
Shared Cognito authentication library for FastAPI + Jinja2 web apps

Project description


daylily-cognito

daylily-cognito is the shared Cognito/auth library and operational CLI for the stack. It gives service repos a common way to model pool/app context, build FastAPI auth helpers, and manage Cognito pools, clients, users, groups, and optional Google IdP configuration without each repo inventing its own wrapper.

daylily-cognito owns:

  • reusable Cognito configuration objects
  • shared auth helpers for FastAPI integrations
  • shared Hosted UI browser-session helpers for cookie-backed web login
  • the daycog operational CLI for pool/app/user/group flows
  • Google IdP support and context/config synchronization

daylily-cognito does not own:

  • a product’s session UI or page composition
  • product-specific RBAC semantics
  • non-Cognito identity providers beyond its supported helpers

Component View

flowchart LR
    Apps["FastAPI apps"] --> Lib["daylily-cognito library"]
    Operators["daycog CLI"] --> Lib
    Lib --> Cognito["AWS Cognito"]
    Lib --> Google["optional Google OAuth IdP"]

Prerequisites

  • Python 3.9+
  • AWS credentials/profile for any live Cognito management
  • optional auth extra for JWT verification support
  • optional Google OAuth client JSON for Google IdP flows

Getting Started

Quickstart: Local Library Use

pip install -e ".[auth]"

from daylily_cognito import CognitoConfig, CognitoAuth

config = CognitoConfig(
    name="myapp",
    region="us-west-2",
    user_pool_id="us-west-2_XXXXXXXXX",
    app_client_id="XXXXXXXXXXXXXXXXXXXXXXXXXX",
)
config.validate()

auth = CognitoAuth(
    region=config.region,
    user_pool_id=config.user_pool_id,
    app_client_id=config.app_client_id,
)

Quickstart: Hosted UI Browser Sessions

from typing import Optional
from urllib.parse import quote

from fastapi import APIRouter, FastAPI, HTTPException, Request
from fastapi.responses import RedirectResponse

from daylily_cognito import (
    CognitoWebAuthError,
    CognitoWebSessionConfig,
    SessionPrincipal,
    complete_cognito_callback,
    configure_session_middleware,
    load_session_principal,
    start_cognito_login,
)

app = FastAPI()
router = APIRouter()

web_config = CognitoWebSessionConfig(
    domain="myapp.auth.us-west-2.amazoncognito.com",
    client_id="client-id",
    redirect_uri="https://localhost:8912/auth/callback",
    logout_uri="https://localhost:8912/auth/logout",
    public_base_url="https://localhost:8912",
    session_secret_key="change-me",  # placeholder: load a long random value from your secret store
    session_cookie_name="myapp_session",
    server_instance_id="server-instance-1",
)

configure_session_middleware(app, web_config)

@router.get("/auth/login")
async def auth_login(request: Request):
    return start_cognito_login(request, web_config, request.query_params.get("next"))

@router.get("/auth/callback")
async def auth_callback(request: Request, code: Optional[str] = None, state: Optional[str] = None):
    async def resolve_principal(tokens: dict, request: Request) -> SessionPrincipal:
        # verify_claims_somehow stands for app-supplied verification: check the token
        # signature against the pool's JWKS plus iss, aud, token_use and exp before
        # trusting sub, email or cognito:groups.
        claims = verify_claims_somehow(tokens)
        return SessionPrincipal(
            user_sub=claims["sub"],
            email=claims["email"],
            roles=["reader"],
            cognito_groups=claims.get("cognito:groups", []),
            app_context={"tenant_id": claims.get("custom:tenant_id")},
        )

    try:
        return await complete_cognito_callback(request, web_config, code, state, resolve_principal)
    except CognitoWebAuthError as exc:
        # URL-encode the reason so it cannot smuggle extra query parameters into the redirect
        return RedirectResponse(f"/auth/error?reason={quote(str(exc.reason))}", status_code=302)

@router.get("/me")
async def me(request: Request):
    principal = load_session_principal(request)
    if principal is None:
        raise HTTPException(status_code=401)
    return principal

app.include_router(router)

The browser-session contract enforces:

  • explicit service-specific cookie names
  • SameSite=Lax
  • https_only derived from the public base URL
  • strict OAuth state validation
  • normalized session principals without raw OAuth tokens
  • restart invalidation through server_instance_id

Quickstart: Hosted UI Browser Sessions (single-file app)

from fastapi import FastAPI, Request
from daylily_cognito import (
    CognitoWebSessionConfig,
    SessionPrincipal,
    complete_cognito_callback,
    configure_session_middleware,
    load_session_principal,
    start_cognito_login,
)

app = FastAPI()
web_config = CognitoWebSessionConfig(
    domain="example.auth.us-west-2.amazoncognito.com",
    client_id="client-id",
    redirect_uri="https://localhost:8912/auth/callback",
    logout_uri="https://localhost:8912/auth/logout",
    public_base_url="https://localhost:8912",
    session_cookie_name="example_session",
    session_secret_key="replace-me",  # placeholder: a long random secret from your secret store
    server_instance_id="server-instance-id",
)
configure_session_middleware(app, web_config)

@app.get("/auth/login")
async def auth_login(request: Request, next: str = "/"):
    return start_cognito_login(request, web_config, next)

@app.get("/auth/callback")
async def auth_callback(request: Request, code: str = "", state: str = ""):
    async def resolve_principal(tokens: dict, request: Request) -> SessionPrincipal:
        # Stand-in for the demo: a real resolver derives every field below from the
        # verified claims in `tokens`, never from constants.
        del request
        return SessionPrincipal(
            user_sub="user-sub",
            email="user@example.com",
            roles=["USER"],
            app_context={"tenant_id": "tenant-1"},
        )

    return await complete_cognito_callback(request, web_config, code, state, resolve_principal)

@app.get("/me")
async def me(request: Request):
    principal = load_session_principal(request)
    return {"principal": principal.to_session_dict() if principal else None}

Shared browser-session helpers enforce:

  • explicit, non-default cookie names
  • SameSite=Lax
  • secure cookies whenever the public base URL is HTTPS
  • strict OAuth state validation
  • normalized session principals without raw OAuth tokens
  • session invalidation when the server instance changes
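Both Hosted UI quickstarts leave open how resolve_principal turns `tokens` into claims it can trust (verify_claims_somehow in the first, constants in the second). The block below is an added example, not code from daylily-cognito or its auth extra, showing the checks that step has to make before sub, email or cognito:groups are copied into a SessionPrincipal: RS256 signature against the key the token's kid selects from the pool's JWKS, then iss, token_use, the audience (aud on ID tokens, client_id on access tokens) and exp. It uses only the standard library. The RSA key pair, the JWKS document, the pool id us-west-2_EXAMPLE, the client id example-client-id and every token are constructed for the offline demo; a real deployment fetches the JWKS from https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json and caches it.

```python
# Added example, not daylily-cognito code: the checks behind verify_claims_somehow (stdlib only; key, JWKS, ids and tokens constructed).
import base64, hashlib, hmac, json, random, time
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sec. 9.2, note 1

class TokenError(Exception): pass

def _b64u(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64u_decode(text: str) -> bytes: return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _require(ok: bool, why: str) -> None:  # log `why` server-side; do not echo it to the browser
    if not ok:
        raise TokenError(why)

def _is_probable_prime(n: int, rounds: int = 16) -> bool:  # Miller-Rabin, fine for a throwaway demo key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_test_keypair(bits: int = 512) -> tuple:  # constructed (n, e, d); real pools publish keys via their JWKS URL
    primes = (c for c in iter(lambda: random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1, None) if _is_probable_prime(c))
    e = 65537
    while True:
        p, q = next(primes), next(primes)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _rsa_verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big") if len(signature) == k else b""
    return hmac.compare_digest(recovered, _emsa_pkcs1_v15(message, k))

def sign_rs256(header: dict, claims: dict, n: int, d: int) -> str:  # issuer side; only mints demo tokens here
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + _b64u(pow(m, d, n).to_bytes(k, "big"))

def verify_cognito_jwt(token: str, jwks: dict, region: str, user_pool_id: str,
                       app_client_id: str, token_use: str = "id", now: float = None) -> dict:
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header, claims = dict(json.loads(_b64u_decode(header_b64))), dict(json.loads(_b64u_decode(claims_b64)))
        signature = _b64u_decode(sig_b64)
    except (ValueError, TypeError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token") from exc
    _require(header.get("alg") == "RS256", "unexpected alg")  # refuse alg=none / HS256 before any key lookup
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    _require(key is not None, "unknown kid")
    n, e = (int.from_bytes(_b64u_decode(key[f]), "big") for f in ("n", "e"))
    _require(_rsa_verify(n, e, f"{header_b64}.{claims_b64}".encode(), signature), "bad signature")
    # Claims are consulted only once the signature holds.
    _require(claims.get("iss") == f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}", "wrong issuer")
    _require(claims.get("token_use") == token_use, "wrong token_use")
    _require(claims.get("aud" if token_use == "id" else "client_id") == app_client_id, "wrong audience")
    exp = claims.get("exp")
    _require(isinstance(exp, (int, float)) and exp > (time.time() if now is None else now), "expired")
    return claims

def demo() -> dict:
    region, pool, client = "us-west-2", "us-west-2_EXAMPLE", "example-client-id"  # constructed identifiers
    n, e, d = make_test_keypair()
    jwks = {"keys": [{"kid": "demo-kid", "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": _b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")), "e": _b64u(e.to_bytes(3, "big"))}]}
    header, now = {"alg": "RS256", "kid": "demo-kid"}, 1_700_000_000
    good = {"sub": "user-sub", "email": "user@example.com", "cognito:groups": ["readers"], "token_use": "id",
            "iss": f"https://cognito-idp.{region}.amazonaws.com/{pool}", "aud": client, "exp": now + 3600}
    def accepted(token: str) -> bool:
        try:
            return bool(verify_cognito_jwt(token, jwks, region, pool, client, now=now))
        except TokenError:
            return False
    h, c, s = sign_rs256(header, good, n, d).split(".")
    forged = _b64u(json.dumps({**good, "cognito:groups": ["admins"]}).encode())  # payload edited, signature kept
    return {
        "valid": accepted(f"{h}.{c}.{s}"),
        "tampered_groups": accepted(f"{h}.{forged}.{s}"),
        "alg_none": accepted(_b64u(b'{"alg":"none","kid":"demo-kid"}') + f".{c}."),
        "other_pool": accepted(sign_rs256(header, {**good, "iss": good["iss"] + "-other"}, n, d)),
        "access_as_id": accepted(sign_rs256(header, {**good, "token_use": "access", "client_id": client}, n, d)),
        "expired": accepted(sign_rs256(header, {**good, "exp": now - 1}, n, d)),
    }
```

demo() reports which of six constructed tokens the verifier accepts: only the untouched one. A payload edited to claim the admins group under the original signature, an alg=none token, a token minted for another pool, an access token presented where an ID token is expected, and an expired token are all refused. The order is the point: alg is pinned and the signature checked before any claim is read, so nothing in an unverified payload can steer the outcome. In production hand the RSA primitive to a maintained JWT library or the auth extra mentioned under Prerequisites; keep the list of checks and their order.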

Quickstart: CLI Workflow

source ./activate
daycog --help
daycog status

Creating or mutating pools, apps, or users is a live AWS operation. Treat daycog setup, add-app, delete-pool, and similar commands as stateful actions.

Architecture

Technology

  • Python library for Cognito config/auth helpers
  • Typer-based daycog CLI
  • optional JWT verification helpers
  • optional Google IdP integration

Core Model

The repo revolves around:

  • Cognito config contexts
  • user pools
  • app clients
  • users and groups
  • environment-variable and config-file loading patterns
  • optional Google OAuth IdP wiring

Runtime Shape

  • library package: daylily_cognito
  • CLI entrypoint: daycog
  • common workflows: context/config inspection, pool/app creation, app management, user/group operations, Google IdP setup

Cost Estimates

Approximate only.

  • Local-only development with mocked or existing config: near-zero direct cost.
  • Live AWS use depends on Cognito usage (MAU, custom domains) and on any external IdP configuration; dev/test tends to be modest compared with a full application environment.

Development Notes

  • Canonical local entry path: source ./activate
  • Use daycog ... as the primary operational interface
  • Prefer config contexts or namespaced environment variables over ad hoc per-app auth glue

Useful checks:

source ./activate
daycog --help
pytest -q

Sandboxing

  • Safe: docs work, code reading, tests, config inspection, daycog --help, and local config-file work
  • Requires extra care: any command that creates, edits, or deletes Cognito pools, apps, users, groups, or domains

Project details

Download files

Source Distribution

daylily_cognito-0.4.0.tar.gz (81.7 kB)

  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

Hashes for daylily_cognito-0.4.0.tar.gz
Algorithm Hash digest
SHA256 1772a19926dee7e9fee254677d8e0d49d373a071166bfd577de1c20add23f695
MD5 52ec70ca2544e09c8c6e391bc8203247
BLAKE2b-256 34ee1c0e1a92709990c2e1acd0868d48848f2fd48bdfd020352baec51cf50279

Built Distribution

daylily_cognito-0.4.0-py3-none-any.whl (51.1 kB)

  • Tags: Python 3

Hashes for daylily_cognito-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6bc27622b322fbf22d04f57b58e198270da1d058d0d6767ea899b56b917f1075
MD5 13f92189e09ea200f44c22891d51df70
BLAKE2b-256 5985e65318ced2e73e0f3b366d012527017e73d10b0a58ccfd556db5a1f72ceb
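The sdist metadata above records that this release was not uploaded with Trusted Publishing, so there is no publisher attestation to fall back on; pinning the published digests is the practical control. The block below is an added example, not project code, that turns the two SHA256 values from this page into a hash-pinned requirement for `pip install --require-hashes -r requirements.txt` and checks a downloaded artifact against the pin. The file it checks is a constructed placeholder written to a temporary directory, not the real sdist, so the published-digest comparison is expected to fail for it.

```python
# Added example, not daylily-cognito code: hash-pin the 0.4.0 artifacts listed on this page.
import hashlib
import hmac
import os
import tempfile

# SHA256 digests copied from the file-hash tables on this page.
DAYLILY_COGNITO_0_4_0_SHA256 = {
    "daylily_cognito-0.4.0.tar.gz": "1772a19926dee7e9fee254677d8e0d49d373a071166bfd577de1c20add23f695",
    "daylily_cognito-0.4.0-py3-none-any.whl": "6bc27622b322fbf22d04f57b58e198270da1d058d0d6767ea899b56b917f1075",
}

PLACEHOLDER = b"constructed placeholder, not the real sdist\n"  # stands in for a downloaded file


def requirements_line(name: str, version: str, sha256_by_file: dict) -> str:
    """One pinned requirement listing every acceptable sha256, so pip may choose the sdist or the wheel."""
    hashes = " ".join(f"--hash=sha256:{digest}" for digest in sorted(sha256_by_file.values()))
    return f"{name}=={version} {hashes}"


def sha256_of_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def artifact_matches(path: str, expected_sha256: str) -> bool:
    """Compare against the pinned sha256 only; the MD5 on the page is informational, not a control."""
    return hmac.compare_digest(sha256_of_file(path), expected_sha256.lower())


def demo() -> dict:
    """Write the placeholder under the sdist's filename and test it against its own and the published digest."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "daylily_cognito-0.4.0.tar.gz")
        with open(path, "wb") as fh:
            fh.write(PLACEHOLDER)
        return {
            "matches_own_digest": artifact_matches(path, hashlib.sha256(PLACEHOLDER).hexdigest()),
            "matches_published_digest": artifact_matches(path, DAYLILY_COGNITO_0_4_0_SHA256[os.path.basename(path)]),
        }
```

requirements_line("daylily-cognito", "0.4.0", DAYLILY_COGNITO_0_4_0_SHA256) yields the line to put in requirements.txt; with --require-hashes, pip then refuses any daylily-cognito file whose digest is not one of the two listed, and every other dependency in the file must be pinned the same way.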
