Skip to content

Instantly share code, notes, and snippets.

@bpostlethwaite
Forked from T4rk1n/dash_username_auth.md
Last active July 13, 2018 16:57
Show Gist options
  • Save bpostlethwaite/d28bb9428ba74f65706c5430a62dc7ec to your computer and use it in GitHub Desktop.
Save bpostlethwaite/d28bb9428ba74f65706c5430a62dc7ec to your computer and use it in GitHub Desktop.

Additional auth cookies:

  • dash_user
    • signed with itsdangerous.
    • the username appears in clear text in the cookie as user.TOKEN
  • dash_user_data
    • json web signature with itsdangerous.
    • The json web signature is not entirely safe, do not add sensitive data.

The users cookies have no expiry, they are validated by the python package itsdangerous.

New methods on Auth objects:

These methods must be called from a request context (a callback).

  • get_username
    • Get the username from the signed cookie.
  • set_username
    • PlotlyAuth calls this from the auth response to get the plotly username.
  • get_user_data
    • get the json metadata for the user.
    • Example: user_data = auth.get_user_data()
  • set_user_data
    • set custom json metadata for the user.
    • Example: auth.set_user_data({"last_login": time.time()})

is_authorized_hook

Use as a decorator to add a callback when is_authorized is called. Takes a single argument which is the response from the auth service response. is_authorized is called only when a user logs in. It must return a boolean to indicate if the user is_authorized. Can have multiple hooks.

other

  • Added more options to Oauth.create_cookie
    • httponly - only access the cookie from the server (default=True)
    • SameSite - prevent the browser from sending the cookie to other site (default='Strict')

Example

import dash
import dash_auth
import dash_html_components as html
from dash.dependencies import Output, Input

import requests

app = dash.Dash()
auth = dash_auth.PlotlyAuth(
    app, 'my_app', 'private',
    'http://localhost:8050')


app.layout = html.Div([
    html.Div(id='content'),
    html.Button('Need perms', id='btn'),
    html.Div(id='authorized')],
    id='container')


@app.callback(Output('content', 'children'), [Input('content', 'id')])
def _give_name(_):
    username = auth.get_username()
    return username


@auth.is_authorized_hook
def _is_authorized(data):
    active = data.get('is_active')
    if active:
        auth.set_user_data(data.get('ldap_dn'))
    return active

@app.callback(Output('authorized', 'children'), [Input('btn', 'n_clicks')])
def _check_perms(n_clicks):
    if n_clicks:
        perms = auth.get_user_data()
        perm_click_button = perms.get('click_button')
        if not perm_click_button:
            return 'unauthorized'
        else:
            return 'authorized'


if __name__ == '__main__':
    app.run_server(debug=True)
@thomhickey
Copy link

Figured it out - api key is required for these even though they are public apps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment