A Quart extension to provide secure cookie authentication
Project description
Quart-Auth is an extension for Quart to provide for secure cookie authentication (session management). It allows for a session to be logged in, authenticated and logged out.
Usage
To use Quart-Auth with a Quart app you have to create an AuthManager and initialise it with the application,
app = Quart(__name__)
AuthManager(app)or via the factory pattern,
auth_manager = AuthManager()
def create_app():
app = Quart(__name__)
auth_manager.init_app(app)
return appIn addition you will need to configure Quart-Auth, which defaults to the most secure. At a minimum you will need to set secret key,
app.secret_key = "secret key" # Do not use this keywhich you can generate via,
>>> import secrets
>>> secrets.token_urlsafe(16)Tou may also need to disable secure cookies to use in development, see configuration below.
With AuthManager initialised you can use the login_required function to decorate routes that should only be accessed by authenticated users,
from quart_auth import login_required
@app.route("/")
@login_required
async def restricted_route():
...You can also use the login_user, and logout_user functions to start and end sessions for a specific AuthenticatedUser instance,
from quart_auth import AuthUser, login_user, logout_user
@app.route("/login")
async def login():
# Check Credentials here, e.g. username & password.
...
# We'll assume the user has an identifying ID equal to 2
login_user(AuthUser(2))
...
@app.route("/logout")
async def logout():
logout_user()
...Extending Quart-Auth
Quart-Auth is meant to be extended, much like Quart (and Flask), a good example of this is loading user data from a database,
from quart import Quart
from quart_auth import AuthUser, AuthManager, current_user, login_required
class User(AuthUser):
def __init__(self, auth_id):
super().__init__(auth_id)
self._resolved = False
self._email = None
async def _resolve(self):
if not self._resolved:
self._email = await db.fetch_email(self.auth_id)
self._resolved = True
@property
async def email(self):
await self._resolve()
return self._email
auth_manager = AuthManager()
auth_manager.user_class = User
app = Quart(__name__)
@app.route("/")
@login_required
async def index():
return await current_user.email
auth_manager.init_app(app)Auth ID
Quart-Auth authenticates using a str, auth_id, which can be set to the User ID. It is better not use the user’s ID in case the user’s session is compromised e.g. via a stolen phone, as the auth_id itself most be revoked to disable the session.
Configuration
The following configuration options are used by Quart-Auth,
Configuration key |
type |
default |
QUART_AUTH_COOKIE_DOMAIN |
Optional[str] |
None |
QUART_AUTH_COOKIE_NAME |
str |
QUART_AUTH |
QUART_AUTH_COOKIE_PATH |
str |
/ |
QUART_AUTH_COOKIE_HTTP_ONLY |
bool |
True |
QUART_AUTH_COOKIE_SAMESITE |
Union[None, “Strict”, “Lax”] |
Strict |
QUART_AUTH_COOKIE_SECURE |
bool |
True |
QUART_AUTH_DURATION |
int |
365 * 24 * 60 * 60 |
QUART_AUTH_SALT |
str |
quart auth salt |
The COOKIE related options refer directly to standard cookie options. In development it is likely that you’ll need to set QUART_AUTH_COOKIE_SECURE to False.
Contributing
Quart-Auth is developed on GitLab. You are very welcome to open issues or propose merge requests.
Testing
The best way to test Quart-Auth is with Tox,
$ pip install tox
$ toxthis will check the code style and run the tests.
Help
This README is the best place to start, after that try opening an issue.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for quart_auth-0.2.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | c5105e0d9382d2971a473ce3e3db05d25d542aa74b82926db2b90898509eef56 |
|
| MD5 | 1f510e3c0f6fa14a5c9c008aa40cf7d6 |
|
| BLAKE2b-256 | 467b91113006a200295a0a7dbec1b852fb2c4cb357c494383109dbfb17f0cec5 |
