Since authorizations and authentications are a very important part of almost every application, Emmett includes an useful module to deal with them. With a few lines of code, you will be able to create any required database tables and generate forms for access control in your application.
So, how do you use it? Let's find out with an example:
from emmett import App
from emmett.orm import Database
from emmett.tools.auth import Auth, AuthUser
from emmett.sessions import SessionManager
app = App(__name__)
app.config.db.uri = "sqlite://storage.sqlite"
app.config.auth.hmac_key = "mysupersecretkey"
app.config.auth.single_template = True
class User(AuthUser):
pass
db = Database(app)
auth = Auth(app, db, user_model=User)
app.pipeline = [
SessionManager.cookies('myverysecretkey'),
db.pipe,
auth.pipe
]
auth_routes = auth.module(__name__)
That's it.
Write a template page for the auth module (that should be placed in templates/auth/auth.html) to render the form variable returned by the module, and open http://127.0.0.1:8000/auth/login in your browser. Emmett should show you a login page with the appropriate form.
Note: Emmett's
Authmodule requires session handling and aDatabaseinstance activated on your application in order to work properly.
As you've figured out, the auth_routes module will be responsible for
your app's authorization flow. With the default settings, the Auth module
of Emmett exposes the following:
and it creates all the necessary database tables, from users to groups and memberships.
You can obviously change the routing URL prefix (default set to auth) as any other application module:
auth_routes = auth.module(__name__, url_prefix='account')
Changed in version 1.0
The auth module have quite a few options that can be configured. We already saw the hmac_key parameter, which is used to crypt passwords in the database, or the single_template option we used in the bloggy example and above.
Here is the complete list of parameters that you can change:
| parameter | default value | description |
|---|---|---|
| hmac_key | None |
the key (required) that will be used to crypt users' passwords |
| hmac_alg | pbkdf2(2000,20,sha512) | the algorithm that will be used to crypt users' password |
| inject_pipe | False |
configure the module to automatically inject its pipe on the application |
| log_events | True |
store in the module events table events regarding auth |
| flash_messages | True |
use the Emmett flashing system to display messages |
| csrf | True |
use CSRF protection logic on forms |
| single_template | False |
decide if every route exposed by the module should use a single template |
| password_min_length | 6 | minimum length for users password |
| remember_option | True |
add a remember me checkbox in login form to have long-living sessions |
| session_expiration | 3600 | inactivity time (seconds) after which the session will expire |
| session_long_expiration | 3600 * 24 * 30 | inactivity time (seconds) after which a long living session will expire |
| registration_verification | True |
decide if the user's email should be validated on registration |
| registration_approval | False |
decide if registered users should be approved manually |
As an example, if you leave the single_template option set to True, you have to write one template for every routed function of the module that we saw above.
Warning: if you change the
hmac_keyand/orhmac_algafterwards, the users registered to your application won't be able to login unless they reset their passwords.
Note: the
registration_verificationoption requires a mailer is configured on the application in order to work properly.
The auth module is also pre-configured with quite a few standard messages that will be used by the system for a wide case of scenarios, from labels to error messages. You can inspect all the messages you can customize printing the dictionary in the standard configuration of the module under the messages key:
>>> auth.ext.config.messages
and you can obviously configure them with the application configuration:
from emmett import T
app.config.auth.messages.profile_button = T("Update profile")
You may want to disable some actions exposed by the authorization module.
Let's say you don't want the password_retrieval functionality. To do that, just edit your application configuration:
app.config.auth.disabled_routes = ["password_retrieval"]
New in version 1.1
You may want to change the default url paths for the auth module routes. You just have to change the value of the routes_paths dictionary in the configuration:
app.config.auth.routes_paths = {
'login': '/signin',
'logout': '/signout',
'registration': '/signup'}
The auth module has an after callback for every route exposed by the module. This is useful, for example, if you want to change the default redirects after a certain action has occurred. In fact, under the default behaviour, the user will be redirected to its own profile after the login, while you may want to redirect him/her to a dashboard route you defined:
from emmett import url, redirect
@auth_routes.after_login
def after_login(form):
redirect(url('dashboard'))
Here is the complete list of available callbacks, with the parameters passed to them:
| callback | parameters |
|---|---|
| after_login | form |
| after_logout | |
| after_registration | form, user, logged_in |
| after_profile | form |
| after_email_verification | user |
| after_password_retrieval | user |
| after_password_reset | user |
| after_password_change |
where form is the form the user has filled in. The user parameter is present on the routes that don't have a user logged into the system, while the logged_in parameter tells you if the user was logged into the system after the registration.
You can also define custom actions to be routed by the auth module. Let's say you want to route a method for the facebook authentication on the /account/facebook path:
@auth_routes.route("/facebook")
def facebook_auth():
# some code
The auth module is pre-configured to send two different mails:
You can customize these mails using the appropriate decorators:
@auth.registration_mail@auth.reset_password_mailFor example, you may want to customize the registration email like this:
@auth.registration_mail
def registration_mail(user, data):
subject = "Welcome to Massive Dynamic!"
body = (
"Hi, welcome to Massive Dynamic. "
"Please let Nina know you're from this universe and "
"click on the link %(link)s to verify your email.")
mailer.send_mail(
recipients=user.email, subject=subject, body=body % data)
The functions you decorate with both decorators should accept the user and data parameters. The data parameter is a dictionary and will contains just the link item.
Note: in order to use mail features you need a mailer configured with your application.
Changed in 1.0
One of the strengths of the authorization module is that it is simple to introduce access controls to your application. Let's say that you need to allow access to a specific zone to only users who are logged in. With Emmett, you can do that with one line of code:
from emmett.tools import requires
@app.route()
@requires(auth.is_logged, url('unauthorized_page'))
async def my_protected_page():
#some code
As you probably figured out, the requires helper will determine if the condition
in the first parameter passed as and if that is not so, Emmett will redirect
the client to the URL in the second parameter.
You can also pass a function to be invoked as with the second parameter, for example:
def not_auth():
abort(403)
@app.route()
@requires(lambda: auth.has_membership('admins'), not_auth)
async def admin():
# code
returns an HTTP 403 error.
Note: when you need to evaluate the condition during the request, you should use a
lambdafunction if the first argument passed torequiresis not a callable.
Sometimes you may need to return specific contents on missing authorization. In that case, you can write:
from emmett.tools import service
def not_authorized():
return dict(error="Not authorized")
@app.route()
@requires(auth.is_logged, not_authorized)
@service.json
async def protected():
return dict(data="Some data here")
so the client will also receive a JSON object on an authorization error.
– OK, dude. What if I want to protect an entire application module with access control?
You can use the RequirePipe instead of decorating any function
of your module:
from emmett.pipeline import RequirePipe
mymodule = app.module(__name__, "mymodule")
mymodule.pipeline = [RequirePipe(some_condition, otherwise)]
If you go this route, just remember to not add access control to your exposed function, otherwise your user won't be able to login.
Changed in version 1.0
The Auth module defines five models (and the five related database tables)
under default behavior:
AuthUserAuthGroupAuthMembershipAuthPermissionAuthEventNow, you can customize the models by creating subclasses, and the thing you'll want to model most often is probably going to be a user. As we saw from the previous example, your base class will be AuthUser and from there you can add your fields, like an avatar.
You could define your User model like so:
from emmett.orm import Field
from emmett.tools.auth import AuthUser
class User(AuthUser):
avatar = Field.upload(uploadfolder="uploads")
form_profile_rw = {
"avatar": True
}
and pass it to the Auth instance:
from emmett.tools import Auth
auth = Auth(app, db, user_model=User)
As you can see, defining your user model by subclassing AuthUser is essentially the same as subclassing Model, but there are some differences.
Firstly, the fields you define will be the additional fields you will want to add to the user table. Secondly, you'll use form_profile_rw and form_registration_rw, instead of the fields_rw attribute, to treat the field differently for accesses during user registration and during user edits after registration. The default visibility is set to False for any extra fields you define, so the above example allows the client to upload an avatar for their account only with the profile function, not during the registration.
The default fields included in the AuthUser model are:
plus some other columns need by the system and hidden to the users.
If you don't want to have the first_name and last_name fields inside your
user model (they are set to be not-null), you can subclass the AuthUserBasic
model instead, available under emmett.tools.auth.models, which doesn't include them.
Before seeing how to customize the remaining auth models, let's see which relations are available as default.
The default Auth configuration gives you the ability to use these has_many
relations on the AuthUser model (and any model subclassing it):
user = db.AuthUser(id=1)
# referring membership records
user.auth_memberships()
# referring group records
user.auth_groups()
# referring permission records
user.auth_permissions()
# referring event records
user.auth_events()
The AuthGroup model has these has_many relations:
group = db.AuthGroup(id=1)
# referring user records
group.users()
# referring permission records
group.auth_permissions()
Consequentially, AuthMembership, AuthPermission and AuthEvent have the
inverse belongs_to relations:
membership = db.AuthMembership(id=1)
# referred user record
membership.user
# referred group record
membership.auth_group
permission = db.AuthPermission(id=1)
# referred group record
permission.auth_group
event = db.AuthEvent(id=1)
# referred user record
event.user
section in development
Thanks to the models and relations defined by the Auth module, you can manage
the users in your application easily. Let's say you want to add a group of
administrators:
admins = auth.create_group('administrators')
then you can add users to the administrators' group easily:
admin = db.User(id=42)
# 1st way:
auth.add_membership(admins, admin)
# 2nd way:
auth.add_membership('administrators', admin)
# 3rd way:
admins.users.add(admin)
# 4th way:
admin.auth_groups.add(admins)
Once you have added groups and memberships, you can use the has_membership helper
of the Auth model that we saw previously, in the requires paragraph:
# on the logged user:
auth.has_membership('administrators')
# specifying a user:
auth.has_membership('administrators', user)
and you can obviously get all the groups a user is a member of by using relation:
user.auth_groups()
Nonetheless, Emmett's Auth module also have a finer management for users,
considering permissions:
auth.add_permission(admins, 'ban_users')
As you saw in the example, this allows you to bind specific permissions to groups, and then checks for them both on groups and users:
# on the logged user:
auth.has_permission('ban_users')
# on specific user:
auth.has_permission('ban_users', user=admin)
# on specific group:
auth.has_permission('ban_users', group=admins)
Emmett's Auth permissions also support more details, like a model name and a record:
maintenance = db.Preference(name='maintenance').first()
auth.add_permission(admins, 'write', 'Preference', maintenance.id)
# then you will check
auth.has_permission('write', 'Preference', maintenance.id)
New in version 0.6
Sometimes you need to lock user operations on your application. The auth module has 2 different locking statuses for this:
You can change an user status in two different ways. The first is directly with
your Auth instance:
auth.disable_user(user)
auth.block_user(user)
auth.allow_user(user)
where the only accepted parameters are an user row (including the id) or just the id of the user involved.
You can also change the user status directly on a user you've selected from the database:
user = User.first()
user.disable()
user.block()
user.allow()
The allow methods will simply reset any blocking status on the users.
section in development