fps_auth 0.9.5__tar.gz

fps_auth-0.9.5/COPYING.md

@@ -0,0 +1,59 @@
+# Licensing terms
+
+This project is licensed under the terms of the Modified BSD License
+(also known as New or Revised or 3-Clause BSD), as follows:
+
+- Copyright (c) 2021-, Jupyter Development Team
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+Redistributions of source code must retain the above copyright notice, this
+list of conditions and the following disclaimer.
+
+Redistributions in binary form must reproduce the above copyright notice, this
+list of conditions and the following disclaimer in the documentation and/or
+other materials provided with the distribution.
+
+Neither the name of the Jupyter Development Team nor the names of its
+contributors may be used to endorse or promote products derived from this
+software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+## About the Jupyter Development Team
+
+The Jupyter Development Team is the set of all contributors to the Jupyter project.
+This includes all of the Jupyter subprojects.
+
+The core team that coordinates development on GitHub can be found here:
+https://github.com/jupyter/.
+
+## Our Copyright Policy
+
+Jupyter uses a shared copyright model. Each contributor maintains copyright
+over their contributions to Jupyter. But, it is important to note that these
+contributions are typically only changes to the repositories. Thus, the Jupyter
+source code, in its entirety is not the copyright of any single person or
+institution. Instead, it is the collective copyright of the entire Jupyter
+Development Team. If individual contributors want to maintain a record of what
+changes/contributions they have specific copyright on, they should indicate
+their copyright in the commit message of the change, when they commit the
+change to one of the Jupyter repositories.
+
+With this in mind, the following banner should be used in any source code file
+to indicate the copyright and license terms:
+
+    # Copyright (c) Jupyter Development Team.
+    # Distributed under the terms of the Modified BSD License.

fps_auth-0.9.5/PKG-INFO

@@ -0,0 +1,30 @@
+Metadata-Version: 2.4
+Name: fps_auth
+Version: 0.9.5
+Summary: An FPS plugin for the authentication API
+Keywords: jupyter,server,fastapi,plugins
+Author: Jupyter Development Team
+Author-email: Jupyter Development Team <jupyter@googlegroups.com>
+License-Expression: BSD-3-Clause
+License-File: COPYING.md
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: BSD License
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Programming Language :: Python :: Implementation :: PyPy
+Requires-Dist: aiosqlite
+Requires-Dist: fastapi-users[sqlalchemy,oauth]>=14.0.1,<15.0.0
+Requires-Dist: jupyverse-api>=0.12.0,<0.13.0
+Requires-Python: >=3.10
+Project-URL: Homepage, https://jupyter.org
+Description-Content-Type: text/markdown
+
+# fps-auth
+
+An FPS plugin for the authentication API.

fps_auth-0.9.5/README.md

@@ -0,0 +1,3 @@
+# fps-auth
+
+An FPS plugin for the authentication API.

fps_auth-0.9.5/pyproject.toml

@@ -0,0 +1,45 @@
+[build-system]
+requires = ["uv_build"]
+build-backend = "uv_build"
+
+[project]
+name = "fps_auth"
+version = "0.9.5"
+description = "An FPS plugin for the authentication API"
+keywords = ["jupyter", "server", "fastapi", "plugins"]
+requires-python = ">=3.10"
+classifiers = [
+  "Development Status :: 5 - Production/Stable",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: BSD License",
+  "Programming Language :: Python",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
+  "Programming Language :: Python :: Implementation :: CPython",
+  "Programming Language :: Python :: Implementation :: PyPy",
+]
+dependencies = [
+  "aiosqlite",
+  "fastapi-users[sqlalchemy,oauth] >=14.0.1,<15.0.0",
+  "jupyverse-api >=0.12.0,<0.13.0",
+]
+license = "BSD-3-Clause"
+license-files = ["COPYING.md"]
+
+[[project.authors]]
+name = "Jupyter Development Team"
+email = "jupyter@googlegroups.com"
+
+[project.readme]
+file = "README.md"
+content-type = "text/markdown"
+
+[project.urls]
+Homepage = "https://jupyter.org"
+
+[project.entry-points]
+"fps.modules" = {auth = "fps_auth.main:AuthModule"}
+"jupyverse.modules" = {auth = "fps_auth.main:AuthModule"}

fps_auth-0.9.5/src/fps_auth/__init__.py

@@ -0,0 +1,6 @@
+import importlib.metadata
+
+try:
+    __version__ = importlib.metadata.version("fps_auth")
+except importlib.metadata.PackageNotFoundError:
+    __version__ = "unknown"

fps_auth-0.9.5/src/fps_auth/backends.py

@@ -0,0 +1,292 @@
+import uuid
+from dataclasses import dataclass
+from typing import Any, Generic, cast
+
+import httpx
+from fastapi import Depends, HTTPException, Response, WebSocket, status
+from fastapi_users import (
+    BaseUserManager,
+    FastAPIUsers,
+    UUIDIDMixin,
+    models,
+)
+from fastapi_users.authentication import (
+    AuthenticationBackend,
+    CookieTransport,
+    JWTStrategy,
+)
+from fastapi_users.authentication.strategy.base import Strategy
+from fastapi_users.authentication.transport.base import Transport
+from fastapi_users.db import SQLAlchemyUserDatabase
+from httpx_oauth.clients.github import GitHubOAuth2
+from jupyverse_api.exceptions import RedirectException
+from jupyverse_api.frontend import FrontendConfig
+from starlette.requests import Request
+
+from .config import _AuthConfig
+from .db import User
+from .models import UserCreate, UserRead
+
+
+@dataclass
+class Res:
+    cookie_authentication: Any
+    current_user: Any
+    update_user: Any
+    fapi_users: Any
+    get_user_manager: Any
+    github_authentication: Any
+    github_cookie_authentication: Any
+    websocket_auth: Any
+
+
+def get_backend(auth_config: _AuthConfig, frontend_config: FrontendConfig, db) -> Res:
+    class NoAuthScheme:
+        def __call__(self):
+            return "noauth"
+
+    class NoAuthTransport(Transport):
+        scheme = NoAuthScheme()  # type: ignore
+
+        async def get_login_response(self, token: str) -> Response:
+            return Response()
+
+        async def get_logout_response(self) -> Response:
+            return Response()
+
+        @staticmethod
+        def get_openapi_login_responses_success():
+            pass
+
+        @staticmethod
+        def get_openapi_logout_responses_success():
+            pass
+
+    class NoAuthStrategy(Strategy, Generic[models.UP, models.ID]):
+        async def read_token(
+            self, token: str | None, user_manager: BaseUserManager[models.UP, models.ID]
+        ) -> models.UP | None:
+            active_user = await user_manager.user_db.get_by_email(auth_config.global_email)
+            return active_user
+
+        async def write_token(self, user: models.UP):
+            pass
+
+        async def destroy_token(self, token: str, user: models.UP):
+            pass
+
+    class GitHubTransport(CookieTransport):
+        async def get_login_response(self, token: str) -> Response:
+            response = await super().get_login_response(token)
+            response.status_code = status.HTTP_302_FOUND
+            response.headers["Location"] = "/lab"
+            return response
+
+    def get_noauth_strategy() -> NoAuthStrategy:
+        return NoAuthStrategy()
+
+    def get_jwt_strategy() -> JWTStrategy:
+        return JWTStrategy(secret=db.secret, lifetime_seconds=None)
+
+    noauth_authentication = AuthenticationBackend(
+        name="noauth",
+        transport=NoAuthTransport(),
+        get_strategy=get_noauth_strategy,
+    )
+
+    cookie_authentication = AuthenticationBackend(
+        name="cookie",
+        transport=CookieTransport(cookie_secure=auth_config.cookie_secure),
+        get_strategy=get_jwt_strategy,
+    )
+
+    github_cookie_authentication = AuthenticationBackend(
+        name="github",
+        transport=GitHubTransport(),
+        get_strategy=get_jwt_strategy,
+    )
+
+    github_authentication = GitHubOAuth2(auth_config.client_id, auth_config.client_secret)
+
+    class UserManager(UUIDIDMixin, BaseUserManager[User, uuid.UUID]):
+        async def on_after_register(self, user: User, request: Request | None = None):
+            for oauth_account in await user.awaitable_attrs.oauth_accounts:
+                if oauth_account.oauth_name == "github":
+                    async with httpx.AsyncClient() as client:
+                        r = (
+                            await client.get(
+                                f"https://api.github.com/user/{oauth_account.account_id}"
+                            )
+                        ).json()
+
+                    await self.user_db.update(
+                        user,
+                        dict(
+                            anonymous=False,
+                            username=r["login"],
+                            color=None,
+                            avatar_url=r["avatar_url"],
+                            is_active=True,
+                        ),
+                    )
+
+    async def get_user_manager(user_db: SQLAlchemyUserDatabase = Depends(db.get_user_db)):
+        yield UserManager(user_db)
+
+    def get_enabled_backends():
+        if auth_config.mode == "noauth" and not frontend_config.collaborative:
+            res = [noauth_authentication, github_cookie_authentication]
+        else:
+            res = [cookie_authentication, github_cookie_authentication]
+        return res
+
+    fapi_users = FastAPIUsers[User, uuid.UUID](
+        get_user_manager,
+        [
+            noauth_authentication,
+            cookie_authentication,
+            github_cookie_authentication,
+        ],
+    )
+
+    async def create_guest(user_manager):
+        # workspace and settings are copied from global user
+        # but this is a new user
+        global_user = await user_manager.get_by_email(auth_config.global_email)
+        user_id = str(uuid.uuid4())
+        guest = dict(
+            anonymous=True,
+            email=f"{user_id}@jupyter.com",
+            username=f"{user_id}@jupyter.com",
+            password="",
+            workspace=global_user.workspace,
+            settings=global_user.settings,
+            permissions={},
+        )
+        return await user_manager.create(UserCreate(**guest))
+
+    def current_user(permissions: dict[str, list[str]] | None = None):
+        async def _(
+            response: Response,
+            token: str | None = None,
+            user: User | None = Depends(
+                fapi_users.current_user(optional=True, get_enabled_backends=get_enabled_backends)
+            ),
+            user_manager: BaseUserManager[User, models.ID] = Depends(get_user_manager),
+        ):
+            if auth_config.mode == "user":
+                # "user" authentication: check authorization
+                if user and permissions:
+                    for resource, actions in permissions.items():
+                        user_actions_for_resource = user.permissions.get(resource, [])
+                        if not all([a in user_actions_for_resource for a in actions]):
+                            user = None
+                            break
+            else:
+                # "noauth" or "token" authentication
+                if frontend_config.collaborative:
+                    if not user and auth_config.mode == "noauth":
+                        user = await create_guest(user_manager)
+                        token = await get_jwt_strategy().write_token(user)
+                        cookie_transport = cast(CookieTransport, cookie_authentication.transport)
+                        cookie_transport._set_login_cookie(response, token)
+
+                    elif not user and auth_config.mode == "token":
+                        global_user = await user_manager.get_by_email(auth_config.global_email)
+                        if global_user and global_user.username == token:
+                            user = await create_guest(user_manager)
+                            token = await get_jwt_strategy().write_token(user)
+                            cookie_transport = cast(
+                                CookieTransport, cookie_authentication.transport
+                            )
+                            cookie_transport._set_login_cookie(response, token)
+                else:
+                    if auth_config.mode == "token":
+                        global_user = await user_manager.get_by_email(auth_config.global_email)
+                        if global_user and global_user.username == token:
+                            user = global_user
+                            token = await get_jwt_strategy().write_token(user)
+                            cookie_transport = cast(
+                                CookieTransport, cookie_authentication.transport
+                            )
+                            cookie_transport._set_login_cookie(response, token)
+
+            if user:
+                return user
+
+            elif auth_config.login_url:
+                raise RedirectException(auth_config.login_url)
+
+            else:
+                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
+
+        return _
+
+    def websocket_auth(permissions: dict[str, list[str]] | None = None):
+        """
+        A function returning a dependency for the WebSocket connection.
+
+        :param permissions: the permissions the user should be granted access to. The user should
+        have access to at least one of them for the WebSocket to be opened.
+        :returns: a dependency for the WebSocket connection. The dependency returns a tuple
+        consisting of the websocket and the checked user permissions if the websocket is accepted,
+        None otherwise.
+        """
+
+        async def _(
+            websocket: WebSocket,
+            user_manager: BaseUserManager[models.UP, models.ID] = Depends(get_user_manager),
+        ) -> tuple[WebSocket, dict[str, list[str]] | None] | None:
+            accept_websocket = False
+            checked_permissions: dict[str, list[str]] | None = None
+            if auth_config.mode == "noauth":
+                accept_websocket = True
+            elif "fastapiusersauth" in websocket._cookies:
+                token = websocket._cookies["fastapiusersauth"]
+                user = await get_jwt_strategy().read_token(token, user_manager)
+                if user:
+                    if auth_config.mode == "user":
+                        # "user" authentication: check authorization
+                        if permissions is None:
+                            accept_websocket = True
+                        else:
+                            checked_permissions = {}
+                            for resource, actions in permissions.items():
+                                user_actions_for_resource = user.permissions.get(resource)
+                                if user_actions_for_resource is None:
+                                    continue
+                                allowed = checked_permissions[resource] = []
+                                for action in actions:
+                                    if action in user_actions_for_resource:
+                                        allowed.append(action)
+                                        accept_websocket = True
+                    else:
+                        accept_websocket = True
+            if accept_websocket:
+                return websocket, checked_permissions
+            else:
+                await websocket.close(code=status.WS_1008_POLICY_VIOLATION)
+                return None
+
+        return _
+
+    async def update_user(
+        user: UserRead = Depends(current_user()),
+        user_db: SQLAlchemyUserDatabase = Depends(db.get_user_db),
+    ):
+        async def _(data: dict[str, Any]) -> UserRead:
+            await user_db.update(user, data)
+            return user
+
+        return _
+
+    return Res(
+        cookie_authentication=cookie_authentication,
+        current_user=current_user,
+        update_user=update_user,
+        fapi_users=fapi_users,
+        get_user_manager=get_user_manager,
+        github_authentication=github_authentication,
+        github_cookie_authentication=github_cookie_authentication,
+        websocket_auth=websocket_auth,
+    )

fps_auth-0.9.5/src/fps_auth/config.py

@@ -0,0 +1,18 @@
+from uuid import uuid4
+
+from jupyverse_api.auth import AuthConfig
+
+
+class _AuthConfig(AuthConfig):
+    client_id: str = ""
+    client_secret: str = ""
+    redirect_uri: str = ""
+    # mode: Literal["noauth", "token", "user"] = "token"
+    mode: str = "token"
+    token: str = uuid4().hex
+    global_email: str = "guest@jupyter.com"
+    cookie_secure: bool = False  # FIXME: should default to True, and set to False for tests
+    clear_users: bool = False
+    test: bool = False
+    login_url: str | None = None
+    directory: str | None = None

fps_auth-0.9.5/src/fps_auth/db.py

@@ -0,0 +1,102 @@
+import secrets
+from collections.abc import AsyncGenerator
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+from fastapi import Depends
+from fastapi_users.db import (
+    SQLAlchemyBaseOAuthAccountTableUUID,
+    SQLAlchemyBaseUserTableUUID,
+    SQLAlchemyUserDatabase,
+)
+from sqlalchemy import JSON, Boolean, Column, String, Text
+from sqlalchemy.ext.asyncio import AsyncAttrs, AsyncSession, async_sessionmaker, create_async_engine
+from sqlalchemy.orm import DeclarativeBase, Mapped, relationship
+
+from .config import _AuthConfig
+
+
+class Base(AsyncAttrs, DeclarativeBase):
+    pass
+
+
+class OAuthAccount(SQLAlchemyBaseOAuthAccountTableUUID, Base):
+    pass
+
+
+class User(SQLAlchemyBaseUserTableUUID, Base):
+    anonymous = Column(Boolean, default=True, nullable=False)
+    username = Column(String(length=32), nullable=False, unique=True)
+    name = Column(String(length=32), default="")
+    display_name = Column(String(length=32), default="")
+    initials = Column(String(length=8), nullable=True)
+    color = Column(String(length=32), nullable=True)
+    avatar_url = Column(String(length=32), nullable=True)
+    workspace = Column(Text(), default="{}", nullable=False)
+    settings = Column(Text(), default="{}", nullable=False)
+    permissions = Column(JSON, default={}, nullable=False)
+    oauth_accounts: Mapped[list[OAuthAccount]] = relationship("OAuthAccount", lazy="joined")
+
+
+@dataclass
+class Res:
+    User: Any
+    async_session_maker: Any
+    create_db_and_tables: Any
+    get_async_session: Any
+    get_user_db: Any
+    secret: Any
+
+
+def get_db(auth_config: _AuthConfig) -> Res:
+    jupyter_dir = (
+        Path.home() / ".local" / "share" / "jupyter"
+        if auth_config.directory is None
+        else Path(auth_config.directory)
+    )
+    jupyter_dir.mkdir(parents=True, exist_ok=True)
+    name = "jupyverse"
+    if auth_config.test:
+        name += "_test"
+    secret_path = jupyter_dir / f"{name}_secret"
+    userdb_path = jupyter_dir / f"{name}_users.db"
+
+    if auth_config.clear_users:
+        if userdb_path.is_file():
+            userdb_path.unlink()
+        if secret_path.is_file():
+            secret_path.unlink()
+    if auth_config.mode == "token":
+        if secret_path.is_file():
+            secret_path.unlink()
+
+    if not secret_path.is_file():
+        secret_path.write_text(secrets.token_hex(32))
+
+    secret = secret_path.read_text()
+
+    database_url = f"sqlite+aiosqlite:///{userdb_path}"
+
+    engine = create_async_engine(database_url)
+    async_session_maker = async_sessionmaker(engine, expire_on_commit=False)
+
+    async def create_db_and_tables():
+        async with engine.begin() as conn:
+            await conn.run_sync(Base.metadata.create_all)
+
+    async def get_async_session() -> AsyncGenerator[AsyncSession, None]:
+        async with async_session_maker() as session:
+            yield session
+
+    async def get_user_db(session: AsyncSession = Depends(get_async_session)):
+        yield SQLAlchemyUserDatabase(session, User, OAuthAccount)
+
+    return Res(
+        User=User,
+        async_session_maker=async_session_maker,
+        create_db_and_tables=create_db_and_tables,
+        get_async_session=get_async_session,
+        get_user_db=get_user_db,
+        secret=secret,
+    )

fps_auth-0.9.5/src/fps_auth/main.py

@@ -0,0 +1,59 @@
+import structlog
+from fastapi_users.exceptions import UserAlreadyExists
+from fps import Module
+from jupyverse_api.app import App
+from jupyverse_api.auth import Auth, AuthConfig
+from jupyverse_api.frontend import FrontendConfig
+from jupyverse_api.main import QueryParams
+
+from .config import _AuthConfig
+from .routes import auth_factory
+
+log = structlog.get_logger()
+
+
+class AuthModule(Module):
+    def __init__(self, name: str, **kwargs):
+        super().__init__(name)
+        self.config = _AuthConfig(**kwargs)
+
+    async def prepare(self) -> None:
+        self.put(self.config, AuthConfig)
+
+        app = await self.get(App)
+        frontend_config = await self.get(FrontendConfig)
+
+        auth = auth_factory(app, self.config, frontend_config)
+        self.put(auth, Auth)
+
+        await auth.db.create_db_and_tables()
+
+        if self.config.test:
+            try:
+                await auth.create_user(
+                    username="admin@jupyter.com",
+                    email="admin@jupyter.com",
+                    password="jupyverse",
+                    permissions={"admin": ["read", "write"]},
+                )
+            except UserAlreadyExists:
+                pass
+
+        try:
+            await auth.create_user(
+                username=self.config.token,
+                email=self.config.global_email,
+                password="",
+                permissions={},
+            )
+        except UserAlreadyExists:
+            global_user = await auth.get_user_by_email(self.config.global_email)
+            await auth._update_user(
+                global_user,
+                username=self.config.token,
+                permissions={},
+            )
+
+        if self.config.mode == "token":
+            query_params = await self.get(QueryParams)
+            query_params.d["token"] = self.config.token

fps_auth-0.9.5/src/fps_auth/models.py

@@ -0,0 +1,21 @@
+import uuid
+
+from fastapi_users import schemas
+from jupyverse_api.auth import User
+
+
+class JupyterUser(User):
+    anonymous: bool = True
+    permissions: dict[str, list[str]]
+
+
+class UserRead(schemas.BaseUser[uuid.UUID], JupyterUser):
+    pass
+
+
+class UserCreate(schemas.BaseUserCreate, JupyterUser):
+    pass
+
+
+class UserUpdate(schemas.BaseUserUpdate, JupyterUser):
+    pass

fps_auth-0.9.5/src/fps_auth/routes.py

@@ -0,0 +1,255 @@
+import contextlib
+import json
+import random
+from collections.abc import Awaitable, Callable
+from typing import Any
+
+from fastapi import APIRouter, Depends
+from jupyverse_api.app import App
+from jupyverse_api.auth import Auth
+from jupyverse_api.frontend import FrontendConfig
+from sqlalchemy import select  # type: ignore
+
+from jupyverse_api import Router
+
+from .backends import get_backend
+from .config import _AuthConfig
+from .db import get_db
+from .models import UserCreate, UserRead, UserUpdate
+
+
+def auth_factory(
+    app: App,
+    auth_config: _AuthConfig,
+    frontend_config: FrontendConfig,
+):
+    db = get_db(auth_config)
+    backend = get_backend(auth_config, frontend_config, db)
+
+    get_async_session_context = contextlib.asynccontextmanager(db.get_async_session)
+    get_user_db_context = contextlib.asynccontextmanager(db.get_user_db)
+    get_user_manager_context = contextlib.asynccontextmanager(backend.get_user_manager)
+
+    @contextlib.asynccontextmanager
+    async def _get_user_manager():
+        async with get_async_session_context() as session:
+            async with get_user_db_context(session) as user_db:
+                async with get_user_manager_context(user_db) as user_manager:
+                    yield user_manager
+
+    async def create_user(**kwargs):
+        async with _get_user_manager() as user_manager:
+            await user_manager.create(UserCreate(**kwargs))
+
+    async def update_user(user, **kwargs):
+        async with _get_user_manager() as user_manager:
+            await user_manager.update(UserUpdate(**kwargs), user)
+
+    async def get_user_by_email(user_email):
+        async with _get_user_manager() as user_manager:
+            return await user_manager.get_by_email(user_email)
+
+    class _Auth(Auth, Router):
+        def __init__(self) -> None:
+            super().__init__(app)
+
+            self.db = db
+
+            router = APIRouter()
+
+            @router.get("/auth/users")
+            async def get_users(
+                user: UserRead = Depends(backend.current_user(permissions={"admin": ["read"]})),
+            ):
+                async with db.async_session_maker() as session:
+                    statement = select(db.User)
+                    users = (await session.execute(statement)).unique().all()
+                return [usr.User for usr in users if usr.User.is_active]
+
+            @router.get("/api/me")
+            async def get_api_me(
+                permissions: str | None = None,
+                user: UserRead = Depends(backend.current_user()),
+                update_user=Depends(backend.update_user),
+            ):
+                checked_permissions: dict[str, list[str]] = {}
+                if permissions is None:
+                    permissions = "{}"
+                else:
+                    permissions = permissions.replace("'", '"')
+                permissions_dict = json.loads(permissions)
+                if permissions_dict:
+                    user_permissions = user.permissions
+                    for resource, actions in permissions_dict.items():
+                        user_resource_permissions = user_permissions.get(resource)
+                        if user_resource_permissions is None:
+                            continue
+                        allowed = checked_permissions[resource] = []
+                        for action in actions:
+                            if action in user_resource_permissions:
+                                allowed.append(action)
+
+                keys = ["username", "name", "display_name", "initials", "avatar_url", "color"]
+                identity = {k: getattr(user, k) for k in keys}
+                if not identity["name"] and not identity["display_name"]:
+                    moon = get_anonymous_username()
+                    identity["name"] = f"Anonymous {moon}"
+                    identity["display_name"] = f"Anonymous {moon}"
+                    identity["initials"] = f"A{moon[0]}"
+                    await update_user(
+                        dict(
+                            name=identity["name"],
+                            display_name=identity["display_name"],
+                            permissions=checked_permissions,
+                        )
+                    )
+                return {
+                    "identity": identity,
+                    "permissions": checked_permissions,
+                }
+
+            # redefine GET /me because we want our current_user dependency
+            # it is first defined in users_router and so it wins over the one in
+            # fapi_users.get_users_router
+            users_router = APIRouter()
+
+            @users_router.get("/me")
+            async def get_me(
+                user: UserRead = Depends(backend.current_user(permissions={"admin": ["read"]})),
+            ):
+                return user
+
+            users_router.include_router(backend.fapi_users.get_users_router(UserRead, UserUpdate))
+
+            # Cookie based auth login and logout
+            self.include_router(
+                backend.fapi_users.get_auth_router(backend.cookie_authentication), prefix="/auth"
+            )
+            self.include_router(
+                backend.fapi_users.get_register_router(UserRead, UserCreate),
+                prefix="/auth",
+                dependencies=[Depends(backend.current_user(permissions={"admin": ["write"]}))],
+            )
+            self.include_router(users_router, prefix="/auth/user")
+
+            # GitHub OAuth register router
+            self.include_router(
+                backend.fapi_users.get_oauth_router(
+                    backend.github_authentication, backend.github_cookie_authentication, db.secret
+                ),
+                prefix="/auth/github",
+            )
+            self.include_router(router)
+
+            self.create_user = create_user
+            self.__update_user = update_user
+            self.get_user_by_email = get_user_by_email
+
+        async def _update_user(self, user, **kwargs):
+            return await self.__update_user(user, **kwargs)
+
+        def current_user(self, permissions: dict[str, list[str]] | None = None) -> Callable:
+            return backend.current_user(permissions)
+
+        async def update_user(self, update_user=Depends(backend.update_user)) -> Callable:
+            return update_user
+
+        def websocket_auth(
+            self,
+            permissions: dict[str, list[str]] | None = None,
+        ) -> Callable[[Any], Awaitable[tuple[Any, dict[str, list[str]] | None] | None]]:
+            return backend.websocket_auth(permissions)
+
+    return _Auth()
+
+
+# From https://en.wikipedia.org/wiki/Moons_of_Jupiter
+moons_of_jupyter = (
+    "Metis",
+    "Adrastea",
+    "Amalthea",
+    "Thebe",
+    "Io",
+    "Europa",
+    "Ganymede",
+    "Callisto",
+    "Themisto",
+    "Leda",
+    "Ersa",
+    "Pandia",
+    "Himalia",
+    "Lysithea",
+    "Elara",
+    "Dia",
+    "Carpo",
+    "Valetudo",
+    "Euporie",
+    "Eupheme",
+    # 'S/2003 J 18',
+    # 'S/2010 J 2',
+    "Helike",
+    # 'S/2003 J 16',
+    # 'S/2003 J 2',
+    "Euanthe",
+    # 'S/2017 J 7',
+    "Hermippe",
+    "Praxidike",
+    "Thyone",
+    "Thelxinoe",
+    # 'S/2017 J 3',
+    "Ananke",
+    "Mneme",
+    # 'S/2016 J 1',
+    "Orthosie",
+    "Harpalyke",
+    "Iocaste",
+    # 'S/2017 J 9',
+    # 'S/2003 J 12',
+    # 'S/2003 J 4',
+    "Erinome",
+    "Aitne",
+    "Herse",
+    "Taygete",
+    # 'S/2017 J 2',
+    # 'S/2017 J 6',
+    "Eukelade",
+    "Carme",
+    # 'S/2003 J 19',
+    "Isonoe",
+    # 'S/2003 J 10',
+    "Autonoe",
+    "Philophrosyne",
+    "Cyllene",
+    "Pasithee",
+    # 'S/2010 J 1',
+    "Pasiphae",
+    "Sponde",
+    # 'S/2017 J 8',
+    "Eurydome",
+    # 'S/2017 J 5',
+    "Kalyke",
+    "Hegemone",
+    "Kale",
+    "Kallichore",
+    # 'S/2011 J 1',
+    # 'S/2017 J 1',
+    "Chaldene",
+    "Arche",
+    "Eirene",
+    "Kore",
+    # 'S/2011 J 2',
+    # 'S/2003 J 9',
+    "Megaclite",
+    "Aoede",
+    # 'S/2003 J 23',
+    "Callirrhoe",
+    "Sinope",
+)
+
+
+def get_anonymous_username() -> str:
+    """
+    Get a random user-name based on the moons of Jupyter.
+    This function returns names like "Anonymous Io" or "Anonymous Metis".
+    """
+    return moons_of_jupyter[random.randint(0, len(moons_of_jupyter) - 1)]