Add opt-in password auth gate#85
Open
dkedar7 wants to merge 2 commits into
Open
Conversation
Fast Dash apps default to no auth — anyone with the URL can use them.
That's fine for local dev but blocks the demo→colleague hop the moment
the URL is shared via a tunnel.
Add an opt-in password gate via a single kwarg:
@fastdash(auth={"alice": "wonderland"})
def greet(name: str = "world") -> str:
return f"Hello, {name}!"
The new fast_dash/auth.py installs /login and /logout routes plus a
before_request gate that redirects unauthenticated visitors. Passwords
are compared in constant time via hmac.compare_digest. Dash's
internal endpoints (/_dash-*) return 401 when unauthenticated to stop
callback state from leaking. Sessions sign with FASTDASH_SECRET_KEY
when set, otherwise a per-process random key.
Two configuration shapes:
- dict {"username": "password"} for the simple case
- callable (username, password) -> bool for custom verification
against a hashed store
current_user() is exposed from the package root so callbacks can read
the signed-in username.
Tests cover 17 scenarios across five classes: disabled auth, dict
auth (login/logout/redirects/_dash-* blocking), callable verifier,
input validation, and current_user binding inside a request. Full
suite: 173 passing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The auth gate had /logout wired but no UI affordance — users had to type /logout into the URL bar. Add a "Sign out" button to the right side of the dmc header (just before the dark-mode toggle) that links to /logout. Rendered conditionally based on app._auth_config so the button is absent for apps without auth. Wrapped in html.A because dmc.Button doesn't support href directly. Three new tests cover: button present when auth is on, absent when auth is off, and the href points to /logout. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Owner
Author
|
Keeping this open as an active TODO. It's currently conflicting with Not merging or reworking the auth logic itself without a fresh requirements pass — auth is security-sensitive and the surface has drifted a lot since May. Flagging here so it's not silently stale. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a single-kwarg password gate so Fast Dash apps shared via a tunnel aren't open to the public internet.
{username: password}dict, or a callable(username, password) -> boolfor custom verification (hashed stores, etc.)./login+/logoutroutes;before_requestmiddleware redirects unauthenticated visitors and blocks/\_dash-*so callback state can't leak.hmac.compare_digest).FASTDASH_SECRET_KEYenv var for restart-stable sessions; random per-process key otherwise.current_user()re-exported from the package root for callbacks to read the signed-in username.This is the smallest possible auth surface — covers the "share with a colleague behind a tunnel" case. OIDC (Google/GitHub/Microsoft) is a follow-up.
Test plan
tests/test_auth.pyacross 5 classes (disabled, dict auth, callable, validation, current_user)_dash-layoutreturns 401 when unauthenticated (callback state isolation)auth=..., confirm login flow in browser🤖 Generated with Claude Code