Shared Cognito authentication library for FastAPI + Jinja2 web apps

daylily-cognito

daylily-cognito is the shared Cognito/auth library and operational CLI for the stack. It gives service repos a common way to model pool/app context, build FastAPI auth helpers, and manage Cognito pools, clients, users, groups, and optional Google IdP configuration without each repo inventing its own wrapper.

daylily-cognito owns:

  • reusable Cognito configuration objects
  • shared auth helpers for FastAPI integrations
  • shared Hosted UI browser-session helpers for cookie-backed web login
  • the daycog operational CLI for pool/app/user/group flows
  • Google IdP support and context/config synchronization

daylily-cognito does not own:

  • a product’s session UI or page composition
  • product-specific RBAC semantics
  • non-Cognito identity providers beyond its supported helpers

Component View

flowchart LR
    Apps["FastAPI apps"] --> Lib["daylily-cognito library"]
    Operators["daycog CLI"] --> Lib
    Lib --> Cognito["AWS Cognito"]
    Lib --> Google["optional Google OAuth IdP"]

Prerequisites

  • Python 3.9+
  • AWS credentials/profile for any live Cognito management
  • optional auth extra for JWT verification support
  • optional Google OAuth client JSON for Google IdP flows

Getting Started

Quickstart: Local Library Use

pip install -e ".[auth]"

from daylily_cognito import CognitoConfig, CognitoAuth

config = CognitoConfig(
    name="myapp",
    region="us-west-2",
    user_pool_id="us-west-2_XXXXXXXXX",
    app_client_id="XXXXXXXXXXXXXXXXXXXXXXXXXX",
)
config.validate()

auth = CognitoAuth(
    region=config.region,
    user_pool_id=config.user_pool_id,
    app_client_id=config.app_client_id,
)

Quickstart: Hosted UI Browser Sessions

from typing import Optional

from fastapi import APIRouter, FastAPI, HTTPException, Request
from fastapi.responses import RedirectResponse

from daylily_cognito import (
    CognitoWebAuthError,
    CognitoWebSessionConfig,
    SessionPrincipal,
    complete_cognito_callback,
    configure_session_middleware,
    load_session_principal,
    start_cognito_login,
)

app = FastAPI()
router = APIRouter()

web_config = CognitoWebSessionConfig(
    domain="myapp.auth.us-west-2.amazoncognito.com",
    client_id="client-id",
    redirect_uri="https://localhost:8912/auth/callback",
    logout_uri="https://localhost:8912/auth/logout",
    public_base_url="https://localhost:8912",
    session_secret_key="change-me",  # load from a secret store in real deployments
    session_cookie_name="myapp_session",
    server_instance_id="server-instance-1",
)

# Installs the cookie-backed session middleware that enforces the contract listed below.
configure_session_middleware(app, web_config)

@router.get("/auth/login")
async def auth_login(request: Request):
    # Redirects the browser to the Hosted UI; "next" is where to land after login.
    return start_cognito_login(request, web_config, request.query_params.get("next"))

@router.get("/auth/callback")
async def auth_callback(request: Request, code: Optional[str] = None, state: Optional[str] = None):
    async def resolve_principal(tokens: dict, request: Request) -> SessionPrincipal:
        # Application-supplied step: verify the returned tokens and map their claims
        # onto the app's principal. Only the principal is stored in the session,
        # never the raw tokens.
        claims = verify_claims_somehow(tokens)  # placeholder for your token verification
        return SessionPrincipal(
            user_sub=claims["sub"],
            email=claims["email"],
            roles=["reader"],
            cognito_groups=claims.get("cognito:groups", []),
            app_context={"tenant_id": claims.get("custom:tenant_id")},
        )

    try:
        return await complete_cognito_callback(request, web_config, code, state, resolve_principal)
    except CognitoWebAuthError as exc:
        # Raised on missing/mismatched OAuth state, failed code exchange, and similar errors.
        return RedirectResponse(f"/auth/error?reason={exc.reason}", status_code=302)

@router.get("/me")
async def me(request: Request):
    principal = load_session_principal(request)
    if principal is None:
        raise HTTPException(status_code=401)
    return principal

app.include_router(router)

The browser-session contract enforces:

  • explicit service-specific cookie names
  • SameSite=Lax
  • https_only derived from the public base URL
  • strict OAuth state validation
  • normalized session principals without raw OAuth tokens
  • restart invalidation through server_instance_id

Quickstart: Hosted UI Browser Sessions (complete single-file app)

from fastapi import FastAPI, Request
from daylily_cognito import (
    CognitoWebSessionConfig,
    SessionPrincipal,
    complete_cognito_callback,
    configure_session_middleware,
    load_session_principal,
    start_cognito_login,
)

app = FastAPI()
web_config = CognitoWebSessionConfig(
    domain="example.auth.us-west-2.amazoncognito.com",
    client_id="client-id",
    redirect_uri="https://localhost:8912/auth/callback",
    logout_uri="https://localhost:8912/auth/logout",
    public_base_url="https://localhost:8912",
    session_cookie_name="example_session",
    session_secret_key="replace-me",
    server_instance_id="server-instance-id",
)
configure_session_middleware(app, web_config)

@app.get("/auth/login")
async def auth_login(request: Request, next: str = "/"):
    return start_cognito_login(request, web_config, next)

@app.get("/auth/callback")
async def auth_callback(request: Request, code: str = "", state: str = ""):
    async def resolve_principal(tokens: dict, request: Request) -> SessionPrincipal:
        # Stub for the quickstart: a real app verifies the tokens and builds the
        # principal from their claims instead of returning fixed values.
        del request
        return SessionPrincipal(
            user_sub="user-sub",
            email="user@example.com",
            roles=["USER"],
            app_context={"tenant_id": "tenant-1"},
        )

    return await complete_cognito_callback(request, web_config, code, state, resolve_principal)

@app.get("/me")
async def me(request: Request):
    principal = load_session_principal(request)
    return {"principal": principal.to_session_dict() if principal else None}

Shared browser-session helpers enforce:

  • explicit, non-default cookie names
  • SameSite=Lax
  • secure cookies whenever the public base URL is HTTPS
  • strict OAuth state validation
  • normalized session principals without raw OAuth tokens
  • session invalidation when the server instance changes
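The two contract lists above (one after each Hosted UI quickstart) describe the same properties. As an added illustration, not the library's own implementation, the stdlib-only sketch below shows what those properties look like when enforced: an unguessable OAuth state nonce compared in constant time, a session cookie that carries only the normalized principal with raw tokens stripped, and a server_instance_id check that invalidates every existing session after a restart. The secret, instance id and principal values are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed values for the illustration; the real config supplies these.
SESSION_SECRET_KEY = "change-me"
SERVER_INSTANCE_ID = "server-instance-1"
RAW_TOKEN_KEYS = {"id_token", "access_token", "refresh_token"}


def _sign(secret: str, payload: bytes) -> str:
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()


def new_oauth_state() -> str:
    # Per-login nonce stored server-side in the session before redirecting to Hosted UI.
    return secrets.token_urlsafe(32)


def state_is_valid(expected: Optional[str], received: Optional[str]) -> bool:
    # Strict: both values must be present and equal; compare in constant time.
    if not expected or not received:
        return False
    return hmac.compare_digest(expected, received)


def seal_principal(principal: dict, secret: str, instance_id: str) -> str:
    # Only the normalized principal is sealed into the cookie; raw OAuth tokens are dropped.
    body = {k: v for k, v in principal.items() if k not in RAW_TOKEN_KEYS}
    body["server_instance_id"] = instance_id
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(secret, payload)


def open_principal(cookie: str, secret: str, instance_id: str) -> Optional[dict]:
    try:
        b64, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    if not hmac.compare_digest(_sign(secret, payload), sig):
        return None  # tampered, or signed under a different session_secret_key
    body = json.loads(payload)
    if body.pop("server_instance_id", None) != instance_id:
        return None  # server restarted with a new instance id: session is invalid
    return body
```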

Quickstart: CLI Workflow

source ./activate
daycog --help
daycog status

Creating or mutating pools, apps, or users is a live AWS operation. Treat daycog setup, add-app, delete-pool, and similar commands as stateful actions.

Architecture

Technology

  • Python library for Cognito config/auth helpers
  • Typer-based daycog CLI
  • optional JWT verification helpers
  • optional Google IdP integration

Core Model

The repo revolves around:

  • Cognito config contexts
  • user pools
  • app clients
  • users and groups
  • environment-variable and config-file loading patterns
  • optional Google OAuth IdP wiring

Runtime Shape

  • library package: daylily_cognito
  • CLI entrypoint: daycog
  • common workflows: context/config inspection, pool/app creation, app management, user/group operations, Google IdP setup

Cost Estimates

Approximate only.

  • Local-only development with mocked or existing config: near-zero direct cost.
  • Live AWS use depends on Cognito usage, domains, MAU, and any external IdP posture; dev/test tends to be modest compared with a full application environment.

Development Notes

  • Canonical local entry path: source ./activate
  • Use daycog ... as the primary operational interface
  • Prefer config contexts or namespaced environment variables over ad hoc per-app auth glue

Useful checks:

source ./activate
daycog --help
pytest -q

Sandboxing

  • Safe: docs work, code reading, tests, config inspection, daycog --help, and local config-file work
  • Requires extra care: any command that creates, edits, or deletes Cognito pools, apps, users, groups, or domains

Download files

Source Distribution: daylily_cognito-0.4.1.tar.gz (82.0 kB)

Built Distribution: daylily_cognito-0.4.1-py3-none-any.whl (51.0 kB)
