach to session data? The code keeps all session data on the server, using just session_id to get the relevant data for the session. The SessionInfo class can go to the database, to server-local files, etc. to get the needed data.
I know it's possible to store additional data in cookies (it seems I can't set additional cookies in NiceGui for now?). On https://roadmap.sh/backend, there's a list of different authentication schemes, I'm not a dedicated back-end developer, so it's difficult to choose.

[falkoschindler]

Your approach seems reasonable. But I'm afraid I don't feel qualified to judge about different authentication schemes.

Regarding cookies: You might be able to store them using JustPy's run_javascript. NiceGUI's ui.page has also an async await_javascript which returns the result from the client. (I just noticed that this feature is not demonstrated in the documentation, yet...)

If cookies become an important but missing feature, we should add a new issue.

[falkoschindler]

I'll close this Show&Tell because it refers to an outdated NiceGUI version.