Hey thank you for the package, I'm still trying it out the login works fine, this is maybe related heavily to the package but I have some errors raising due to the use of sqlalchemy session, any help is welcome.

I'm trying to pass extra parameters to def load_user(email: str) like this

@auth_manager.user_loader def load_user(email: str, db: Session): user = actions.user.get_by_email(db=db, email=email) return user

i'm passing an sqlalchemy db session to the load_user function which like as said before, works fine on /auth/token, the token is generated. the error raise when trying to access routes protected by the manager:

fastapi_login/fastapi_login.py", line 140 load_user() missing 1 required positional argument: 'db'

is there a way to make the second parameter optional ?

My program was developed based on fastapi_login==1.6.2

Today, I upgrade fastapi_login to the latest version: 1.7.0. When I login, it raises error.

some of the error code:

2021-09-23 14:58:04 | TypeError: the first argument must be callable
-- | --
  |   | 2021-09-23 14:58:04 | self._user_callback = ordered_partial(callback, *args, **kwargs)
  |   | 2021-09-23 14:58:04 | File "/usr/local/lib/python3.8/site-packages/fastapi_login/fastapi_login.py", line 147, in decorator
  |   | 2021-09-23 14:58:04 | user = load_user(name)

The function user_loader in fastapi_login.py of version 1.6.2 is:

    def user_loader(self, callback: Union[Callable, Awaitable]) -> Union[Callable, Awaitable]:
        self._user_callback = callback
        return callback

However, In the latest version, it becomes to:

def user_loader(self, *args, **kwargs) -> Union[Callable, Awaitable]:
        def decorator(callback: Union[Callable, Awaitable]):
            """
            The actual setter of the load_user callback
            Args:
                callback (Callable or Awaitable): The callback which returns the user
            Returns:
                Partial of the callback with given args and keyword arguments already set
            """
            self._user_callback = ordered_partial(callback, *args, **kwargs)
        return decorator

You add the function ordered_partial here cause my problem. But When I refer to the release note, I did not find any notice for this change, only find a pull request note in #56 . It seems that your code is not backwards compatible. @MushroomMaula

Hi!

I think I have found a bug in the login with cookies. I always got 401 error, so I started to dig down in the script. Finally I have found the problem and the "hotfix" solution. Well: The byte array somewhere will be converted into string so in the cookie the b' * ' identifiers are remamining in the cookie and the jwt parser can not parse the data. For example: Token (cookie):

b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJtbWFyayIsImV4cCI6MTYzMzUzMzU2OH0.NQzZOhaA0hyQBd8gLuLbs7zRaJfbgYLADwLJtPDEUWw'

If I cuted down the first two byte and the last byte the decode works like a charm. Cutted token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJtbWFyayIsImV4cCI6MTYzMzUzMzU2OH0.NQzZOhaA0hyQBd8gLuLbs7zRaJfbgYLADwLJtPDEUWw

Have you experienced this error?

Hey there,

I am getting an error on 1.7.2 when importing from fastapi_login import LoginManager, the result I get is:

  File "/usr/local/lib/python3.7/dist-packages/fastapi_login/utils.py", line 11
    def __call__(self, /, *args, **keywords):
                       ^
SyntaxError: invalid syntax

Not sure if the /, is just a placeholder and has not been updated?

Also, how do I pass on args for the user_loader? In the docs it says:

>>> @manager.user_loader(...)  # Arguments and keyword arguments declared here are passed on
>>> def get_user(user_identifier, ...):
...     # get user logic here

Can you give an example? I am not sure if the below would be correct?

@manager.user_loader(session: Session = Depends(get_session))
def get_user_by_email(email: str, db: session):
    user = db.query(Hero).filter(Hero.email == email).first()
    return user

Regards

Hello, how would I go about enforcing authorization? For example specific roles and permissions. I currently do this by not showing menus but that still leaves the endpoints open if the user knows the URL to enter to access a given page. I would like to enforce this when the request is be sent just like Authentication but this time for specific Authorization. I am not sure where is the best to handle this? I was thinking in the user_loader function and raise an exception if the user is not authorized even though authenticated for a given route/request.

Thanks in advanced!

I implemented SymmetricSecret and AsymmetricSecret, and drop replace it.

New tests all passed, and fully covered.

I am poor in English, so docs remain old.

I was wondering if you had any plans to add refresh token support?

I would like to have a short time which the access token is valid and have the ability to refresh the access token once it expires.

I was also wondering if you've thought about adding cookie support so that cookies would be set by FastAPI in a similar way to how flask-jwt-extended does things: https://flask-jwt-extended.readthedocs.io/en/stable/tokens_in_cookies/

LoginManager only accept single secret parameter in str type, how can it use private key to sign and public key to verify?

It seems only possible solution is using two different instances?

sign_manager = LoginManager(secret=private_key, ...)
verify_manager = LoginManager(secret=public_key, ...)

token = sign_manager.create_access_token(...)
payload = verify_manager._get_payload(token)

Or i am misunderstanding?

As stated, I can login fine, but when I try to protect a route:

TypeError: get_by_email() missing 1 required positional argument: 'email'

My function to retrieve the user:

@classmethod
@manager.user_loader()
async def get_by_email(cls, email) -> 'UserModel':
    return await engine.find_one(cls, cls.email == email)

Login:

@router.post('/login')
async def login(data: OAuth2PasswordRequestForm = Depends()):
    from app.models.user import UserModel

    email = data.username
    password = data.password

    user = await UserModel.get_by_email(email)
    if not user:
        raise InvalidCredentialsException
    elif verify_password(password, user.password):
        raise InvalidCredentialsException

    access_token = manager.create_access_token(
        data={'sub': email}, expires=timedelta(days=365)
    )
    return {'token': access_token}

Protected Route:

@router.post('/user/watcher')
async def create_watcher(watcher: Watcher, user=Depends(manager)):
    await user.add_watcher(**watcher.dict())

What am I missing here?

I'm trying to create a login page using jinja2.

File "./main.py", line 37, in login
  manager.set_cookie(resp,access_token)

AttributeError: 'LoginManager' object has no attribute 'set_cookie'

What should I do?

from fastapi import FastAPI,Depends
from fastapi.responses import RedirectResponse,HTMLResponse
from fastapi.security import OAuth2PasswordRequestForm
from fastapi_login.exceptions import InvalidCredentialsException
from fastapi.templating import Jinja2Templates
from fastapi_login import LoginManager
import os

SECRET = "your-secret-key"
fake_db = {'[email protected]': {'password': 'hunter2'}}
manager = LoginManager(SECRET, tokenUrl='/auth/token')

app = FastAPI()

pth = os.path.dirname(__file__)
templates = Jinja2Templates(directory=os.path.join(pth, "templates"))

@manager.user_loader
def load_user(email: str):  # could also be an asynchronous function
    user = fake_db.get(email)
    return user

@app.post('/auth/token')
def login(data: OAuth2PasswordRequestForm = Depends()):
    email = data.username
    password = data.password

  user = load_user(email)  # we are using the same function to retrieve the user
  if not user:
      raise InvalidCredentialsException  # you can also use your own HTTPException
  elif password != user['password']:
      raise InvalidCredentialsException
  
  access_token = manager.create_access_token(
      data=dict(sub=email)
  )
  
  resp = RedirectResponse(url="/protected")
  manager.set_cookie(resp,access_token)
  return resp
  # return {'access_token': access_token, 'token_type': 'bearer'}

@app.get('/protected')
def protected_route(user=Depends(manager)):
    with open(os.path.join(pth, "templates/protectedpage.html")) as f:
        return HTMLResponse(content=f.read())


@app.get("/",response_class=HTMLResponse)
def loginwithCreds():
    with open(os.path.join(pth, "templates/login.html")) as f:
        return HTMLResponse(content=f.read())

I tried multiple times using this library, but it doesn't seem to work. When I generate the access token, I also do response.set_cookie to save it for the current session. The library correctly retrieves the cookie at the next request, but (I tested it) fastapi.security.utils.get_authorization_scheme_param returns '' as the second parameter of its tuple, which I guess means the provided jwt is invalid, but the access token comes directly from create_access_token! Also, the __call__ method checks if token is not None, but it should actually be if not token, because otherwise weird stuff happens (the custom not authenticated exception is ignored). That's because token equals an empty string, not None

Hi, great package. Is there a way to get the current user without throwing the NotAuthenticatedException. Just get the user or None in my case

Writing a custom auth_exception_handler doesn't cut it for me because it expects a callable to be returned so I can't return None. This might look trivial but in the case where I'm building a web app and my responses class are templates not jsonresponses so returning a jsonresponse also doesn't help because internally fastapi_login just returns that to the browser instead of passing that as a return value from calling get_current_user. What I'm saying in essence is when I call

   ` user = await manager.get_current_user(token=request.cookies.get('token'))`

I should get a value for user from the above, whether that be a user object, None, Jsonresponse. Not currently where I only get a user or nothing else(an exception that I can't control or customize)

Bumps certifi from 2022.9.24 to 2022.12.7.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Hi, if user loader is using sync db connection and the def function, it will run in the main thread and block the main thread from receiving any request. So it the def function should be run in worker thread instead.

Hi,

Thanks for the fastapi_login package.

I have noticed what I think is some odd behavior. I set up the middleware as suggested to populate the request.state.user object. But I noticed that I was not getting the user information even though there was a valid cookie with the token...

So I switched to using user=Depends(auth_manager) on my endpoints that require a login and I have not seen a problem since...

Is this a known problem? Is there anything that I could have messed up in my code that would cause this kind of behavior? Is there some logging debugging I can turn on to provide additional data?

I also go in depth about some things I've found out about JWT's and your fastapi-login module whilst using it, these are some things I wish I knew whilst developping, so I'm putting it here for future reference. 👍