streamlit-nightly 1.41.2.dev20241227__py2.py3-none-any.whl → 1.41.2.dev20250124__py2.py3-none-any.whl

streamlit/watcher/local_sources_watcher.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -218,8 +218,10 @@ def get_module_paths(module: ModuleType) -> set[str]:
         except AttributeError:
             # Some modules might not have __file__ or __spec__ attributes.
             pass
-        except Exception as e:
-            _LOGGER.warning(f"Examining the path of {module.__name__} raised: {e}")
+        except Exception:
+            _LOGGER.warning(
+                f"Examining the path of {module.__name__} raised:", exc_info=True
+            )
 
         all_paths.update(
             [os.path.abspath(str(p)) for p in potential_paths if _is_valid_path(p)]

streamlit/watcher/path_watcher.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/watcher/polling_path_watcher.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/watcher/util.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -24,7 +24,9 @@ import hashlib
 import os
 import time
 from pathlib import Path
+from typing import Callable, TypeVar
 
+from streamlit.errors import Error
 from streamlit.util import HASHLIB_KWARGS
 
 # How many times to try to grab the MD5 hash.
@@ -56,7 +58,14 @@ def calc_md5_with_blocking_retries(
         glob_pattern = glob_pattern or "*"
         content = _stable_dir_identifier(path, glob_pattern).encode("UTF-8")
     else:
-        content = _get_file_content_with_blocking_retries(path)
+        # There's a race condition where sometimes file_path no longer exists when
+        # we try to read it (since the file is in the process of being written).
+        # So here we retry a few times using this loop. See issue #186.
+        content = _do_with_retries(
+            lambda: _get_file_content(path),
+            FileNotFoundError,
+            path,
+        )
 
     md5 = hashlib.md5(**HASHLIB_KWARGS)
     md5.update(content)
@@ -81,24 +90,19 @@ def path_modification_time(path: str, allow_nonexistent: bool = False) -> float:
     """
     if allow_nonexistent and not os.path.exists(path):
         return 0.0
-    return os.stat(path).st_mtime
 
+    # Use retries to avoid race condition where file may be in the process of being
+    # modified.
+    return _do_with_retries(
+        lambda: os.stat(path).st_mtime,
+        FileNotFoundError,
+        path,
+    )
 
-def _get_file_content_with_blocking_retries(file_path: str) -> bytes:
-    content = b""
-    # There's a race condition where sometimes file_path no longer exists when
-    # we try to read it (since the file is in the process of being written).
-    # So here we retry a few times using this loop. See issue #186.
-    for i in range(_MAX_RETRIES):
-        try:
-            with open(file_path, "rb") as f:
-                content = f.read()
-                break
-        except FileNotFoundError as e:
-            if i >= _MAX_RETRIES - 1:
-                raise e
-            time.sleep(_RETRY_WAIT_SECS)
-    return content
+
+def _get_file_content(file_path: str) -> bytes:
+    with open(file_path, "rb") as f:
+        return f.read()
 
 
 def _dirfiles(dir_path: str, glob_pattern: str) -> str:
@@ -134,9 +138,7 @@ def _stable_dir_identifier(dir_path: str, glob_pattern: str) -> str:
     """
     dirfiles = _dirfiles(dir_path, glob_pattern)
 
-    for _ in range(_MAX_RETRIES):
-        time.sleep(_RETRY_WAIT_SECS)
-
+    for _ in _retry_dance():
         new_dirfiles = _dirfiles(dir_path, glob_pattern)
         if dirfiles == new_dirfiles:
             break
@@ -144,3 +146,67 @@ def _stable_dir_identifier(dir_path: str, glob_pattern: str) -> str:
         dirfiles = new_dirfiles
 
     return f"{dir_path}+{dirfiles}"
+
+
+T = TypeVar("T")
+
+
+def _do_with_retries(
+    orig_fn: Callable[[], T],
+    exception: type[Exception],
+    path: str | Path,
+) -> T:
+    """Helper for retrying a function.
+
+    Calls `orig_fn`. If `exception` is raised, retry.
+
+    To use this, just replace things like this...
+
+        result = thing_to_do(file_path, a, b, c)
+
+    ...with this:
+
+        result = _do_with_retries(
+            lambda: thing_to_do(file_path, a, b, c),
+            exception: ExceptionThatWillCauseARetry,
+            file_path, # For pretty error message.
+        )
+    """
+    for i in _retry_dance():
+        try:
+            return orig_fn()
+        except exception:
+            if i >= _MAX_RETRIES - 1:
+                raise
+            else:
+                # Continue with loop to either retry or raise MaxRetriesError.
+                pass
+
+    raise MaxRetriesError(f"Unable to access file or folder: {path}")
+
+
+def _retry_dance():
+    """Helper for writing a retry loop.
+
+    This is useful to make sure all our retry loops work the same way. For example,
+    prior to this helper, some loops had time.sleep() *before the first try*, which just
+    slowed things down for no reason.
+
+    Usage:
+
+    for i in _retry_dance():
+        # Do the thing you want to retry automatically.
+        the_thing_worked = do_thing()
+
+        # Don't forget to include a break/return when the thing you're trying to do
+        # works.
+        if the_thing_worked:
+            break
+    """
+    for i in range(_MAX_RETRIES):
+        yield i
+        time.sleep(_RETRY_WAIT_SECS)
+
+
+class MaxRetriesError(Error):
+    pass

streamlit/web/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/bootstrap.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -298,6 +298,8 @@ def run(
     is_hello: bool,
     args: list[str],
     flag_options: dict[str, Any],
+    *,
+    stop_immediately_for_testing: bool = False,
 ) -> None:
     """Run a script in a separate thread and start a server for the app.
 
@@ -321,9 +323,27 @@ def run(
         # and close all our threads
         _set_up_signal_handler(server)
 
+        # return immediately if we're testing the server start
+        if stop_immediately_for_testing:
+            _LOGGER.debug("Stopping server immediately for testing")
+            server.stop()
+
         # Wait until `Server.stop` is called, either by our signal handler, or
         # by a debug websocket session.
         await server.stopped
 
     # Run the server. This function will not return until the server is shut down.
-    asyncio.run(run_server())
+    # FIX RuntimeError: asyncio.run() cannot be called from a running event loop on Python 3.10.16
+    # asyncio.run(run_server())
+
+    # Define a main function to handle the event loop logic
+    async def main():
+        await run_server()
+
+    # Check if we're already in an event loop
+    if asyncio.get_event_loop().is_running():
+        # Use `asyncio.create_task` if we're in an async context
+        asyncio.create_task(main())
+    else:
+        # Otherwise, use `asyncio.run`
+        asyncio.run(main())

streamlit/web/cache_storage_manager_config.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/cli.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/app_static_file_handler.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/authlib_tornado_integration.py

@@ -0,0 +1,58 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Any, Sequence
+
+from authlib.integrations.base_client import (  # type: ignore[import-untyped]
+    FrameworkIntegration,
+)
+
+from streamlit.runtime.secrets import AttrDict
+
+if TYPE_CHECKING:
+    from streamlit.web.server.oidc_mixin import TornadoOAuth
+
+
+class TornadoIntegration(FrameworkIntegration):  # type: ignore[misc]
+    def update_token(self, token, refresh_token=None, access_token=None):
+        """We do not support access token refresh, since we obtain and operate only on
+        identity tokens. We override this method explicitly to implement all abstract
+        methods of base class.
+        """
+
+    @staticmethod
+    def load_config(
+        oauth: TornadoOAuth, name: str, params: Sequence[str]
+    ) -> dict[str, Any]:
+        """Configure Authlib integration with provider parameters
+        specified in secrets.toml
+        """
+
+        # oauth.config here is an auth section from secrets.toml
+        # We parse it here to transform nested AttrDict (for client_kwargs value)
+        # to dict so Authlib can work with it under the hood.
+        if not oauth.config:
+            return {}
+
+        prepared_config = {}
+        for key in params:
+            value = oauth.config.get(name, {}).get(key, None)
+            if isinstance(value, AttrDict):
+                # We want to modify client_kwargs further after loading server metadata
+                value = value.to_dict()
+            if value is not None:
+                prepared_config[key] = value
+        return prepared_config

streamlit/web/server/browser_websocket_handler.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,14 +16,17 @@ from __future__ import annotations
 
 import base64
 import binascii
+import hmac
 import json
 from typing import TYPE_CHECKING, Any, Awaitable, Final
+from urllib.parse import urlparse
 
 import tornado.concurrent
 import tornado.locks
 import tornado.netutil
 import tornado.web
 import tornado.websocket
+from tornado.escape import utf8
 from tornado.websocket import WebSocketHandler
 
 from streamlit import config
@@ -31,7 +34,11 @@ from streamlit.logger import get_logger
 from streamlit.proto.BackMsg_pb2 import BackMsg
 from streamlit.runtime import Runtime, SessionClient, SessionClientDisconnectedError
 from streamlit.runtime.runtime_util import serialize_forward_msg
-from streamlit.web.server.server_util import is_url_from_allowed_origins
+from streamlit.web.server.server_util import (
+    AUTH_COOKIE_NAME,
+    is_url_from_allowed_origins,
+    is_xsrf_enabled,
+)
 
 if TYPE_CHECKING:
     from streamlit.proto.ForwardMsg_pb2 import ForwardMsg
@@ -50,13 +57,63 @@ class BrowserWebSocketHandler(WebSocketHandler, SessionClient):
         # need to read the self.xsrf_token manually to set the cookie as a side
         # effect. See https://www.tornadoweb.org/en/stable/guide/security.html#cross-site-request-forgery-protection
         # for more details.
-        if config.get_option("server.enableXsrfProtection"):
+        if is_xsrf_enabled():
             _ = self.xsrf_token
 
+    def get_signed_cookie(
+        self,
+        name: str,
+        value: str | None = None,
+        max_age_days: float = 31,
+        min_version: int | None = None,
+    ) -> bytes | None:
+        """Get a signed cookie from the request. Added for compatibility with
+        Tornado < 6.3.0.
+        See release notes: https://www.tornadoweb.org/en/stable/releases/v6.3.0.html#deprecation-notices
+        """
+        try:
+            return super().get_signed_cookie(name, value, max_age_days, min_version)
+        except AttributeError:
+            return super().get_secure_cookie(name, value, max_age_days, min_version)
+
     def check_origin(self, origin: str) -> bool:
         """Set up CORS."""
         return super().check_origin(origin) or is_url_from_allowed_origins(origin)
 
+    def _validate_xsrf_token(self, supplied_token: str) -> bool:
+        """Inspired by tornado.web.RequestHandler.check_xsrf_cookie method,
+        to check the XSRF token passed in Websocket connection header.
+        """
+        _, token, _ = self._decode_xsrf_token(supplied_token)
+        _, expected_token, _ = self._get_raw_xsrf_token()
+
+        decoded_token = utf8(token)
+        decoded_expected_token = utf8(expected_token)
+
+        if not decoded_token or not decoded_expected_token:
+            return False
+        return hmac.compare_digest(decoded_token, decoded_expected_token)
+
+    def _parse_user_cookie(self, raw_cookie_value: bytes, email: str) -> dict[str, Any]:
+        """Process the user cookie and extract the user info after
+        validating the origin. Origin is validated for security reasons.
+        """
+        cookie_value = json.loads(raw_cookie_value)
+        user_info = {}
+
+        cookie_value_origin = cookie_value.get("origin", None)
+        parsed_origin_from_header = urlparse(self.request.headers["Origin"])
+        expected_origin_value = (
+            parsed_origin_from_header.scheme + "://" + parsed_origin_from_header.netloc
+        )
+        if cookie_value_origin == expected_origin_value:
+            user_info["is_logged_in"] = cookie_value.get("is_logged_in", False)
+            del cookie_value["origin"]
+            del cookie_value["is_logged_in"]
+            user_info.update(cookie_value)
+
+        return user_info
+
     def write_forward_msg(self, msg: ForwardMsg) -> None:
         """Send a ForwardMsg to the browser."""
         try:
@@ -102,11 +159,13 @@ class BrowserWebSocketHandler(WebSocketHandler, SessionClient):
             is_public_cloud_app = user_obj["isPublicCloudApp"]
         except (KeyError, binascii.Error, json.decoder.JSONDecodeError):
             email = "test@example.com"
-
-        user_info: dict[str, str | None] = {
-            "email": None if is_public_cloud_app else email
+        user_info: dict[str, str | bool | None] = {
+            "email": None if is_public_cloud_app else email,
         }
 
+        if is_public_cloud_app or email == "test@example.com":
+            user_info.pop("email", None)
+
         existing_session_id = None
         try:
             ws_protocols = [
@@ -114,6 +173,13 @@ class BrowserWebSocketHandler(WebSocketHandler, SessionClient):
                 for p in self.request.headers["Sec-Websocket-Protocol"].split(",")
             ]
 
+            raw_cookie_value = self.get_signed_cookie(AUTH_COOKIE_NAME)
+            if is_xsrf_enabled() and raw_cookie_value:
+                csrf_protocol_value = ws_protocols[1]
+
+                if self._validate_xsrf_token(csrf_protocol_value):
+                    user_info.update(self._parse_user_cookie(raw_cookie_value, email))
+
             if len(ws_protocols) >= 3:
                 # See the NOTE in the docstring of the `select_subprotocol` method above
                 # for a detailed explanation of why this is done.
@@ -166,7 +232,7 @@ class BrowserWebSocketHandler(WebSocketHandler, SessionClient):
             _LOGGER.debug("Received the following back message:\n%s", msg)
 
         except Exception as ex:
-            _LOGGER.error(ex)
+            _LOGGER.exception("Error deserializing back message")
             self._runtime.handle_backmsg_deserialization_exception(self._session_id, ex)
             return
 

streamlit/web/server/component_request_handler.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/media_file_handler.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/oauth_authlib_routes.py

@@ -0,0 +1,176 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from __future__ import annotations
+
+import json
+from typing import Any
+from urllib.parse import urlparse
+
+import tornado.web
+
+from streamlit.auth_util import (
+    AuthCache,
+    decode_provider_token,
+    generate_default_provider_section,
+    get_secrets_auth_section,
+)
+from streamlit.errors import StreamlitAuthError
+from streamlit.url_util import make_url_path
+from streamlit.web.server.oidc_mixin import TornadoOAuth, TornadoOAuth2App
+from streamlit.web.server.server_util import AUTH_COOKIE_NAME
+
+auth_cache = AuthCache()
+
+
+def create_oauth_client(provider: str) -> tuple[TornadoOAuth2App, str]:
+    """Create an OAuth client for the given provider based on secrets.toml configuration."""
+    auth_section = get_secrets_auth_section()
+    if auth_section:
+        redirect_uri = auth_section.get("redirect_uri", None)
+        config = auth_section.to_dict()
+    else:
+        config = {}
+        redirect_uri = "/"
+
+    provider_section = config.setdefault(provider, {})
+
+    if not provider_section and provider == "default":
+        provider_section = generate_default_provider_section(auth_section)
+        config["default"] = provider_section
+
+    provider_client_kwargs = provider_section.setdefault("client_kwargs", {})
+    if "scope" not in provider_client_kwargs:
+        provider_client_kwargs["scope"] = "openid email profile"
+    if "prompt" not in provider_client_kwargs:
+        provider_client_kwargs["prompt"] = "select_account"
+
+    oauth = TornadoOAuth(config, cache=auth_cache)
+    oauth.register(provider)
+    return oauth.create_client(provider), redirect_uri
+
+
+class AuthHandlerMixin(tornado.web.RequestHandler):
+    """Mixin for handling auth cookies. Added for compatibility with Tornado < 6.3.0."""
+
+    def initialize(self, base_url: str) -> None:
+        self.base_url = base_url
+
+    def redirect_to_base(self) -> None:
+        self.redirect(make_url_path(self.base_url, "/"))
+
+    def set_auth_cookie(self, user_info: dict[str, Any]) -> None:
+        serialized_cookie_value = json.dumps(user_info)
+        try:
+            # We don't specify Tornado secure flag here because it leads to missing cookie on Safari.
+            # The OIDC flow should work only on secure context anyway (localhost or HTTPS),
+            # so specifying the secure flag here will not add anything in terms of security.
+            self.set_signed_cookie(
+                AUTH_COOKIE_NAME,
+                serialized_cookie_value,
+                httpOnly=True,
+            )
+        except AttributeError:
+            self.set_secure_cookie(
+                AUTH_COOKIE_NAME,
+                serialized_cookie_value,
+                httponly=True,
+            )
+
+    def clear_auth_cookie(self) -> None:
+        self.clear_cookie(AUTH_COOKIE_NAME)
+
+
+class AuthLoginHandler(AuthHandlerMixin, tornado.web.RequestHandler):
+    async def get(self):
+        """Redirect to the OAuth provider login page."""
+        provider = self._parse_provider_token()
+        if provider is None:
+            self.redirect_to_base()
+            return
+
+        client, redirect_uri = create_oauth_client(provider)
+        try:
+            client.authorize_redirect(self, redirect_uri)
+        except Exception as e:
+            self.send_error(400, reason=str(e))
+
+    def _parse_provider_token(self) -> str | None:
+        provider_token = self.get_argument("provider", None)
+        try:
+            if provider_token is None:
+                raise StreamlitAuthError("Missing provider token")
+            payload = decode_provider_token(provider_token)
+        except StreamlitAuthError:
+            return None
+
+        return payload["provider"]
+
+
+class AuthLogoutHandler(AuthHandlerMixin, tornado.web.RequestHandler):
+    def get(self):
+        self.clear_auth_cookie()
+        self.redirect_to_base()
+
+
+class AuthCallbackHandler(AuthHandlerMixin, tornado.web.RequestHandler):
+    async def get(self):
+        provider = self._get_provider_by_state()
+        origin = self._get_origin_from_secrets()
+        if origin is None:
+            self.redirect_to_base()
+            return
+
+        error = self.get_argument("error", None)
+        if error:
+            self.redirect_to_base()
+            return
+
+        if provider is None:
+            self.redirect_to_base()
+            return
+
+        client, _ = create_oauth_client(provider)
+        token = client.authorize_access_token(self)
+        user = token.get("userinfo")
+
+        cookie_value = dict(user, origin=origin, is_logged_in=True)
+        if user:
+            self.set_auth_cookie(cookie_value)
+        self.redirect_to_base()
+
+    def _get_provider_by_state(self) -> str | None:
+        state_code_from_url = self.get_argument("state")
+        current_cache_keys = list(auth_cache.get_dict().keys())
+        state_provider_mapping = {}
+        for key in current_cache_keys:
+            _, _, recorded_provider, code = key.split("_")
+            state_provider_mapping[code] = recorded_provider
+
+        provider: str | None = state_provider_mapping.get(state_code_from_url, None)
+        return provider
+
+    def _get_origin_from_secrets(self) -> str | None:
+        redirect_uri = None
+        auth_section = get_secrets_auth_section()
+        if auth_section:
+            redirect_uri = auth_section.get("redirect_uri", None)
+
+        if not redirect_uri:
+            return None
+
+        redirect_uri_parsed = urlparse(redirect_uri)
+        origin_from_redirect_uri: str = (
+            redirect_uri_parsed.scheme + "://" + redirect_uri_parsed.netloc
+        )
+        return origin_from_redirect_uri