plain.auth 0.19.0__tar.gz → 0.20.0__tar.gz

{plain_auth-0.19.0 → plain_auth-0.20.0}/.gitignore

@@ -16,3 +16,4 @@ plain*/tests/.plain
 
 .vscode
 /.claude
+/.benchmarks

{plain_auth-0.19.0 → plain_auth-0.20.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain.auth
-Version: 0.19.0
+Version: 0.20.0
 Summary: Add users to your app and decide what they can access.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE
@@ -64,7 +64,6 @@ INSTALLED_PACKAGES = [
 
 MIDDLEWARE = [
     "plain.sessions.middleware.SessionMiddleware",
-    "plain.auth.middleware.AuthenticationMiddleware",
 ]
 
 AUTH_USER_MODEL = "users.User"

{plain_auth-0.19.0 → plain_auth-0.20.0}/plain/auth/CHANGELOG.md

@@ -1,5 +1,21 @@
 # plain-auth changelog
 
+## [0.20.0](https://github.com/dropseed/plain/releases/plain-auth@0.20.0) (2025-10-02)
+
+### What's changed
+
+- Removed `AuthenticationMiddleware` - authentication is now handled through request-based functions instead of middleware ([154ee10](https://github.com/dropseed/plain/commit/154ee10))
+- Replaced `request.user` attribute with `get_request_user(request)` function and `{{ get_current_user() }}` template global ([154ee10](https://github.com/dropseed/plain/commit/154ee10))
+- `AuthViewMixin` now provides a `self.user` property for accessing the authenticated user in views ([154ee10](https://github.com/dropseed/plain/commit/154ee10))
+- Renamed `get_user` to `get_request_user` in the public API ([154ee10](https://github.com/dropseed/plain/commit/154ee10))
+
+### Upgrade instructions
+
+- Remove `plain.auth.middleware.AuthenticationMiddleware` from your `MIDDLEWARE` setting
+- In views, use `AuthViewMixin` for access to `self.user` instead of `self.request.user`
+- Replace `request.user` with `get_request_user(request)` in code outside of `AuthViewMixin` views
+- In templates, replace `{{ request.user }}` with `{{ user }}` (from `AuthViewMixin`) or with `{{ get_current_user() }}`
+
 ## [0.19.0](https://github.com/dropseed/plain/releases/plain-auth@0.19.0) (2025-09-30)
 
 ### What's changed

{plain_auth-0.19.0 → plain_auth-0.20.0}/plain/auth/README.md

@@ -52,7 +52,6 @@ INSTALLED_PACKAGES = [
 
 MIDDLEWARE = [
     "plain.sessions.middleware.SessionMiddleware",
-    "plain.auth.middleware.AuthenticationMiddleware",
 ]
 
 AUTH_USER_MODEL = "users.User"

plain_auth-0.20.0/plain/auth/__init__.py

@@ -0,0 +1,9 @@
+from .requests import get_request_user
+from .sessions import get_user_model, login, logout
+
+__all__ = [
+    "login",
+    "logout",
+    "get_user_model",
+    "get_request_user",
+]

plain_auth-0.20.0/plain/auth/requests.py

@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+from weakref import WeakKeyDictionary
+
+if TYPE_CHECKING:
+    from plain.http import Request
+
+    from .sessions import get_user_model
+
+    User = get_user_model()
+
+_request_users: WeakKeyDictionary[Request, User | None] = WeakKeyDictionary()
+
+
+def set_request_user(request: Request, user: User | None) -> None:
+    """Store the authenticated user for this request."""
+    _request_users[request] = user
+
+
+def get_request_user(request: Request) -> User | None:
+    """
+    Get the authenticated user for this request, if any.
+
+    Lazily loads the user from the session on first access.
+    """
+    if request not in _request_users:
+        from .sessions import get_user
+
+        user = get_user(request)
+
+        # Don't need to store a bunch of None values
+        if not user:
+            return None
+
+        _request_users[request] = user
+
+    return _request_users[request]

{plain_auth-0.19.0 → plain_auth-0.20.0}/plain/auth/sessions.py

@@ -3,9 +3,12 @@ import hmac
 from plain.exceptions import ImproperlyConfigured
 from plain.models import models_registry
 from plain.runtime import settings
+from plain.sessions import get_request_session
 from plain.utils.crypto import salted_hmac
 from plain.utils.encoding import force_bytes
 
+from .requests import get_request_user, set_request_user
+
 USER_ID_SESSION_KEY = "_auth_user_id"
 USER_HASH_SESSION_KEY = "_auth_user_hash"
 
@@ -26,9 +29,11 @@ def update_session_auth_hash(request, user):
     prevent a password change from logging out the session from which the
     password was changed.
     """
-    request.session.cycle_key()
-    if request.user == user:
-        request.session[USER_HASH_SESSION_KEY] = get_session_auth_hash(user)
+
+    session = get_request_session(request)
+    session.cycle_key()
+    if get_request_user(request) == user:
+        session[USER_HASH_SESSION_KEY] = get_session_auth_hash(user)
 
 
 def get_session_auth_fallback_hash(user):
@@ -52,33 +57,34 @@ def login(request, user):
     have to reauthenticate on every request. Note that data set during
     the anonymous session is retained when the user logs in.
     """
+    session = get_request_session(request)
+
     if settings.AUTH_USER_SESSION_HASH_FIELD:
         session_auth_hash = get_session_auth_hash(user)
     else:
         session_auth_hash = ""
 
-    if USER_ID_SESSION_KEY in request.session:
-        if int(request.session[USER_ID_SESSION_KEY]) != user.id:
+    if USER_ID_SESSION_KEY in session:
+        if int(session[USER_ID_SESSION_KEY]) != user.id:
             # To avoid reusing another user's session, create a new, empty
             # session if the existing session corresponds to a different
             # authenticated user.
-            request.session.flush()
+            session.flush()
         elif session_auth_hash and not hmac.compare_digest(
-            force_bytes(request.session.get(USER_HASH_SESSION_KEY, "")),
+            force_bytes(session.get(USER_HASH_SESSION_KEY, "")),
             force_bytes(session_auth_hash),
         ):
             # If the session hash does not match the current hash, reset the
             # session. Most likely this means the password was changed.
-            request.session.flush()
+            session.flush()
     else:
         # Invalidate the current session key and generate a new one to enhance security,
         # typically done after user login to prevent session fixation attacks.
-        request.session.cycle_key()
+        session.cycle_key()
 
-    request.session[USER_ID_SESSION_KEY] = user.id
-    request.session[USER_HASH_SESSION_KEY] = session_auth_hash
-    if hasattr(request, "user"):
-        request.user = user
+    session[USER_ID_SESSION_KEY] = user.id
+    session[USER_HASH_SESSION_KEY] = session_auth_hash
+    set_request_user(request, user)
 
 
 def logout(request):
@@ -88,9 +94,9 @@ def logout(request):
     """
     # Dispatch the signal before the user is logged out so the receivers have a
     # chance to find out *who* logged out.
-    request.session.flush()
-    if hasattr(request, "user"):
-        request.user = None
+    session = get_request_session(request)
+    session.flush()
+    set_request_user(request, None)
 
 
 def get_user_model():
@@ -114,12 +120,14 @@ def get_user(request):
     Return the user model instance associated with the given request session.
     If no user is retrieved, return None.
     """
-    if USER_ID_SESSION_KEY not in request.session:
+    session = get_request_session(request)
+
+    if USER_ID_SESSION_KEY not in session:
         return None
 
     UserModel = get_user_model()
     try:
-        user = UserModel.query.get(id=request.session[USER_ID_SESSION_KEY])
+        user = UserModel.query.get(id=session[USER_ID_SESSION_KEY])
     except UserModel.DoesNotExist:
         return None
 
@@ -130,7 +138,7 @@ def get_user(request):
     # If it has changed (i.e. password changed), then the session
     # is no longer valid and cleared out.
     if settings.AUTH_USER_SESSION_HASH_FIELD:
-        session_hash = request.session.get(USER_HASH_SESSION_KEY)
+        session_hash = session.get(USER_HASH_SESSION_KEY)
         if not session_hash:
             session_hash_verified = False
         else:
@@ -148,10 +156,10 @@ def get_user(request):
                 )
                 for fallback_auth_hash in get_session_auth_fallback_hash(user)
             ):
-                request.session.cycle_key()
-                request.session[USER_HASH_SESSION_KEY] = session_auth_hash
+                session.cycle_key()
+                session[USER_HASH_SESSION_KEY] = session_auth_hash
             else:
-                request.session.flush()
+                session.flush()
                 user = None
 
     return user

plain_auth-0.20.0/plain/auth/templates.py

@@ -0,0 +1,14 @@
+from jinja2 import pass_context
+
+from plain.templates import register_template_global
+
+from .requests import get_request_user
+
+
+@register_template_global
+@pass_context
+def get_current_user(context):
+    """Get the authenticated user for the current request."""
+    request = context.get("request")
+    assert request is not None, "No request in template context"
+    return get_request_user(request)

{plain_auth-0.19.0 → plain_auth-0.20.0}/plain/auth/test.py

@@ -3,7 +3,9 @@ from http.cookies import SimpleCookie
 from plain.http.request import Request
 from plain.runtime import settings
 from plain.sessions import SessionStore
+from plain.sessions.requests import get_request_session, set_request_session
 
+from .requests import set_request_user
 from .sessions import get_user, login, logout
 
 
@@ -11,13 +13,15 @@ def login_client(client, user):
     """Log a user into a test client."""
     request = Request()
     if client.session:
-        request.session = client.session
+        session = client.session
     else:
-        request.session = SessionStore()
+        session = SessionStore()
+    set_request_session(request, session)
     login(request, user)
-    request.session.save()
+    session = get_request_session(request)
+    session.save()
     session_cookie = settings.SESSION_COOKIE_NAME
-    client.cookies[session_cookie] = request.session.session_key
+    client.cookies[session_cookie] = session.session_key
     cookie_data = {
         "max-age": None,
         "path": "/",
@@ -32,9 +36,12 @@ def logout_client(client):
     """Log out a user from a test client."""
     request = Request()
     if client.session:
-        request.session = client.session
-        request.user = get_user(request)
+        session = client.session
+        set_request_session(request, session)
+        user = get_user(request)
+        set_request_user(request, user)
     else:
-        request.session = SessionStore()
+        session = SessionStore()
+        set_request_session(request, session)
     logout(request)
     client.cookies = SimpleCookie()

{plain_auth-0.19.0 → plain_auth-0.20.0}/plain/auth/views.py

@@ -1,3 +1,7 @@
+from __future__ import annotations
+
+from functools import cached_property
+from typing import TYPE_CHECKING
 from urllib.parse import urlparse, urlunparse
 
 from plain.exceptions import PermissionDenied
@@ -8,6 +12,7 @@ from plain.http import (
     ResponseRedirect,
 )
 from plain.runtime import settings
+from plain.sessions.views import SessionViewMixin
 from plain.urls import reverse
 from plain.utils.cache import patch_cache_control
 from plain.views import View
@@ -15,6 +20,13 @@ from plain.views import View
 from .sessions import logout
 from .utils import resolve_url
 
+if TYPE_CHECKING:
+    from plain.http import Request
+
+    from .sessions import get_user_model
+
+    User = get_user_model()
+
 
 class LoginRequired(Exception):
     def __init__(self, login_url=None, redirect_field_name="next"):
@@ -22,43 +34,53 @@ class LoginRequired(Exception):
         self.redirect_field_name = redirect_field_name
 
 
-class AuthViewMixin:
-    login_required = True
-    admin_required = False
+class AuthViewMixin(SessionViewMixin):
+    login_required = False
+    admin_required = False  # Implies login_required
     login_url = settings.AUTH_LOGIN_URL
 
+    request: Request
+
+    @cached_property
+    def user(self) -> User | None:
+        """Get the authenticated user for this request."""
+        from .requests import get_request_user
+
+        return get_request_user(self.request)
+
+    def get_template_context(self) -> dict:
+        """Add user and impersonator to template context."""
+        context = super().get_template_context()
+        context["user"] = self.user
+        return context
+
     def check_auth(self) -> None:
         """
         Raises either LoginRequired or PermissionDenied.
         - LoginRequired can specify a login_url and redirect_field_name
         - PermissionDenied can specify a message
         """
+        if not self.login_required and not self.admin_required:
+            return None
 
-        if not hasattr(self, "request"):
-            raise AttributeError(
-                "AuthViewMixin requires the request attribute to be set."
-            )
-
-        if self.login_required and not self.request.user:
+        if not self.user:
             raise LoginRequired(login_url=self.login_url)
 
-        if impersonator := getattr(self.request, "impersonator", None):
-            # Impersonators should be able to view admin pages while impersonating.
-            # There's probably never a case where an impersonator isn't admin, but it can be configured.
-            if self.admin_required and not impersonator.is_admin:
-                raise PermissionDenied(
-                    "You do not have permission to access this page."
-                )
-        elif self.admin_required and not self.request.user.is_admin:
-            # Show a 404 so we don't expose admin urls to non-admin users
-            raise Http404()
+        if self.admin_required:
+            # At this point, we know user is authenticated (from check above)
+            # Check if impersonation is active
+            if impersonator := getattr(self, "impersonator", None):
+                # Impersonators should be able to view admin pages while impersonating.
+                # There's probably never a case where an impersonator isn't admin, but it can be configured.
+                if not impersonator.is_admin:
+                    raise PermissionDenied(
+                        "You do not have permission to access this page."
+                    )
+            elif not self.user.is_admin:
+                # Show a 404 so we don't expose admin urls to non-admin users
+                raise Http404()
 
     def get_response(self) -> Response:
-        if not hasattr(self, "request"):
-            raise AttributeError(
-                "AuthViewMixin requires the request attribute to be set."
-            )
-
         try:
             self.check_auth()
         except LoginRequired as e:
@@ -85,8 +107,11 @@ class AuthViewMixin:
                 raise PermissionDenied("Login required")
 
         response = super().get_response()
-        # Make sure it at least has private as a default
-        patch_cache_control(response, private=True)
+
+        if self.user:
+            # Make sure it at least has private as a default
+            patch_cache_control(response, private=True)
+
         return response
 
 

{plain_auth-0.19.0 → plain_auth-0.20.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "plain.auth"
-version = "0.19.0"
+version = "0.20.0"
 description = "Add users to your app and decide what they can access."
 authors = [{name = "Dave Gaeddert", email = "dave.gaeddert@dropseed.dev"}]
 readme = "README.md"

{plain_auth-0.19.0 → plain_auth-0.20.0}/tests/app/settings.py

@@ -8,7 +8,6 @@ INSTALLED_PACKAGES = [
 ]
 MIDDLEWARE = [
     "plain.sessions.middleware.SessionMiddleware",
-    "plain.auth.middleware.AuthenticationMiddleware",
 ]
 AUTH_LOGIN_URL = "login"
 AUTH_USER_MODEL = "users.User"

{plain_auth-0.19.0 → plain_auth-0.20.0}/tests/app/urls.py

@@ -9,12 +9,14 @@ class LoginView(View):
 
 
 class ProtectedView(AuthViewMixin, View):
+    login_required = True
+
     def get(self):
         return "protected"
 
 
 class OpenView(AuthViewMixin, View):
-    login_required = False
+    # login_required = False
 
     def get(self):
         return "open"
@@ -28,6 +30,7 @@ class AdminView(AuthViewMixin, View):
 
 
 class NoLoginUrlView(AuthViewMixin, View):
+    login_required = True
     login_url = None
 
     def get(self):

{plain_auth-0.19.0 → plain_auth-0.20.0}/tests/test_views.py

@@ -14,7 +14,7 @@ def test_view_without_login_required(db):
     response = client.get("/open/")
     assert response.status_code == 200
     assert response.content == b"open"
-    assert response.headers["Cache-Control"] == "private"
+    assert "Cache-Control" not in response.headers
 
 
 def test_admin_required(db):
@@ -33,6 +33,7 @@ def test_admin_required(db):
     resp = client.get("/admin/")
     assert resp.status_code == 200
     assert resp.content == b"admin"
+    assert resp.headers["Cache-Control"] == "private"
 
 
 def test_no_login_url_forbidden(db):

plain_auth-0.19.0/plain/auth/__init__.py

@@ -1,8 +0,0 @@
-from .sessions import get_user, get_user_model, login, logout
-
-__all__ = [
-    "login",
-    "logout",
-    "get_user_model",
-    "get_user",
-]

plain_auth-0.19.0/plain/auth/middleware.py

@@ -1,33 +0,0 @@
-from opentelemetry import trace
-from opentelemetry.semconv._incubating.attributes.user_attributes import USER_ID
-
-from plain import auth
-from plain.exceptions import ImproperlyConfigured
-from plain.utils.functional import SimpleLazyObject
-
-
-def get_user(request):
-    if not hasattr(request, "_cached_user"):
-        request._cached_user = auth.get_user(request)
-        if request._cached_user:
-            trace.get_current_span().set_attribute(USER_ID, request._cached_user.id)
-    return request._cached_user
-
-
-class AuthenticationMiddleware:
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        if not hasattr(request, "session"):
-            raise ImproperlyConfigured(
-                "The Plain authentication middleware requires session "
-                "middleware to be installed. Edit your MIDDLEWARE setting to "
-                "insert "
-                "'plain.sessions.middleware.SessionMiddleware' before "
-                "'plain.auth.middleware.AuthenticationMiddleware'."
-            )
-
-        request.user = SimpleLazyObject(lambda: get_user(request))
-
-        return self.get_response(request)