PyPI - quart-httpauth - Versions diffs - 0.0.1__py3-none-any.whl - Mend

quart-httpauth 0.0.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

quart_httpauth/__init__.py +643 -0
quart_httpauth/py.typed +0 -0
quart_httpauth-0.0.1.dist-info/METADATA +167 -0
quart_httpauth-0.0.1.dist-info/RECORD +6 -0
quart_httpauth-0.0.1.dist-info/WHEEL +4 -0
quart_httpauth-0.0.1.dist-info/licenses/LICENSE +21 -0

quart_httpauth/__init__.py ADDED Viewed

@@ -0,0 +1,643 @@
+"""Basic, Digest and Token HTTP authentication for Quart routes.
+``quart_httpauth`` is an async-native port of Flask-HTTPAuth_. The public API —
+class names, constructor arguments, decorator names, and callback contracts — is
+preserved, so existing Flask-HTTPAuth code transfers by switching the ``flask``
+imports to ``quart`` and the ``flask_httpauth`` import to ``quart_httpauth``. The
+only intentional behavioural change is that the request pipeline and every user
+callback are awaited; callbacks may be written as either ``def`` or
+``async def``.
+.. _Flask-HTTPAuth: https://github.com/miguelgrinberg/flask-httpauth
+"""
+from __future__ import annotations
+import hmac
+from base64 import b64decode
+from collections.abc import Awaitable
+from functools import wraps
+from hashlib import md5
+from importlib.metadata import PackageNotFoundError, version
+from random import Random, SystemRandom
+from typing import Any, Callable, cast
+from quart import Response, current_app, g, make_response, request, session
+from werkzeug.datastructures import Authorization, Headers
+__all__ = [
+    "HTTPAuth",
+    "HTTPBasicAuth",
+    "HTTPDigestAuth",
+    "HTTPTokenAuth",
+    "HTTPMultiAuth",
+    "MultiAuth",
+]
+try:
+    __version__ = version("quart-httpauth")
+except PackageNotFoundError:  # pragma: no cover - running from an uninstalled tree
+    __version__ = "0.0.0"
+#: A user callback, which may be synchronous or a coroutine function.
+Callback = Callable[..., Any]
+class HTTPAuth:
+    """Base class for the HTTP authentication schemes.
+    This class is effectively abstract: it owns the shared machinery (the
+    ``login_required`` decorator, error handling, header parsing, and role
+    authorization) but delegates credential checking to :meth:`authenticate`,
+    which each concrete subclass implements.
+    """
+    def __init__(
+        self,
+        scheme: str | None = None,
+        realm: str | None = None,
+        header: str | None = None,
+    ) -> None:
+        self.scheme = scheme
+        self.realm = realm or "Authentication Required"
+        self.header = header
+        self.get_password_callback: Callback | None = None
+        self.get_user_roles_callback: Callback | None = None
+        self.auth_error_callback: Callable[..., Awaitable[Response]]
+        def default_get_password(username: str) -> None:
+            return None
+        def default_auth_error(status: int) -> tuple[str, int]:
+            return "Unauthorized Access", status
+        self.get_password(default_get_password)
+        self.error_handler(default_auth_error)
+    def is_compatible_auth(self, headers: Headers) -> bool:
+        """Return whether *headers* carry credentials for this scheme."""
+        if self.header is None or self.header == "Authorization":
+            try:
+                scheme, _ = headers.get("Authorization", "").split(None, 1)
+            except ValueError:
+                # malformed or absent Authorization header
+                return False
+            return scheme == self.scheme
+        return self.header in headers
+    def get_password(self, f: Callback) -> Callback:
+        """Register the callback used to obtain a user's stored password.
+        This is the primary mechanism used by :class:`HTTPDigestAuth`; it is not
+        a credential path for Basic authentication (use
+        :meth:`HTTPBasicAuth.verify_password` instead). Example::
+            @auth.get_password
+            def get_password(username):
+                return db.get_user_password(username)
+        """
+        self.get_password_callback = f
+        return f
+    def get_user_roles(self, f: Callback) -> Callback:
+        """Register the callback that returns the roles assigned to a user.
+        The callback receives the user returned by the verify callback (or, when
+        that callback returned ``True``, the ``Authorization`` object) and
+        returns a role or list of roles. Example::
+            @auth.get_user_roles
+            def get_user_roles(user):
+                return user.get_roles()
+        """
+        self.get_user_roles_callback = f
+        return f
+    def error_handler(self, f: Callback) -> Callable[..., Awaitable[Response]]:
+        """Register the callback that builds authentication error responses.
+        The callback may take one argument (the status code, ``401`` or ``403``)
+        or, for backward compatibility, no arguments. Its return value may be
+        any response type accepted by Quart routes; the framework guarantees a
+        ``WWW-Authenticate`` header is present. Example::
+            @auth.error_handler
+            def auth_error(status):
+                return "Access Denied", status
+        """
+        @wraps(f)
+        async def decorated(*args: Any, **kwargs: Any) -> Response:
+            result = await self.ensure_async(f)(*args, **kwargs)
+            explicit_status = isinstance(result, (tuple, Response))
+            response = cast(Response, await make_response(result))
+            if not explicit_status and response.status_code == 200:
+                # the callback did not set a status code, so default to 401
+                response.status_code = 401
+            if "WWW-Authenticate" not in response.headers:
+                response.headers["WWW-Authenticate"] = await self.authenticate_header()
+            return response
+        self.auth_error_callback = decorated
+        return decorated
+    async def authenticate_header(self) -> str:
+        """Return the value of the ``WWW-Authenticate`` challenge header."""
+        return f'{self.scheme} realm="{self.realm}"'
+    def get_auth(self) -> Authorization | None:
+        """Parse the request's credentials into an ``Authorization`` object."""
+        auth: Authorization | None = None
+        if self.header is None or self.header == "Authorization":
+            auth = request.authorization
+            # Werkzeug < 2.3 only recognizes Basic and Digest, so on older
+            # versions the header is parsed by hand here.
+            if auth is None and "Authorization" in request.headers:  # pragma: no cover
+                try:
+                    auth_type, token = request.headers["Authorization"].split(None, 1)
+                    auth = Authorization(auth_type)
+                    auth.token = token
+                except (ValueError, KeyError):
+                    pass
+        elif self.header in request.headers:
+            # a custom header is used, so its entire value is the token
+            auth = Authorization(self.scheme or "")
+            auth.token = request.headers[self.header]
+        # If the scheme does not match we behave as if there were no auth at
+        # all. This is friendlier than failing outright, as it lets callbacks
+        # handle special cases such as supporting multiple schemes.
+        if auth is not None and auth.type.lower() != (self.scheme or "").lower():
+            auth = None
+        return auth
+    async def get_auth_password(self, auth: Authorization | None) -> Any:
+        """Look up the stored password for the authenticated username."""
+        if auth and auth.username and self.get_password_callback is not None:
+            return await self.ensure_async(self.get_password_callback)(auth.username)
+        return None
+    async def authorize(
+        self,
+        role: Any,
+        user: Any,
+        auth: Authorization | None,
+    ) -> bool | None:
+        """Return whether *user* satisfies the required *role*."""
+        if role is None:
+            return True
+        roles = list(role) if isinstance(role, (list, tuple)) else [role]
+        if user is True:
+            user = auth
+        if self.get_user_roles_callback is None:  # pragma: no cover
+            raise ValueError("get_user_roles callback is not defined")
+        user_roles = await self.ensure_async(self.get_user_roles_callback)(user)
+        if user_roles is None:
+            user_roles = set()
+        elif not isinstance(user_roles, (list, tuple)):
+            user_roles = {user_roles}
+        else:
+            user_roles = set(user_roles)
+        for required in roles:
+            if isinstance(required, (list, tuple)):
+                required = set(required)
+                if required & user_roles == required:
+                    return True
+            elif required in user_roles:
+                return True
+        return None
+    async def authenticate(
+        self, auth: Authorization | None, stored_password: Any
+    ) -> Any:
+        """Verify the request's credentials (implemented by subclasses)."""
+        raise NotImplementedError  # pragma: no cover
+    def login_required(
+        self,
+        f: Callback | None = None,
+        role: Any = None,
+        optional: bool | None = None,
+    ) -> Any:
+        """Protect a view so it only runs after successful authentication.
+        Example::
+            @app.route("/private")
+            @auth.login_required
+            async def private_page():
+                return "Only for authorized people!"
+        Pass ``role`` to require one or more roles, or ``optional=True`` to allow
+        anonymous access (in which case :meth:`current_user` returns ``None``).
+        """
+        if f is not None and (role is not None or optional is not None):
+            raise ValueError(  # pragma: no cover
+                "role and optional are the only supported arguments"
+            )
+        def login_required_internal(f: Callback) -> Callback:
+            @wraps(f)
+            async def decorated(*args: Any, **kwargs: Any) -> Any:
+                auth = self.get_auth()
+                # Quart normally handles OPTIONS requests itself, but if it is
+                # configured to forward them we must ignore the authentication
+                # headers and let the request through, so CORS preflight is
+                # never challenged.
+                if request.method != "OPTIONS":  # pragma: no cover
+                    password = await self.get_auth_password(auth)
+                    status = None
+                    user = await self.authenticate(auth, password)
+                    if user in (False, None):
+                        status = 401
+                    elif not await self.authorize(role, user, auth):
+                        status = 403
+                    if not optional and status:
+                        try:
+                            return await self.auth_error_callback(status)
+                        except TypeError:
+                            return await self.auth_error_callback()
+                    if user is True:
+                        g.quart_httpauth_user = auth.username if auth else None
+                    else:
+                        g.quart_httpauth_user = user
+                return await self.ensure_async(f)(*args, **kwargs)
+            return decorated
+        if f:
+            return login_required_internal(f)
+        return login_required_internal
+    def current_user(self) -> Any:
+        """Return the user resolved by the verify callback, or ``None``.
+        When the verify callback returned ``True`` instead of a user object,
+        this is the username (or token) sent by the client. Example::
+            @app.route("/")
+            @auth.login_required
+            async def index():
+                return f"Hello, {auth.current_user()}!"
+        """
+        return getattr(g, "quart_httpauth_user", None)
+    def ensure_async(self, f: Callback) -> Callable[..., Awaitable[Any]]:
+        """Adapt *f* into an awaitable, whether it is sync or async.
+        Sync callbacks are offloaded to Quart's executor so they do not block
+        the event loop; coroutine functions are returned unchanged.
+        """
+        try:
+            return current_app.ensure_async(f)
+        except AttributeError:  # pragma: no cover - very old Quart
+            return f
+class HTTPBasicAuth(HTTPAuth):
+    """HTTP Basic authentication (RFC 7617).
+    If *scheme* is given it replaces the standard ``Basic`` scheme in the
+    ``WWW-Authenticate`` response; a custom scheme is a common way to stop
+    browsers from showing their built-in login prompt. *realm* sets the
+    application-defined realm advertised in that header.
+    """
+    def __init__(self, scheme: str | None = None, realm: str | None = None) -> None:
+        super().__init__(scheme or "Basic", realm)
+        self.verify_password_callback: Callback | None = None
+    def verify_password(self, f: Callback) -> Callback:
+        """Register the callback that verifies a username and password.
+        The callback receives the username and password and returns the user
+        object on success, ``True`` when there is no user object, or
+        ``None``/``False`` on failure. Example::
+            @auth.verify_password
+            async def verify_password(username, password):
+                user = await User.get(username)
+                if user and user.check_password(password):
+                    return user
+        It is also called for requests without credentials, with both arguments
+        set to empty strings; returning ``True`` there allows anonymous access.
+        """
+        self.verify_password_callback = f
+        return f
+    def get_auth(self) -> Authorization | None:
+        # This parser is more permissive than Werkzeug's: it accepts schemes
+        # other than "Basic" and falls back to latin-1 decoding.
+        header = self.header or "Authorization"
+        if header not in request.headers:
+            return None
+        value = request.headers[header].encode("utf-8")
+        try:
+            scheme, credentials = value.split(b" ", 1)
+            encoded_username, encoded_password = b64decode(credentials).split(b":", 1)
+        except (ValueError, TypeError):
+            return None
+        try:
+            username = encoded_username.decode("utf-8")
+            password = encoded_password.decode("utf-8")
+        except UnicodeDecodeError:
+            # latin-1 always succeeds, so it is a safe fallback
+            username = encoded_username.decode("latin1")
+            password = encoded_password.decode("latin1")
+        return Authorization(
+            scheme.decode("ascii"),
+            {"username": username, "password": password},
+        )
+    async def authenticate(
+        self, auth: Authorization | None, stored_password: Any
+    ) -> Any:
+        if auth:
+            username = auth.username
+            client_password = auth.password
+        else:
+            username = ""
+            client_password = ""
+        if self.verify_password_callback is not None:
+            return await self.ensure_async(self.verify_password_callback)(
+                username, client_password
+            )
+        return None
+class HTTPDigestAuth(HTTPAuth):
+    """HTTP Digest authentication (RFC 7616).
+    If *scheme* is given it replaces the standard ``Digest`` scheme in the
+    challenge, and *realm* sets the advertised realm.
+    When *use_ha1_pw* is ``False`` the :meth:`get_password` callback returns the
+    plaintext password; when it is ``True`` the callback returns the HA1 hash,
+    allowing the application to avoid storing plaintext passwords.
+    *qop* configures the accepted quality-of-protection values (a comma-separated
+    string, a list, or ``None`` to disable); the default is ``auth`` and
+    ``auth-int`` is not implemented. *algorithm* selects ``MD5`` (default) or
+    ``MD5-Sess``.
+    .. note::
+        By default the ``nonce`` and ``opaque`` values are stored in the Quart
+        session. With the default cookie-based sessions these values can leak,
+        so a server-side session backend should be used in production.
+    """
+    def __init__(
+        self,
+        scheme: str | None = None,
+        realm: str | None = None,
+        use_ha1_pw: bool = False,
+        qop: str | list[str] | None = "auth",
+        algorithm: str = "MD5",
+    ) -> None:
+        super().__init__(scheme or "Digest", realm)
+        self.use_ha1_pw = use_ha1_pw
+        if isinstance(qop, str):
+            self.qop = [v.strip() for v in qop.split(",")]
+        else:
+            self.qop = qop or []
+        if algorithm.lower() == "md5":
+            self.algorithm = "MD5"
+        elif algorithm.lower() == "md5-sess":
+            self.algorithm = "MD5-Sess"
+        else:
+            raise ValueError(f"Algorithm {algorithm} is not supported")
+        self.random: SystemRandom | Random = SystemRandom()
+        try:
+            self.random.random()
+        except NotImplementedError:  # pragma: no cover
+            self.random = Random()
+        self.generate_nonce_callback: Callback
+        self.verify_nonce_callback: Callback
+        self.generate_opaque_callback: Callback
+        self.verify_opaque_callback: Callback
+        def generate_random() -> str:
+            return md5(str(self.random.random()).encode("utf-8")).hexdigest()
+        def default_generate_nonce() -> str:
+            session["auth_nonce"] = generate_random()
+            return session["auth_nonce"]
+        def default_verify_nonce(nonce: str | None) -> bool:
+            session_nonce = session.get("auth_nonce")
+            if nonce is None or session_nonce is None:
+                return False
+            return hmac.compare_digest(nonce, session_nonce)
+        def default_generate_opaque() -> str:
+            session["auth_opaque"] = generate_random()
+            return session["auth_opaque"]
+        def default_verify_opaque(opaque: str | None) -> bool:
+            session_opaque = session.get("auth_opaque")
+            if opaque is None or session_opaque is None:  # pragma: no cover
+                return False
+            return hmac.compare_digest(opaque, session_opaque)
+        self.generate_nonce(default_generate_nonce)
+        self.generate_opaque(default_generate_opaque)
+        self.verify_nonce(default_verify_nonce)
+        self.verify_opaque(default_verify_opaque)
+    def generate_nonce(self, f: Callback) -> Callback:
+        """Register the callback that generates a nonce.
+        Defining this (together with :meth:`verify_nonce`) lets the application
+        use a state store other than the session.
+        """
+        self.generate_nonce_callback = f
+        return f
+    def verify_nonce(self, f: Callback) -> Callback:
+        """Register the callback that verifies a nonce."""
+        self.verify_nonce_callback = f
+        return f
+    def generate_opaque(self, f: Callback) -> Callback:
+        """Register the callback that generates an opaque value.
+        Defining this (together with :meth:`verify_opaque`) lets the application
+        use a state store other than the session.
+        """
+        self.generate_opaque_callback = f
+        return f
+    def verify_opaque(self, f: Callback) -> Callback:
+        """Register the callback that verifies an opaque value."""
+        self.verify_opaque_callback = f
+        return f
+    async def get_nonce(self) -> str:
+        return await self.ensure_async(self.generate_nonce_callback)()
+    async def get_opaque(self) -> str:
+        return await self.ensure_async(self.generate_opaque_callback)()
+    def generate_ha1(self, username: str, password: str) -> str:
+        """Return the HA1 hash to store when ``use_ha1_pw`` is ``True``."""
+        a1 = f"{username}:{self.realm}:{password}".encode()
+        return md5(a1).hexdigest()
+    async def authenticate_header(self) -> str:
+        nonce = await self.get_nonce()
+        opaque = await self.get_opaque()
+        challenge = (
+            f'{self.scheme} realm="{self.realm}",nonce="{nonce}",' f'opaque="{opaque}"'
+        )
+        if self.qop:
+            qop_str = ",".join(self.qop)
+            challenge += f',algorithm="{self.algorithm}",qop="{qop_str}"'
+        return challenge
+    async def authenticate(
+        self, auth: Authorization | None, stored_password_or_ha1: Any
+    ) -> bool:
+        if (
+            not auth
+            or not auth.username
+            or not auth.realm
+            or not auth.uri
+            or not auth.nonce
+            or not auth.response
+            or not stored_password_or_ha1
+        ):
+            return False
+        nonce_ok = await self.ensure_async(self.verify_nonce_callback)(auth.nonce)
+        opaque_ok = await self.ensure_async(self.verify_opaque_callback)(auth.opaque)
+        if not nonce_ok or not opaque_ok:
+            return False
+        if auth.qop and auth.qop not in self.qop:  # pragma: no cover
+            return False
+        if self.use_ha1_pw:
+            ha1 = stored_password_or_ha1
+        else:
+            a1 = f"{auth.username}:{auth.realm}:{stored_password_or_ha1}"
+            ha1 = md5(a1.encode("utf-8")).hexdigest()
+        if self.algorithm == "MD5-Sess":
+            ha1 = md5(f"{ha1}:{auth.nonce}:{auth.cnonce}".encode()).hexdigest()
+        a2 = f"{request.method}:{auth.uri}"
+        ha2 = md5(a2.encode("utf-8")).hexdigest()
+        if auth.qop == "auth":
+            a3 = f"{ha1}:{auth.nonce}:{auth.nc}:{auth.cnonce}:auth:{ha2}"
+        else:
+            a3 = f"{ha1}:{auth.nonce}:{ha2}"
+        response = md5(a3.encode("utf-8")).hexdigest()
+        return hmac.compare_digest(response, auth.response)
+class HTTPTokenAuth(HTTPAuth):
+    """Bearer or custom-header token authentication.
+    *scheme* names the scheme used in the ``Authorization`` header and the
+    challenge (``Bearer`` by default)::
+        Authorization: Bearer this-is-my-token
+    *realm* sets the advertised realm. *header* selects a custom header to read
+    the token from instead of ``Authorization``; there the whole header value is
+    the token and no scheme prefix is expected::
+        X-API-Key: this-is-my-token
+    """
+    def __init__(
+        self,
+        scheme: str = "Bearer",
+        realm: str | None = None,
+        header: str | None = None,
+    ) -> None:
+        super().__init__(scheme, realm, header)
+        self.verify_token_callback: Callback | None = None
+    def verify_token(self, f: Callback) -> Callback:
+        """Register the callback that verifies a token.
+        The callback receives the token and returns the user object on success,
+        ``True`` when there is no user object, or ``None``/``False`` on failure.
+        A verify callback is required when using this class. Example::
+            @auth.verify_token
+            async def verify_token(token):
+                return await User.get_by_token(token)
+        """
+        self.verify_token_callback = f
+        return f
+    async def authenticate(
+        self, auth: Authorization | None, stored_password: Any
+    ) -> Any:
+        token = getattr(auth, "token", None)
+        if token and self.verify_token_callback is not None:
+            return await self.ensure_async(self.verify_token_callback)(token)
+        return None
+class MultiAuth:
+    """Try several authentication schemes in order on a single route.
+    Construct it with one or more of :class:`HTTPBasicAuth`,
+    :class:`HTTPDigestAuth` or :class:`HTTPTokenAuth`. A protected route uses the
+    first scheme whose header is compatible with the request, falling back to the
+    main scheme's challenge when none match.
+    """
+    def __init__(self, main_auth: HTTPAuth, *additional_auths: HTTPAuth) -> None:
+        self.main_auth = main_auth
+        self.additional_auths = additional_auths
+    def login_required(
+        self,
+        f: Callback | None = None,
+        role: Any = None,
+        optional: bool | None = None,
+    ) -> Any:
+        """Protect a view, delegating to the first compatible scheme."""
+        if f is not None and (role is not None or optional is not None):
+            raise ValueError(  # pragma: no cover
+                "role and optional are the only supported arguments"
+            )
+        def login_required_internal(f: Callback) -> Callback:
+            @wraps(f)
+            async def decorated(*args: Any, **kwargs: Any) -> Any:
+                selected_auth = self.main_auth
+                if not self.main_auth.is_compatible_auth(request.headers):
+                    for auth in self.additional_auths:
+                        if auth.is_compatible_auth(request.headers):
+                            selected_auth = auth
+                            break
+                guarded = selected_auth.login_required(role=role, optional=optional)(f)
+                return await guarded(*args, **kwargs)
+            return decorated
+        if f:
+            return login_required_internal(f)
+        return login_required_internal
+    def current_user(self) -> Any:
+        """Return the authenticated user, or ``None``."""
+        return getattr(g, "quart_httpauth_user", None)
+#: Friendlier alias. Upstream Flask-HTTPAuth exposes the class as ``MultiAuth``,
+#: so both names are provided to maximise compatibility.
+HTTPMultiAuth = MultiAuth

quart_httpauth/py.typed ADDED Viewed

File without changes

quart_httpauth-0.0.1.dist-info/METADATA ADDED Viewed

@@ -0,0 +1,167 @@
+Metadata-Version: 2.4
+Name: quart-httpauth
+Version: 0.0.1
+Summary: Basic, Digest and Token HTTP authentication for Quart routes
+Project-URL: Homepage, https://github.com/lymagics/quart_httpauth
+Project-URL: Bug Tracker, https://github.com/lymagics/quart_httpauth/issues
+Author: quart_httpauth contributors
+License: MIT
+License-File: LICENSE
+Keywords: async,authentication,basic,bearer,digest,http,quart,token
+Classifier: Environment :: Web Environment
+Classifier: Framework :: AsyncIO
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Internet :: WWW/HTTP :: Dynamic Content
+Classifier: Topic :: Security
+Requires-Python: >=3.9
+Requires-Dist: quart>=0.19
+Provides-Extra: dev
+Requires-Dist: black; extra == 'dev'
+Requires-Dist: coverage; extra == 'dev'
+Requires-Dist: hypercorn; extra == 'dev'
+Requires-Dist: hypothesis; extra == 'dev'
+Requires-Dist: language-tool-python; extra == 'dev'
+Requires-Dist: mypy; extra == 'dev'
+Requires-Dist: pyhamcrest; extra == 'dev'
+Requires-Dist: pytest; extra == 'dev'
+Requires-Dist: pytest-asyncio; extra == 'dev'
+Requires-Dist: pytest-cov; extra == 'dev'
+Requires-Dist: pytest-fail-slow; extra == 'dev'
+Requires-Dist: pytest-randomly; extra == 'dev'
+Requires-Dist: pytest-repeat; extra == 'dev'
+Requires-Dist: ruff; extra == 'dev'
+Provides-Extra: docs
+Requires-Dist: furo; extra == 'docs'
+Requires-Dist: sphinx; extra == 'docs'
+Description-Content-Type: text/markdown
+# quart-httpauth
+Basic, Digest and Token (Bearer) HTTP authentication for [Quart](https://github.com/pallets/quart)
+routes — an **async-native port of [Flask-HTTPAuth](https://github.com/miguelgrinberg/flask-httpauth)**.
+The public API mirrors Flask-HTTPAuth: class names, constructor arguments,
+decorator names, and callback contracts are preserved. Existing Flask-HTTPAuth
+code transfers by switching `flask` imports to `quart` and `flask_httpauth` to
+`quart_httpauth`. The one intentional change is that the request pipeline and
+every callback are awaited — your verify/role/error callbacks may be written as
+either `def` **or** `async def`.
+## Installation
+```
+pip install quart-httpauth
+```
+The distribution name is `quart-httpauth`; the import name is `quart_httpauth`.
+## Quickstart — Basic auth
+```python
+from quart import Quart
+from quart_httpauth import HTTPBasicAuth
+from werkzeug.security import check_password_hash, generate_password_hash
+app = Quart(__name__)
+auth = HTTPBasicAuth()
+users = {
+    "susan": generate_password_hash("hunter2"),
+}
+@auth.verify_password
+async def verify_password(username, password):
+    if username in users and check_password_hash(users[username], password):
+        return username
+@app.route("/")
+@auth.login_required
+async def index():
+    return f"Hello, {auth.current_user()}!"
+```
+## Token (Bearer) auth
+```python
+from quart import Quart
+from quart_httpauth import HTTPTokenAuth
+app = Quart(__name__)
+auth = HTTPTokenAuth(scheme="Bearer")
+tokens = {"secret-token-1": "john"}
+@auth.verify_token
+async def verify_token(token):
+    return tokens.get(token)
+@app.route("/")
+@auth.login_required
+async def index():
+    return f"Hello, {auth.current_user()}!"
+```
+A custom header works too: `HTTPTokenAuth(header="X-API-Key")` — there the entire
+header value is treated as the token with no scheme prefix.
+## Roles and optional auth
+```python
+@auth.get_user_roles
+async def get_user_roles(user):
+    return user.roles
+@app.route("/admin")
+@auth.login_required(role="admin")
+async def admin():
+    return "for admins only"
+@app.route("/maybe")
+@auth.login_required(optional=True)
+async def maybe():
+    user = auth.current_user()
+    return f"Hello, {user or 'anonymous'}!"
+```
+## Multiple schemes on one route
+```python
+from quart_httpauth import HTTPBasicAuth, HTTPTokenAuth, MultiAuth
+basic = HTTPBasicAuth()
+token = HTTPTokenAuth()
+multi = MultiAuth(basic, token)   # HTTPMultiAuth is an alias
+@app.route("/")
+@multi.login_required
+async def index():
+    return f"Hello, {multi.current_user()}!"
+```
+See [`examples/`](examples/) for runnable apps.
+## Differences from Flask-HTTPAuth
+- The deprecated `hash_password` callback, the `username()` accessor, and the
+  legacy `get_password`-as-Basic-credential path are **not** ported. Use
+  `verify_password` for Basic auth. `get_password` is retained for
+  `HTTPDigestAuth`, where it is the primary, non-deprecated mechanism.
+- The per-request user is stored on `g.quart_httpauth_user`.
+## License
+MIT. Ported from Flask-HTTPAuth (also MIT) by Miguel Grinberg.

quart_httpauth-0.0.1.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,6 @@
+quart_httpauth/__init__.py,sha256=4Y8c3_Pb9n0-I99jveeTmt3VwlfDWnX-vavwo_ev9iM,24863
+quart_httpauth/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+quart_httpauth-0.0.1.dist-info/METADATA,sha256=3cguDgakju7bZDZ2ZIDI6U13_5ilmojEoTzE9dEODnQ,4869
+quart_httpauth-0.0.1.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+quart_httpauth-0.0.1.dist-info/licenses/LICENSE,sha256=EefOWiPKOOz3R1pJ5rnvxq0ATiIRSXNxwSlDzwNCw-M,1077
+quart_httpauth-0.0.1.dist-info/RECORD,,

quart_httpauth-0.0.1.dist-info/WHEEL ADDED Viewed

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

quart_httpauth-0.0.1.dist-info/licenses/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Viacheslav Lymanskyi
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.