Merge pull request #143 from michaels0m/master

Adding user defined authentication function as parameter

Author: alexcjohnson

CHANGELOG.md

@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 ### Changed
 - Uses flask `before_request` to protect all endpoints rather than protecting routes present at instantiation time
+- Allows user to use user-defined authorization python function instead of a dictionary/list of usernames and passwords
 
 ## [2.0.0] - 2023-03-10
 ### Removed

README.md

@@ -41,3 +41,20 @@ USER_PWD = {
 }
 BasicAuth(app, USER_PWD)
 ```
+
+One can also use an authorization python function instead of a dictionary/list of usernames and passwords:
+
+```python
+from dash import Dash
+from dash_auth import BasicAuth
+
+def authorization_function(username, password):
+    if (username == "hello") and (password == "world"):
+        return True
+    else:
+        return False
+
+
+app = Dash(__name__)
+BasicAuth(app, auth_func = authorization_function)
+```

dash_auth/basic_auth.py

@@ -1,5 +1,5 @@
 import base64
-from typing import Union
+from typing import Union, Callable
 import flask
 from dash import Dash
 
@@ -10,20 +10,35 @@ class BasicAuth(Auth):
     def __init__(
         self,
         app: Dash,
-        username_password_list: Union[list, dict],
+        username_password_list: Union[list, dict] = None,
+        auth_func: Callable = None
     ):
         """Add basic authentication to Dash.
 
         :param app: Dash app
         :param username_password_list: username:password list, either as a
             list of tuples or a dict
+        :param auth_func: python function accepting two string
+            arguments (username, password) and returning a
+            boolean (True if the user has access otherwise False).
         """
         Auth.__init__(self, app)
-        self._users = (
-            username_password_list
-            if isinstance(username_password_list, dict)
-            else {k: v for k, v in username_password_list}
-        )
+        self._auth_func = auth_func
+        if self._auth_func is not None:
+            if username_password_list is not None:
+                raise ValueError("BasicAuth can only use authorization "
+                                 "function (auth_func kwarg) or "
+                                 "username_password_list, it cannot use both.")
+        else:
+            if username_password_list is None:
+                raise ValueError("BasicAuth requires username/password map "
+                                 "or user-defined authorization function.")
+            else:
+                self._users = (
+                    username_password_list
+                    if isinstance(username_password_list, dict)
+                    else {k: v for k, v in username_password_list}
+                )
 
     def is_authorized(self):
         header = flask.request.headers.get('Authorization', None)
@@ -32,7 +47,14 @@ def is_authorized(self):
         username_password = base64.b64decode(header.split('Basic ')[1])
         username_password_utf8 = username_password.decode('utf-8')
         username, password = username_password_utf8.split(':', 1)
-        return self._users.get(username) == password
+        if self._auth_func is not None:
+            try:
+                return self._auth_func(username, password)
+            except Exception as e:
+                print(e)
+                return False
+        else:
+            return self._users.get(username) == password
 
     def login_request(self):
         return flask.Response(

dev-requirements.txt

@@ -2,3 +2,4 @@ dash[testing]>=2
 requests[security]
 flake8
 flask
+pytest

tests/test_basic_auth_integration_auth_func.py

@@ -0,0 +1,91 @@
+from dash import Dash, Input, Output, dcc, html
+import requests
+import pytest
+
+from dash_auth import basic_auth
+
+TEST_USERS = {
+    "valid": [
+        ["hello", "world"],
+        ["hello2", "wo:rld"]
+    ],
+    "invalid": [
+        ["hello", "password"]
+    ],
+}
+
+
+# Test using auth_func instead of TEST_USERS directly
+def auth_function(username, password):
+    if [username, password] in TEST_USERS["valid"]:
+        return True
+    else:
+        return False
+
+
+def test_ba002_basic_auth_login_flow(dash_br, dash_thread_server):
+    app = Dash(__name__)
+    app.layout = html.Div([
+        dcc.Input(id="input", value="initial value"),
+        html.Div(id="output")
+    ])
+
+    @app.callback(Output("output", "children"), Input("input", "value"))
+    def update_output(new_value):
+        return new_value
+
+    basic_auth.BasicAuth(app, auth_func=auth_function)
+
+    dash_thread_server(app)
+    base_url = dash_thread_server.url
+
+    def test_failed_views(url):
+        assert requests.get(url).status_code == 401
+        assert requests.get(url.strip("/") + "/_dash-layout").status_code == 401
+
+    test_failed_views(base_url)
+
+    for user, password in TEST_USERS["invalid"]:
+        test_failed_views(base_url.replace("//", f"//{user}:{password}@"))
+
+    # Test login for each user:
+    for user, password in TEST_USERS["valid"]:
+        # login using the URL instead of the alert popup
+        # selenium has no way of accessing the alert popup
+        dash_br.driver.get(base_url.replace("//", f"//{user}:{password}@"))
+
+        # the username:password@host url doesn"t work right now for dash
+        # routes, but it saves the credentials as part of the browser.
+        # visiting the page again will use the saved credentials
+        dash_br.driver.get(base_url)
+        dash_br.wait_for_text_to_equal("#output", "initial value")
+
+
+# Test incorrect initialization of BasicAuth
+def both_dict_and_func(dash_br, dash_thread_server):
+    app = Dash(__name__)
+    app.layout = html.Div([
+        dcc.Input(id="input", value="initial value"),
+        html.Div(id="output")
+    ])
+
+    basic_auth.BasicAuth(app, TEST_USERS["valid"], auth_func=auth_function)
+    return True
+
+
+def both_no_auth_func_or_dict(dash_br, dash_thread_server):
+    app = Dash(__name__)
+    app.layout = html.Div([
+        dcc.Input(id="input", value="initial value"),
+        html.Div(id="output")
+    ])
+    basic_auth.BasicAuth(app)
+    return True
+
+
+def test_ba003_basic_auth_login_flow(dash_br, dash_thread_server):
+    with pytest.raises(ValueError):
+        both_dict_and_func(dash_br, dash_thread_server)
+    with pytest.raises(ValueError):
+        both_no_auth_func_or_dict(dash_br, dash_thread_server)
+    return

usage.py

@@ -6,12 +6,24 @@
     'hello': 'world'
 }
 
+
+# Authorization function defined by developer
+# (can be used instead of VALID_USERNAME_PASSWORD_PAIRS [Example 2 below])
+def authorization_function(username, password):
+    if (username == "hello") and (password == "world"):
+        return True
+    else:
+        return False
+
+
 external_stylesheets = ['https://codepen.io/chriddyp/pen/bWLwgP.css']
 app = Dash(__name__, external_stylesheets=external_stylesheets)
-auth = dash_auth.BasicAuth(
-    app,
-    VALID_USERNAME_PASSWORD_PAIRS
-)
+
+# Example 1 (using username/password map)
+auth = dash_auth.BasicAuth(app, VALID_USERNAME_PASSWORD_PAIRS)
+
+# Example 2 (using authorization function)
+# auth = dash_auth.BasicAuth(app, auth_func=authorization_function)
 
 app.layout = html.Div([
     html.H1('Welcome to the app'),