dash-auth-async 1.0.0__py3-none-any.whl

dash_auth_async/__init__.py

@@ -0,0 +1,24 @@
+from .public_routes import add_public_routes, public_callback
+from .basic_auth import BasicAuth
+from .group_protection import list_groups, check_groups, protected, protected_callback
+
+# oidc auth requires authlib, install with `pip install dash-auth[oidc]`
+try:
+    from .oidc_auth import OIDCAuth, get_oauth
+except ModuleNotFoundError:
+    pass
+from .version import __version__
+
+
+__all__ = [
+    "add_public_routes",
+    "check_groups",
+    "list_groups",
+    "get_oauth",
+    "protected",
+    "protected_callback",
+    "public_callback",
+    "BasicAuth",
+    "OIDCAuth",
+    "__version__",
+]

dash_auth_async/auth.py

@@ -0,0 +1,94 @@
+from __future__ import absolute_import
+from abc import ABC, abstractmethod
+from typing import Optional
+
+from dash import Dash
+from flask import request
+
+from .public_routes import (
+    add_public_routes,
+    get_public_callbacks,
+    get_public_routes,
+    get_url_base,
+)
+
+
+class Auth(ABC):
+    def __init__(self, app: Dash, public_routes: Optional[list] = None, **obsolete):
+        """Auth base class for authentication in Dash.
+
+        :param app: Dash app
+        :param public_routes: list of public routes, routes should follow the
+            Flask route syntax
+        """
+
+        # Deprecated arguments
+        if obsolete:
+            raise TypeError(f"Auth got unexpected keyword arguments: {list(obsolete)}")
+
+        self.app = app
+        self._protect()
+        if public_routes is not None:
+            add_public_routes(app, public_routes)
+
+    def _protect(self):
+        """Add a before_request authentication check on all routes.
+
+        The authentication check will pass if either
+            * The endpoint is marked as public via `add_public_routes`
+            * The request is authorised by `Auth.is_authorised`
+        """
+
+        server = self.app.server
+
+        @server.before_request
+        def before_request_auth():
+            public_routes = get_public_routes(self.app)
+            public_callbacks = get_public_callbacks(self.app)
+            url_base = get_url_base(self.app)
+            # Handle Dash's callback route:
+            # * Check whether the callback is marked as public
+            # * Check whether the callback is performed on route change in
+            #   which case the path should be checked against the public routes
+            callback_path = f"{url_base.rstrip('/')}/_dash-update-component"
+            if request.path == callback_path:
+                body = request.get_json(silent=True)
+
+                # Treat a missing or unparseable body as unauthorised rather
+                # than crashing with AttributeError/KeyError → 500.
+                if not body:
+                    return self.login_request()
+
+                # Check whether the callback is marked as public
+                if body.get("output") in public_callbacks:
+                    return None
+
+                # Check whether the callback has an input using the pathname,
+                # such a callback will be a routing callback and the pathname
+                # should be checked against the public routes
+                pathname = next(
+                    (
+                        inp.get("value")
+                        for inp in body["inputs"]
+                        if isinstance(inp, dict) and inp.get("property") == "pathname"
+                    ),
+                    None,
+                )
+                if pathname and public_routes.test(pathname):
+                    return None
+
+            # If the route is not a callback route, check whether the path
+            # matches a public route, or whether the request is authorised
+            if public_routes.test(request.path) or self.is_authorized():
+                return None
+
+            # Otherwise, ask the user to log in
+            return self.login_request()
+
+    @abstractmethod
+    def is_authorized(self):
+        pass
+
+    @abstractmethod
+    def login_request(self):
+        pass

dash_auth_async/basic_auth.py

@@ -0,0 +1,113 @@
+import base64
+import logging
+from typing import Dict, List, Optional, Union, Callable, cast
+import flask
+from dash import Dash
+
+from .auth import Auth
+
+UserGroups = Dict[str, List[str]]
+
+
+class BasicAuth(Auth):
+    def __init__(
+        self,
+        app: Dash,
+        username_password_list: Union[list, dict] | None = None,
+        auth_func: Callable | None = None,
+        public_routes: Optional[list] = None,
+        user_groups: Optional[Union[UserGroups, Callable[[str], UserGroups]]] = None,
+        secret_key: str | None = None,
+    ):
+        """Add basic authentication to Dash.
+
+        :param app: Dash app
+        :param username_password_list: username:password list, either as a
+            list of tuples or a dict
+        :param auth_func: python function accepting two string
+            arguments (username, password) and returning a
+            boolean (True if the user has access otherwise False).
+        :param public_routes: list of public routes, routes should follow the
+            Flask route syntax
+        :param user_groups: a dict or a function returning a dict
+            Optional group for each user, allowing to protect routes and
+            callbacks depending on user groups
+        :param secret_key: Flask secret key
+            A string to protect the Flask session, by default None.
+            It is required if you need to store the current user
+            in the session.
+            Generate a secret key in your Python session
+            with the following commands:
+            >>> import os
+            >>> import base64
+            >>> base64.b64encode(os.urandom(30)).decode('utf-8')
+            Note that you should not do this dynamically:
+            you should create a key and then assign the value of
+            that key in your code.
+        """
+        super().__init__(app, public_routes=public_routes)
+        self._auth_func = auth_func
+        if isinstance(user_groups, dict):
+            self._user_groups_dict: UserGroups | None = cast(UserGroups, user_groups)
+            self._user_groups_func: Callable[[str], UserGroups] | None = None
+        else:
+            self._user_groups_dict = None
+            self._user_groups_func = user_groups  # Callable or None after dict excluded
+        if secret_key is not None:
+            app.server.secret_key = secret_key
+
+        if self._auth_func is not None:
+            if username_password_list is not None:
+                raise ValueError(
+                    "BasicAuth can only use authorization function "
+                    "(auth_func kwarg) or username_password_list, "
+                    "it cannot use both."
+                )
+        else:
+            if username_password_list is None:
+                raise ValueError(
+                    "BasicAuth requires username/password map "
+                    "or user-defined authorization function."
+                )
+            else:
+                self._users = (
+                    username_password_list
+                    if isinstance(username_password_list, dict)
+                    else {k: v for k, v in username_password_list}
+                )
+
+    def is_authorized(self):
+        header = flask.request.headers.get("Authorization", None)
+        if not header:
+            return False
+        username_password = base64.b64decode(header.split("Basic ")[1])
+        username_password_utf8 = username_password.decode("utf-8")
+        username, password = username_password_utf8.split(":", 1)
+        authorized = False
+        if self._auth_func is not None:
+            try:
+                authorized = self._auth_func(username, password)
+            except Exception:
+                logging.exception("Error in authorization function.")
+                return False
+        else:
+            authorized = self._users.get(username) == password
+        if authorized:
+            try:
+                flask.session["user"] = {"email": username, "groups": []}
+                if self._user_groups_dict is not None:
+                    flask.session["user"]["groups"] = self._user_groups_dict.get(
+                        username, []
+                    )
+                elif self._user_groups_func is not None:
+                    flask.session["user"]["groups"] = self._user_groups_func(username)
+            except RuntimeError:
+                logging.warning("Session is not available. Have you set a secret key?")
+        return authorized
+
+    def login_request(self):
+        return flask.Response(
+            "Login Required",
+            headers={"WWW-Authenticate": 'Basic realm="User Visible Realm"'},
+            status=401,
+        )

dash_auth_async/group_protection.py

@@ -0,0 +1,214 @@
+import logging
+import re
+from typing import Any, Callable, List, Literal, Optional, Union
+
+import dash
+from dash.exceptions import PreventUpdate
+from flask import session, has_request_context
+
+
+OutputVal = Union[Callable[[], Any], Any]
+CheckType = Literal["one_of", "all_of", "none_of"]
+
+
+def list_groups(
+    *,
+    groups_key: str = "groups",
+    groups_str_split: str | None = None,
+) -> Optional[List[str]]:
+    """List all the groups the user belongs to.
+
+    :param groups_key: Groups key in the user data saved in the Flask session
+        e.g. session["user"] == {"email": "a.b@mail.com", "groups": ["admin"]}
+    :param groups_str_split: Used to split groups if provided as a string
+    :return: None or list[str]:
+        * None if the user is not authenticated
+        * list[str] otherwise
+    """
+    if not has_request_context() or "user" not in session:
+        return None
+
+    user_groups = session.get("user", {}).get(groups_key, [])
+    # Handle cases where groups are ,- or ;-separated string,
+    # may depend on OIDC provider
+    if isinstance(user_groups, str) and groups_str_split is not None:
+        user_groups = re.split(groups_str_split, user_groups)
+    return user_groups
+
+
+def check_groups(
+    groups: Optional[List[str]] = None,
+    *,
+    groups_key: str = "groups",
+    groups_str_split: str | None = None,
+    check_type: CheckType = "one_of",
+) -> Optional[bool]:
+    """Check whether the current user is authenticated
+    and has the specified groups.
+
+    :param groups: List of groups to check for with check_type
+    :param groups_key: Groups key in the user data saved in the Flask session
+        e.g. session["user"] == {"email": "a.b@mail.com", "groups": ["admin"]}
+    :param groups_str_split: Used to split groups if provided as a string
+    :param check_type: Type of check to perform.
+        Either "one_of", "all_of" or "none_of"
+    :return: None or boolean:
+        * None if the user is not authenticated
+        * True if the user is authenticated and has the right permissions
+        * False if the user is authenticated but does not have
+          the right permissions
+    """
+    user_groups = list_groups(
+        groups_key=groups_key,
+        groups_str_split=groups_str_split,
+    )
+
+    if user_groups is None:
+        # User is not authenticated
+        return None
+
+    if groups is None:
+        return True
+
+    if check_type == "one_of":
+        return bool(set(user_groups).intersection(groups))
+    if check_type == "all_of":
+        return all(group in user_groups for group in groups)
+    if check_type == "none_of":
+        return not any(group in user_groups for group in groups)
+
+    raise ValueError(f"Invalid check_type: {check_type}")
+
+
+def protected(
+    unauthenticated_output: OutputVal,
+    *,
+    missing_permissions_output: Optional[OutputVal] = None,
+    groups: Optional[List[str]] = None,
+    groups_key: str = "groups",
+    groups_str_split: str | None = None,
+    check_type: CheckType = "one_of",
+) -> Callable:
+    """Decorate a function or output to alter it depending on the state
+    of authentication and permissions.
+
+    :param unauthenticated_output: Output when the user is not authenticated.
+        Note: needs to be a function with no argument or static outputs.
+    :param missing_permissions_output: Output when the user is authenticated
+        but does not have the right permissions.
+        It defaults to unauthenticated_output when not set.
+        Note: needs to be a function with no argument or static outputs.
+    :param groups: List of authorized user groups. If no groups are passed,
+        the decorator will only check whether the user is authenticated.
+    :param groups_key: Groups key in the user data saved in the Flask session
+        e.g. session["user"] == {"email": "a.b@mail.com", "groups": ["admin"]}
+    :param groups_str_split: Used to split groups if provided as a string
+    :param check_type: Type of check to perform.
+        Either "one_of", "all_of" or "none_of"
+    """
+
+    if missing_permissions_output is None:
+        missing_permissions_output = unauthenticated_output
+
+    def decorator(output: OutputVal):
+        def wrap(*args, **kwargs):
+            def process_output(output, *args, **kwargs):
+                if isinstance(output, Callable):
+                    return output(*args, **kwargs)
+                return output
+
+            authorized = check_groups(
+                groups=groups,
+                groups_key=groups_key,
+                groups_str_split=groups_str_split,
+                check_type=check_type,
+            )
+            if authorized is None:
+                return process_output(unauthenticated_output)
+            if authorized:
+                return process_output(output, *args, **kwargs)
+            return process_output(missing_permissions_output)
+
+        if isinstance(output, Callable):
+            return wrap
+        return wrap()
+
+    return decorator
+
+
+def protected_callback(
+    *callback_args,
+    unauthenticated_output: Optional[OutputVal] = None,
+    missing_permissions_output: Optional[OutputVal] = None,
+    groups: List[str] | None = None,
+    groups_key: str = "groups",
+    groups_str_split: str | None = None,
+    check_type: CheckType = "one_of",
+    **callback_kwargs,
+) -> Callable:
+    """Protected Dash callback.
+
+    :param **: all args and kwargs passed to a Dash callback
+    :param unauthenticated_output: Output when the user is not authenticated.
+        **Note**: Needs to be a function with no argument or static outputs.
+        You can access the Dash callback context within the function call if
+        you need to use some of the inputs/states of the callback.
+        If left as None, it will simply raise PreventUpdate, stopping the
+        callback from processing.
+    :param missing_permissions_output: Output when the user is authenticated
+        but does not have the right permissions.
+        It defaults to unauthenticated_output when not set.
+        **Note**: Needs to be a function with no argument or static outputs.
+        You can access the Dash callback context within the function call if
+        you need to use some of the inputs/states of the callback.
+        If left as None, it will simply raise PreventUpdate, stopping the
+        callback from processing.
+    :param groups: List of authorized user groups
+    :param groups_key: Groups key in the user data saved in the Flask session
+        e.g. session["user"] == {"email": "a.b@mail.com", "groups": ["admin"]}
+    :param groups_str_split: Used to split groups if provided as a string
+    :param check_type: Type of check to perform.
+        Either "one_of", "all_of" or "none_of"
+    """
+
+    def decorator(func):
+        def prevent_unauthenticated():
+            logging.info(
+                "A user tried to run %s without being authenticated.",
+                func.__name__,
+            )
+            raise PreventUpdate
+
+        def prevent_unauthorised():
+            logging.info(
+                "%s tried to run %s but did not have the right permissions.",
+                session["user"]["email"],
+                func.__name__,
+            )
+            raise PreventUpdate
+
+        wrapped_func = dash.callback(*callback_args, **callback_kwargs)(
+            protected(
+                unauthenticated_output=(
+                    unauthenticated_output
+                    if unauthenticated_output is not None
+                    else prevent_unauthenticated
+                ),
+                missing_permissions_output=(
+                    missing_permissions_output
+                    if missing_permissions_output is not None
+                    else prevent_unauthorised
+                ),
+                groups=groups,
+                groups_key=groups_key,
+                groups_str_split=groups_str_split,
+                check_type=check_type,
+            )(func)
+        )
+
+        def wrap(*args, **kwargs):
+            return wrapped_func(*args, **kwargs)
+
+        return wrap
+
+    return decorator

dash_auth_async/oidc_auth.py

@@ -0,0 +1,333 @@
+import logging
+import os
+import re
+from typing import Optional, Union, TYPE_CHECKING
+
+import dash
+from authlib.integrations.base_client import OAuthError
+from authlib.integrations.flask_client import OAuth
+from dash_auth_async.auth import Auth
+from dash_auth_async.public_routes import get_url_base
+from flask import Response, redirect, request, session, url_for
+from werkzeug.routing import Map, Rule
+
+if TYPE_CHECKING:
+    from authlib.integrations.flask_client.apps import (
+        FlaskOAuth1App,
+        FlaskOAuth2App,
+    )
+
+
+class OIDCAuth(Auth):
+    """Implements auth via OpenID."""
+
+    def __init__(
+        self,
+        app: dash.Dash,
+        secret_key: str | None = None,
+        force_https_callback: Optional[Union[bool, str]] = None,
+        login_route: str = "/oidc/<idp>/login",
+        logout_route: str = "/oidc/logout",
+        callback_route: str = "/oidc/<idp>/callback",
+        idp_selection_route: str | None = None,
+        log_signins: bool = False,
+        public_routes: Optional[list] = None,
+        logout_page: Union[str, Response] | None = None,
+        secure_session: bool = False,
+    ):
+        """Secure a Dash app through OpenID Connect.
+
+        Parameters
+        ----------
+        app : Dash
+            The Dash app to secure
+        secret_key : str, optional
+            A string to protect the Flask session, by default None.
+            Generate a secret key in your Python session
+            with the following commands:
+            >>> import os
+            >>> import base64
+            >>> base64.b64encode(os.urandom(30)).decode('utf-8')
+            Note that you should not do this dynamically:
+            you should create a key and then assign the value of
+            that key in your code.
+        force_https_callback : Union[bool, str], optional
+            Whether to force redirection to https, by default None
+            This is useful when the HTTPS termination is upstream of the server
+            If a string is passed, this will check for the existence of
+            an envvar with that name and force https callback if it exists.
+        login_route : str, optional
+            The route for the login function, it requires a <idp>
+            placeholder, by default "/oidc/<idp>/login".
+        logout_route : str, optional
+            The route for the logout function, by default "/oidc/logout".
+        callback_route : str, optional
+            The route for the OIDC redirect URI, it requires a <idp>
+            placeholder, by default "/oidc/<idp>/callback".
+
+            NOTE: login_route, logout_route, and callback_route are
+            registered directly on the Flask server at the paths given here,
+            regardless of any ``url_base_pathname`` or
+            ``routes_pathname_prefix`` set on the Dash app. If your app is
+            deployed under a prefix (e.g. ``url_base_pathname="/app/"``), the
+            OIDC routes still live at the server root (e.g.
+            ``/oidc/<idp>/callback``), NOT under the prefix. Configure your
+            IDP's redirect URI accordingly.
+        idp_selection_route : str, optional
+            The route for the IDP selection function, by default None
+        log_signins : bool, optional
+            Whether to log signins, by default False
+        public_routes : list, optional
+            List of public routes, routes should follow the
+            Flask route syntax
+        logout_page : str or Response, optional
+            Page seen by the user after logging out,
+            by default None which will default to a simple logged out message
+        secure_session: bool, optional
+            Whether to ensure the session is secure, setting the flasck config
+            SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY to True,
+            by default False
+
+        Raises
+        ------
+        Exception
+            Raise an exception if the app.server.secret_key is not defined
+        """
+        super().__init__(app, public_routes=public_routes)
+
+        if isinstance(force_https_callback, str):
+            self.force_https_callback = force_https_callback in os.environ
+        elif force_https_callback is not None:
+            self.force_https_callback = force_https_callback
+        else:
+            self.force_https_callback = False
+
+        self.login_route = login_route
+        self.logout_route = logout_route
+        self.callback_route = callback_route
+        self.log_signins = log_signins
+        self.idp_selection_route = idp_selection_route
+        self.logout_page = logout_page
+
+        if secret_key is not None:
+            app.server.secret_key = secret_key
+
+        if app.server.secret_key is None:
+            raise RuntimeError("""
+                app.server.secret_key is missing.
+                Generate a secret key in your Python session
+                with the following commands:
+                >>> import os
+                >>> import base64
+                >>> base64.b64encode(os.urandom(30)).decode('utf-8')
+                and assign it to the property app.server.secret_key
+                (where app is your dash app instance), or pass is as
+                the secret_key argument to OIDCAuth.__init__.
+                Note that you should not do this dynamically:
+                you should create a key and then assign the value of
+                that key in your code/via a secret.
+                """)
+
+        if secure_session:
+            app.server.config["SESSION_COOKIE_SECURE"] = True
+            app.server.config["SESSION_COOKIE_HTTPONLY"] = True
+
+        self.oauth = OAuth(app.server)
+
+        # Check that the login and callback rules have an <idp> placeholder
+        if not re.findall(r"/<idp>(?=/|$)", login_route):
+            raise Exception("The login route must contain a <idp> placeholder.")
+        if not re.findall(r"/<idp>(?=/|$)", callback_route):
+            raise Exception("The callback route must contain a <idp> placeholder.")
+
+        app.server.add_url_rule(
+            login_route,
+            endpoint="oidc_login",
+            view_func=self.login_request,
+            methods=["GET"],
+        )
+        app.server.add_url_rule(
+            logout_route,
+            endpoint="oidc_logout",
+            view_func=self.logout,
+            methods=["GET"],
+        )
+        app.server.add_url_rule(
+            callback_route,
+            endpoint="oidc_callback",
+            view_func=self.callback,
+            methods=["GET"],
+        )
+
+    def register_provider(self, idp_name: str, **kwargs):
+        """Register an OpenID Connect provider.
+
+        :param idp_name: The name of the provider
+        :param kwargs: Keyword arguments passed to OAuth.register.
+            See https://docs.authlib.org/en/latest/client/flask.html for
+            additional details.
+            Typical keyword arguments for OIDC include:
+            * client_id
+            * client_secret
+            * server_metadata_url
+            * token_endpoint_auth_method
+            * client_kwargs (defaults to {"scope": "openid email"})
+        """
+        if not re.match(r"^[\w\-\. ]+$", idp_name):
+            raise ValueError(
+                "`idp_name` should only contain letters, numbers, hyphens, "
+                "underscores, periods and spaces"
+            )
+        client_kwargs = kwargs.pop("client_kwargs", {})
+        client_kwargs.setdefault("scope", "openid email")
+        self.oauth.register(idp_name, client_kwargs=client_kwargs, **kwargs)
+
+    def get_oauth_client(self, idp: str):
+        """Get the OAuth client."""
+        if idp not in self.oauth._registry:
+            raise ValueError(f"'{idp}' is not a valid registered idp")
+
+        client: Union[FlaskOAuth1App, FlaskOAuth2App] = self.oauth.create_client(idp)
+        return client
+
+    def get_oauth_kwargs(self, idp: str):
+        """Get the OAuth kwargs."""
+        if idp not in self.oauth._registry:
+            raise ValueError(f"'{idp}' is not a valid registered idp")
+
+        kwargs: dict = self.oauth._registry[idp][1]
+        return kwargs
+
+    def _create_redirect_uri(self, idp: str):
+        """Create the redirect uri based on callback endpoint and idp."""
+        if self.force_https_callback:
+            redirect_uri = url_for(
+                "oidc_callback", idp=idp, _external=True, _scheme="https"
+            )
+        else:
+            redirect_uri = url_for("oidc_callback", idp=idp, _external=True)
+        host = request.headers.get("X-Forwarded-Host")
+        if host:
+            redirect_uri = redirect_uri.replace(request.host, host, 1)
+        return redirect_uri
+
+    def login_request(self, idp: str | None = None):
+        """Start the login process."""
+
+        # `idp` can be none here as login_request is called
+        # without arguments in the before_request hook
+        if idp not in self.oauth._registry:
+            # If only one provider is registered, we don't need to
+            # ask the user to pick one, just use the one
+            if len(self.oauth._registry) == 1:
+                idp = next(iter(self.oauth._clients))
+            # If there are several providers and a `idp_selection_route`
+            # was provided, redirect to it.
+            elif self.idp_selection_route:
+                return redirect(self.idp_selection_route)
+            else:
+                return (
+                    "Several OAuth providers are registered. Please choose one.",
+                    400,
+                )
+
+        redirect_uri = self._create_redirect_uri(idp)
+        oauth_client = self.get_oauth_client(idp)
+        oauth_kwargs = self.get_oauth_kwargs(idp)
+        return oauth_client.authorize_redirect(
+            redirect_uri,
+            **oauth_kwargs.get("authorize_redirect_kwargs", {}),
+        )
+
+    def logout(self):  # pylint: disable=C0116
+        """Logout the user."""
+        session.clear()
+        base_url = get_url_base(self.app) or "/"
+        page = (
+            self.logout_page
+            or f"""
+        <div style="display: flex; flex-direction: column;
+        gap: 0.75rem; padding: 3rem 5rem;">
+            <div>Logged out successfully</div>
+            <div><a href="{base_url}">Go back</a></div>
+        </div>
+        """
+        )
+        return page
+
+    def callback(self, idp: str):  # pylint: disable=C0116
+        """Handle the OIDC dance and post-login actions."""
+        if idp not in self.oauth._registry:
+            return f"'{idp}' is not a valid registered idp", 400
+
+        oauth_client = self.get_oauth_client(idp)
+        oauth_kwargs = self.get_oauth_kwargs(idp)
+        try:
+            token = oauth_client.authorize_access_token(
+                **oauth_kwargs.get("authorize_token_kwargs", {}),
+            )
+        except OAuthError as err:
+            return str(err), 401
+
+        user = token.get("userinfo")
+        return self.after_logged_in(user, idp, token)
+
+    def after_logged_in(self, user: Optional[dict], idp: str, token: dict):
+        """
+        Post-login actions after successful OIDC authentication.
+        For example, allows to pass custom attributes to the user session:
+        class MyOIDCAuth(OIDCAuth):
+            def after_logged_in(self, user, idp, token):
+                if user:
+                    user["params"] = value1
+                return super().after_logged_in(user, idp, token)
+        """
+        if user:
+            session["user"] = user
+            session["idp"] = idp
+            oauth_scope = self.get_oauth_client(idp).client_kwargs["scope"]
+            if "offline_access" in oauth_scope:
+                session["refresh_token"] = token.get("refresh_token")
+            if self.log_signins:
+                logging.info("User %s is logging in.", user.get("email"))
+
+        return redirect(get_url_base(self.app) or "/")
+
+    def is_authorized(self):  # pylint: disable=C0116
+        """Check whether ther user is authenticated."""
+
+        map_adapter = Map(
+            [
+                Rule(x)
+                for x in [
+                    self.login_route,
+                    self.logout_route,
+                    self.callback_route,
+                    self.idp_selection_route,
+                ]
+                if x
+            ]
+        ).bind("")
+        return map_adapter.test(request.path) or "user" in session
+
+
+def get_oauth(app: dash.Dash | None = None) -> OAuth:
+    """Retrieve the OAuth object.
+
+    :param app: dash.Dash
+        Dash app or None, if None the current app is used
+        calling `dash.get_app()`
+    """
+    if app is None:
+        app = dash.get_app()
+
+    oauth = getattr(app.server, "extensions", {}).get(
+        "authlib.integrations.flask_client"
+    )
+    if oauth is not None:
+        return oauth
+
+    raise RuntimeError(
+        "OAuth object is not yet defined. `OIDCAuth(app, **kwargs)` needs "
+        "to be run before `get_oauth` is called."
+    )

dash_auth_async/public_routes.py

@@ -0,0 +1,128 @@
+import inspect
+import os
+
+from dash import Dash, callback
+from dash._callback import GLOBAL_CALLBACK_MAP
+from dash import get_app
+from werkzeug.routing import Map, MapAdapter, Rule
+
+DASH_PUBLIC_ASSETS_EXTENSIONS = "js,css"
+BASE_PUBLIC_ROUTES = [
+    f"/assets/<path:path>.{ext}"
+    for ext in os.getenv(
+        "DASH_PUBLIC_ASSETS_EXTENSIONS",
+        DASH_PUBLIC_ASSETS_EXTENSIONS,
+    ).split(",")
+] + [
+    "/_dash-component-suites/<path:path>",
+    "/_dash-layout",
+    "/_dash-dependencies",
+    "/_favicon.ico",
+    "/_reload-hash",
+]
+PUBLIC_ROUTES = "PUBLIC_ROUTES"
+PUBLIC_CALLBACKS = "PUBLIC_CALLBACKS"
+
+
+def get_url_base(app: Dash) -> str:
+    """Return the URL prefix configured for the Dash app (e.g. '/app/').
+
+    Returns '' when no prefix is configured. Checks url_base_pathname first,
+    then requests_pathname_prefix, then routes_pathname_prefix. In normal Dash
+    usage these three values are always kept in sync by Dash itself; the
+    fallback order only matters in advanced deployments.
+
+    This reads from app.config at call time, so it must be invoked after the
+    Dash app's URL config is fully initialised. In particular, calling
+    add_public_routes() before url_base_pathname is set on the app will store
+    routes without the prefix and they will never match at request time.
+    """
+    return (
+        app.config.get("url_base_pathname")
+        or app.config.get("routes_pathname_prefix")
+        or ""
+    )
+
+
+def add_public_routes(app: Dash, routes: list):
+    """Add routes to the public routes list.
+
+    The routes passed should follow the Flask route syntax.
+    e.g. "/login", "/user/<user_id>/public"
+
+    Some routes are made public by default:
+    * All dash scripts (_dash-dependencies, _dash-component-suites/**)
+    * All dash mechanics routes (_dash-layout, _reload-hash)
+    * All assets with extension .css, .js, .svg, .jpg, .png, .gif, .webp
+      Note: you can modify the extension by setting the
+      `DASH_ASSETS_PUBLIC_EXTENSIONS` envvar (comma-separated list of
+      extensions, e.g. "js,css,svg").
+    * The favicon
+
+    If you use callbacks on your public routes, you should use dash_auth_async's
+    `public_callback` rather than the standard dash callback.
+
+    :param app: Dash app
+    :param routes: list of public routes to be added
+    """
+
+    public_routes = get_public_routes(app)
+    url_base = get_url_base(app)
+
+    if not public_routes.map._rules:
+        routes = BASE_PUBLIC_ROUTES + routes
+
+    for route in routes:
+        if url_base and not route.startswith(url_base):
+            route = url_base.rstrip("/") + route
+        public_routes.map.add(Rule(route))
+
+    app.server.config[PUBLIC_ROUTES] = public_routes
+
+
+def public_callback(*callback_args, **callback_kwargs):
+    """Public Dash callback.
+
+    This works by adding the callback id (from the callback map) to a list
+    of whitelisted callbacks in the Flask server's config.
+
+    :param **: all args and kwargs passed to a dash callback
+    """
+
+    def decorator(func):
+        wrapped_func = callback(*callback_args, **callback_kwargs)(func)
+        callback_id = next(
+            (
+                k
+                for k, v in GLOBAL_CALLBACK_MAP.items()
+                if inspect.getsource(v["callback"]) == inspect.getsource(func)
+            ),
+            None,
+        )
+        try:
+            app = get_app()
+            app.server.config[PUBLIC_CALLBACKS] = get_public_callbacks(app) + [
+                callback_id
+            ]
+        except Exception:
+            print(
+                "Could not set up the public callback as the Dash object "
+                "has not yet been instantiated."
+            )
+
+        def wrap(*args, **kwargs):
+            return wrapped_func(*args, **kwargs)
+
+        return wrap
+
+    return decorator
+
+
+def get_public_routes(app: Dash) -> MapAdapter:
+    """Retrieve the public routes."""
+    return app.server.config.get(PUBLIC_ROUTES, Map([]).bind(""))
+
+
+def get_public_callbacks(app: Dash) -> list:
+    """Retrieve the public callbacks ids."""
+    return app.server.config.get(PUBLIC_CALLBACKS, [])

dash_auth_async/version.py

@@ -0,0 +1 @@
+__version__ = "1.0.0"

dash_auth_async-1.0.0.dist-info/METADATA

@@ -0,0 +1,348 @@
+Metadata-Version: 2.4
+Name: dash-auth-async
+Version: 1.0.0
+Summary: Dash Authorization Package.
+Author-email: Jonas Schrage <119843859+joschrag@users.noreply.github.com>
+License: MIT
+Project-URL: Homepage, https://github.com/joschrag/dash-auth-async
+Project-URL: Original project, https://github.com/plotly/dash-auth
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Web Environment
+Classifier: Framework :: Flask
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Education
+Classifier: Intended Audience :: Financial and Insurance Industry
+Classifier: Intended Audience :: Healthcare Industry
+Classifier: Intended Audience :: Manufacturing
+Classifier: Intended Audience :: Science/Research
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Database :: Front-Ends
+Classifier: Topic :: Office/Business :: Financial :: Spreadsheet
+Classifier: Topic :: Scientific/Engineering :: Visualization
+Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
+Classifier: Topic :: Software Development :: Widget Sets
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: authlib>=1.7.2
+Requires-Dist: dash>=2
+Requires-Dist: flask>=3.1.3
+Requires-Dist: requests[security]>=2.34.2
+Requires-Dist: werkzeug>=3.1.8
+Provides-Extra: oidc
+Requires-Dist: authlib; extra == "oidc"
+Dynamic: license-file
+
+## Dash Authorization and Login
+
+Maintained by [joschrag](https://github.com/joschrag/). Forked from [plotly/dash-auth](https://github.com/plotly/dash-auth) with the goal to add support for the new 4.x dash backends.
+
+License: MIT
+
+For local testing, install [uv](https://docs.astral.sh/uv/getting-started/installation/), then install the dev dependencies and run individual tests:
+
+```
+uv sync
+uv run pytest -k ba001
+```
+
+Note that Python 3.10 or greater is required.
+
+## Usage
+
+### Basic Authentication
+
+To add basic authentication, add the following to your Dash app:
+
+```python
+from dash import Dash
+from dash_auth_async import BasicAuth
+
+app = Dash(__name__)
+USER_PWD = {
+    "username": "password",
+    "user2": "useSomethingMoreSecurePlease",
+}
+BasicAuth(app, USER_PWD)
+```
+
+One can also use an authorization python function instead of a dictionary/list of usernames and passwords:
+
+```python
+from dash import Dash
+from dash_auth_async import BasicAuth
+
+def authorization_function(username, password):
+    if (username == "hello") and (password == "world"):
+        return True
+    else:
+        return False
+
+
+app = Dash(__name__)
+BasicAuth(app, auth_func = authorization_function)
+```
+
+### Public routes
+
+You can whitelist routes from authentication with the `add_public_routes` utility function,
+or by passing a `public_routes` argument to the Auth constructor.
+The public routes should follow [Flask's route syntax](https://flask.palletsprojects.com/en/2.3.x/quickstart/#routing).
+
+```python
+from dash import Dash
+from dash_auth_async import BasicAuth, add_public_routes
+
+app = Dash(__name__)
+USER_PWD = {
+    "username": "password",
+    "user2": "useSomethingMoreSecurePlease",
+}
+BasicAuth(app, USER_PWD, public_routes=["/"])
+
+add_public_routes(app, public_routes=["/user/<user_id>/public"])
+```
+
+NOTE: If you are using server-side callbacks on your public routes, you should also use dash_auth_async's new `public_callback` rather than the default Dash callback.
+Below is an example of a public route and callbacks on a multi-page Dash app using Dash's pages API:
+
+*app.py*
+```python
+from dash import Dash, html, dcc, page_container
+from dash_auth_async import BasicAuth
+
+app = Dash(__name__, use_pages=True, suppress_callback_exceptions=True)
+USER_PWD = {
+    "username": "password",
+    "user2": "useSomethingMoreSecurePlease",
+}
+BasicAuth(app, USER_PWD, public_routes=["/", "/user/<user_id>/public"])
+
+app.layout = html.Div(
+    [
+        html.Div(
+            [
+                dcc.Link("Home", href="/"),
+                dcc.Link("John Doe", href="/user/john_doe/public"),
+            ],
+            style={"display": "flex", "gap": "1rem", "background": "lightgray", "padding": "0.5rem 1rem"},
+        ),
+        page_container,
+    ],
+    style={"display": "flex", "flexDirection": "column"},
+)
+
+if __name__ == "__main__":
+    app.run(debug=True)
+```
+
+---
+*pages/home.py*
+```python
+from dash import Input, Output, html, register_page
+from dash_auth_async import public_callback
+
+register_page(__name__, "/")
+
+layout = [
+    html.H1("Home Page"),
+    html.Button("Click me", id="home-button"),
+    html.Div(id="home-contents"),
+]
+
+# Note the use of public callback here rather than the default Dash callback
+@public_callback(
+    Output("home-contents", "children"),
+    Input("home-button", "n_clicks"),
+)
+def home(n_clicks):
+    if not n_clicks:
+        return "You haven't clicked the button."
+    return "You clicked the button {} times".format(n_clicks)
+```
+
+---
+*pages/public_user.py*
+```python
+from dash import html, dcc, register_page
+
+register_page(__name__, path_template="/user/<user_id>/public")
+
+def layout(user_id: str):
+    return [
+        html.H1(f"User {user_id} (public)"),
+        dcc.Link("Authenticated user content", href=f"/user/{user_id}/private"),
+    ]
+```
+
+---
+*pages/private_user.py*
+```python
+from dash import html, register_page
+
+register_page(__name__, path_template="/user/<user_id>/private")
+
+def layout(user_id: str):
+    return [
+        html.H1(f"User {user_id} (authenticated only)"),
+        html.Div("Members-only information"),
+    ]
+```
+
+### OIDC Authentication
+
+To add authentication with OpenID Connect, you will first need to set up an OpenID Connect provider (IDP).
+This typically requires creating
+* An application in your IDP
+* Defining the redirect URI for your application, for testing locally you can use http://localhost:8050/oidc/callback
+* A client ID and secret for the application
+
+Once you have set up your IDP, you can add it to your Dash app as follows:
+
+```python
+from dash import Dash
+from dash_auth_async import OIDCAuth
+
+app = Dash(__name__)
+
+auth = OIDCAuth(app, secret_key="aStaticSecretKey!")
+auth.register_provider(
+    "idp",
+    token_endpoint_auth_method="client_secret_post",
+    # Replace the below values with your own
+    # NOTE: Do not hardcode your client secret!
+    client_id="<my-client-id>",
+    client_secret="<my-client-secret>",
+    server_metadata_url="<my-idp-.well-known-configuration>",
+)
+```
+
+Once this is done, connecting to your app will automatically redirect to the IDP login page.
+
+#### Multiple OIDC Providers
+
+For multiple OIDC providers, you can use `register_provider` to add new ones after the OIDCAuth has been instantiated.
+
+```python
+from dash import Dash, html
+from dash_auth_async import OIDCAuth
+from flask import request, redirect, url_for
+
+app = Dash(__name__)
+
+app.layout = html.Div([
+    html.Div("Hello world!"),
+    html.A("Logout", href="/oidc/logout"),
+])
+
+auth = OIDCAuth(
+    app,
+    secret_key="aStaticSecretKey!",
+    # Set the route at which the user will select the IDP they wish to login with
+    idp_selection_route="/login",
+)
+auth.register_provider(
+    "IDP 1",
+    token_endpoint_auth_method="client_secret_post",
+    client_id="<my-client-id>",
+    client_secret="<my-client-secret>",
+    server_metadata_url="<my-idp-.well-known-configuration>",
+)
+auth.register_provider(
+    "IDP 2",
+    token_endpoint_auth_method="client_secret_post",
+    client_id="<my-client-id2>",
+    client_secret="<my-client-secret2>",
+    server_metadata_url="<my-idp2-.well-known-configuration>",
+)
+
+@app.server.route("/login", methods=["GET", "POST"])
+def login_handler():
+    if request.method == "POST":
+        idp = request.form.get("idp")
+    else:
+        idp = request.args.get("idp")
+
+    if idp is not None:
+        return redirect(url_for("oidc_login", idp=idp))
+
+    return """<div>
+        <form>
+            <div>How do you wish to sign in:</div>
+            <select name="idp">
+                <option value="IDP 1">IDP 1</option>
+                <option value="IDP 2">IDP 2</option>
+            </select>
+            <input type="submit" value="Login">
+        </form>
+    </div>"""
+
+
+if __name__ == "__main__":
+    app.run(debug=True)
+```
+
+### User-group-based permissions
+
+`dash_auth_async` provides a convenient way to secure parts of your app based on user groups.
+
+The following utilities are defined:
+* `list_groups`: Returns the groups of the current user, or None if the user is not authenticated.
+* `check_groups`: Checks the current user groups against the provided list of groups.
+  Available group checks are `one_of`, `all_of` and `none_of`.
+  The function returns None if the user is not authenticated.
+* `protected`: A function decorator that modifies the output if the user is unauthenticated
+  or missing group permission.
+* `protected_callback`: A callback that only runs if the user is authenticated
+  and with the right group permissions.
+
+NOTE: user info is stored in the session so make sure you define a secret_key on the Flask server
+to use this feature.
+
+If you wish to use this feature with BasicAuth, you will need to define the groups for individual
+basicauth users:
+
+```python
+from dash_auth_async import BasicAuth
+
+app = Dash(__name__)
+USER_PWD = {
+    "username": "password",
+    "user2": "useSomethingMoreSecurePlease",
+}
+BasicAuth(
+    app,
+    USER_PWD,
+    user_groups={"user1": ["group1", "group2"], "user2": ["group2"]},
+    secret_key="Test!",
+)
+
+# You can also use a function to get user groups
+def check_user(username, password):
+    if username == "user1" and password == "password":
+        return True
+    if username == "user2" and password == "useSomethingMoreSecurePlease":
+        return True
+    return False
+
+def get_user_groups(user):
+    if user == "user1":
+        return ["group1", "group2"]
+    elif user == "user2":
+        return ["group2"]
+    return []
+
+BasicAuth(
+    app,
+    auth_func=check_user,
+    user_groups=get_user_groups,
+    secret_key="Test!",
+)
+```

dash_auth_async-1.0.0.dist-info/RECORD

@@ -0,0 +1,12 @@
+dash_auth_async/__init__.py,sha256=stLxnOHjkFi6DsiBtrcN9OgmXjqlquI6u7h6n2pa9mM,594
+dash_auth_async/auth.py,sha256=SGhzvNTOd_3XFlXKf7hkQawgZEplXX-Y61RAetTvUuo,3320
+dash_auth_async/basic_auth.py,sha256=mmsApoRY70TI5KcmNWIqbAEKuSuxyMJ82nf3L8gQcTQ,4653
+dash_auth_async/group_protection.py,sha256=S-dNJ-Oe6uiiNxbz-oSyW8ZRGePYHCfTzJ0FiOsIt_I,8041
+dash_auth_async/oidc_auth.py,sha256=tCnjyZu5WzTpnbDzJywz_Pp5vzaLKnOY2LZ9DxCRX_U,12893
+dash_auth_async/public_routes.py,sha256=UNQ2VYMmKoEr8ndlSpPUuABdQd4BL4JfMKEdmC4GUuQ,4103
+dash_auth_async/version.py,sha256=J-j-u0itpEFT6irdmWmixQqYMadNl1X91TxUmoiLHMI,22
+dash_auth_async-1.0.0.dist-info/licenses/LICENSE,sha256=0LSBkD8UPTZ8K0Smz10lC04UjSP7OHTpWPyXeS61dUQ,1102
+dash_auth_async-1.0.0.dist-info/METADATA,sha256=8tNY_gcfE4zoHejBsw-I29c2GFiHIWuTjksllq8Bj-Y,10340
+dash_auth_async-1.0.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+dash_auth_async-1.0.0.dist-info/top_level.txt,sha256=ij1JV4p2XDou9ara3XxqHRBGRSvIDKm7GG10fF6Bfww,16
+dash_auth_async-1.0.0.dist-info/RECORD,,

dash_auth_async-1.0.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

dash_auth_async-1.0.0.dist-info/licenses/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2017 Plotly, Inc.
+Copyright (c) 2025 Jonas Schrage
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

dash_auth_async-1.0.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+dash_auth_async