- `dash_user` - signed with `itsdangerous`. The username appears in clear text in the cookie as `user.TOKEN`.
- `dash_user_data` - json web signature with `itsdangerous`. The json web signature is not entirely safe (it authenticates the data but does not encrypt it, so anyone holding the cookie can read it); do not add sensitive data.

The user cookies have no expiry; they are validated by the python package `itsdangerous`.
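The signed-but-not-encrypted point above, as an added example that is not part of the original page or of dash-auth: a minimal stand-in for an itsdangerous-style signed cookie built on the standard library only (the `sign_user_data`, `read_without_secret`, `verify_user_data` and `altered_token` names and the demo secret are constructed for this illustration). It shows that the body is readable without the key, that a changed body or a wrong key fails the signature check, and how an issued-at claim with a `max_age` check supplies the expiry the cookies described here lack.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed for the demo; use a long random value in practice

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_user_data(payload: dict, secret: bytes = SECRET, issued_at: Optional[float] = None) -> str:
    """Return 'body.signature'. The body is base64 JSON: signed, not encrypted."""
    claims = dict(payload, iat=time.time() if issued_at is None else issued_at)
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def read_without_secret(token: str) -> dict:
    """Anyone holding the cookie can decode the body; no key is involved."""
    body, _ = token.split(".", 1)
    return json.loads(_unb64(body))

def verify_user_data(token: str, secret: bytes = SECRET, max_age: Optional[float] = None,
                     now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature (and the optional age limit) hold, else None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    if max_age is not None:
        age = (time.time() if now is None else now) - claims.get("iat", 0)
        if age > max_age:
            return None
    return claims

def altered_token(token: str, payload: dict) -> str:
    """Test helper: new body with the original signature. Verification must reject it."""
    _, sig = token.split(".", 1)
    return _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()) + "." + sig
```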
These methods must be called from a request context (a callback).
- `get_username` - Get the username from the signed cookie.
- `set_username` - PlotlyAuth calls this from the auth response to set the plotly username.
- `get_user_data` - Get the json metadata for the user. Example: `user_data = auth.get_user_data()`
- `set_user_data` - Set custom json metadata for the user. Example: `auth.set_user_data({"last_login": time.time()})`
- `is_authorized_hook` - Use as a decorator to add a callback when `is_authorized` is called. The hook takes a single argument, the response from the auth service. `is_authorized` is called only when a user logs in. The hook must return a boolean indicating whether the user is authorized. There can be multiple hooks.
- Added more options to `Oauth.create_cookie`
  - `httponly` - the cookie is only accessible to the server, not to client-side script (default=True)
  - `SameSite` - prevent the browser from sending the cookie to other sites (default='Strict')
```python
import dash
import dash_auth
import dash_html_components as html
from dash.dependencies import Output, Input

app = dash.Dash()
# Plotly OAuth: app name, privacy setting and the URL the auth service redirects back to
auth = dash_auth.PlotlyAuth(
    app, 'my_app', 'private',
    'http://localhost:8050')

app.layout = html.Div([
    html.Div(id='content'),
    html.Button('Need perms', id='btn'),
    html.Div(id='authorized')],
    id='container')


@app.callback(Output('content', 'children'), [Input('content', 'id')])
def _give_name(_):
    # Runs inside a request context, so the signed cookie is available
    username = auth.get_username()
    return username


@auth.is_authorized_hook
def _is_authorized(data):
    # `data` is the auth service response; only active users are let in
    active = data.get('is_active')
    if active:
        # Store the metadata as a dict so get_user_data() can be queried with .get() below
        auth.set_user_data({'ldap_dn': data.get('ldap_dn')})
    return active


@app.callback(Output('authorized', 'children'), [Input('btn', 'n_clicks')])
def _check_perms(n_clicks):
    if n_clicks:
        perms = auth.get_user_data() or {}
        perm_click_button = perms.get('click_button')
        if not perm_click_button:
            return 'unauthorized'
        else:
            return 'authorized'


if __name__ == '__main__':
    app.run_server(debug=True)
```
Figured it out - api key is required for these even though they are public apps.