Skip to main content

User Authentication plugin for Fastpluggy

Project description

Auth User Plugin

Auth User Release Pipeline Status Coverage

The Auth User plugin provides comprehensive user authentication and management functionality for FastPluggy applications.

📊 Current Status

✅ PRODUCTION READY FEATURES:

  • Complete admin interface for user management (CRUD operations)
  • User authentication with secure password hashing
  • Session management with configurable expiration
  • User profile pages with authentication protection
  • Automatic admin user creation on first install
  • Menu integration for user functions

⚠️ PARTIALLY IMPLEMENTED:

  • Login routes (exist but commented out - ready for activation)

📋 ROADMAP: See Implementation Roadmap for detailed development plan.

Features

  • User Authentication: Secure username/password authentication with BCrypt hashing
  • Admin Interface: Complete user management with list, add, edit functionality
  • Session Management: Configurable session handling with JSON data storage
  • User Profiles: Protected profile pages for authenticated users
  • Menu Integration: Automatic menu items for profile and logout
  • Template System: Jinja2 templates for login and profile pages
  • Database Integration: SQLAlchemy models with FastPluggy core

Models

FastPluggyBaseUser

The main user model with the following fields:

  • username: Unique username (String, 255 chars)
  • hashed_password: Securely hashed password (String, 255 chars)
  • is_admin: Boolean flag indicating admin privileges (default: False)

Session

Session management model for user authentication:

  • session_id: Unique session identifier (String, 255 chars)
  • session_data: JSON data stored in the session
  • session_lifetime: Session expiration timestamp
  • session_time: Session creation timestamp
  • ip: Client IP captured at login (nullable; only set when collect_login_ip is enabled)
  • user_agent: Raw User-Agent captured at login (nullable)
  • last_seen_at: Last activity timestamp, refreshed (throttled) on authenticated requests (nullable)

Session management

Both authenticated users and admins can review and revoke sessions:

  • Self-serviceGET /profile/sessions/ lists the current user's active sessions with device (heuristic User-Agent parse), IP, relative last-seen, created/expires. Revoke a single session or "revoke all other sessions". The IP column is hidden entirely when collect_login_ip is disabled.
  • Admin-wideGET /admin/users/sessions/ (requires the fp_admin role) lists every active session across all users with a username filter, and can revoke any individual session or all of a given user's sessions.

last_seen_at is refreshed inside the authentication path but throttled to at most one write per session_last_seen_throttle seconds, and is wrapped so a tracking failure can never break authentication. Set session_track_metadata to false to disable User-Agent capture and last-seen tracking entirely.

Configuration

The plugin uses AuthUserConfig class with the following settings:

from fastpluggy.core.config import BaseDatabaseSettings
from typing import Optional, Literal

class AuthUserConfig(BaseDatabaseSettings):
    # Set to None to enable UI-based setup on first install
    # If None, admin user creation will be handled via setup UI
    default_admin_username: Optional[str] = None
    default_admin_password: Optional[str] = None

    # Auth backend: "session" (cookies + tokens + login redirect) or "basic" (HTTP Basic popup)
    auth_backend: Literal["session", "basic"] = "session"

    login_template: str = 'auth_user/login.html'
    collect_login_ip: bool = True
    allow_api_tokens: bool = True  # set to False to disable personal access tokens globally

    # Per-session metadata (device / IP / last-seen on the sessions pages)
    session_track_metadata: bool = True   # capture user-agent + refresh last_seen_at
    session_last_seen_throttle: int = 60  # min seconds between last_seen_at writes
Setting Default Effect
collect_login_ip True Capture client IP at login; gates the IP column on the sessions pages
session_track_metadata True Capture User-Agent at login and refresh last_seen_at on activity
session_last_seen_throttle 60 Minimum seconds between last_seen_at writes (keeps the auth path cheap)

Auth backends

Backend auth_backend How it works
Session (default) "session" Cookie-based sessions + Bearer tokens + HTTP Basic with __token__ (pip/twine). Redirects to login page on auth failure.
Basic "basic" HTTP Basic authentication only. Triggers browser popup on auth failure.

The auth backend is configurable via environment variable or database settings:

AUTH_USER_AUTH_BACKEND=basic  # or "session" (default)

Admin User Setup

The plugin provides intelligent admin user setup with two approaches:

🎯 Recommended: UI-Based Setup (Default)

By default, default_admin_username and default_admin_password are set to None, which enables the setup UI:

  1. First Install: When no users exist, visit /setup/ to create the first admin user
  2. Secure: No hardcoded credentials - you choose the username and password
  3. User-Friendly: Clean web interface with validation and error handling
  4. Automatic Detection: The system automatically detects when setup is needed

🔧 Alternative: Automatic Creation with Configured Credentials

If you prefer automatic admin creation, configure default credentials:

# In your environment or config
default_admin_username = "your_admin_username"
default_admin_password = "your_secure_password"

When configured, the plugin will automatically create the admin user on first startup.

📋 Setup Process

  1. Plugin Load: System checks if any users exist
  2. If No Users:
    • With configured credentials: Automatically creates admin user
    • Without credentials (default): Logs message to visit /setup/
  3. Setup UI: Visit /setup/ to create admin user with custom credentials
  4. Redirect: After successful setup, redirects to login page

🔍 Setup Status Check

You can check if setup is needed programmatically:

from fastpluggy_plugin.auth_user.src.repository import needs_initial_setup
from fastpluggy.core.database import get_db

if needs_initial_setup(get_db()):
    print("Setup required - visit /setup/")
else:
    print("Admin user exists")

Routes

Setup Routes

  • GET /setup/ - Initial admin user setup page (only accessible when no users exist)
  • POST /setup/ - Process admin user creation form
  • GET /setup/check - API endpoint to check if setup is needed

Authentication Routes

  • GET /logout - Logout user and clear session

Profile Routes

  • GET /profile/ - User profile page (requires authentication)

Menu Integration

The plugin automatically adds the following menu items:

  • Profile (/profile/) - User profile page
  • Logout (/logout) - Logout functionality

Templates

The plugin expects the following Jinja2 templates:

  • auth_user/profile.html.j2 - User profile page template
  • auth_user/login.html.j2 - Login page template (referenced in config)

Usage

  1. Install the plugin — it is auto-discovered via the fastpluggy.plugins entry point
  2. Auth is auto-wired — the plugin calls fast_pluggy.set_auth_manager() during on_load_complete, so you do not need to pass auth_manager= to FastPluggy(). Just FastPluggy(app) is enough.
  3. First run — visit /setup/ to create the first admin user (or set default_admin_username / default_admin_password in config for automatic creation)
  4. Profile — authenticated users can manage their profile at /profile/

If you pass auth_manager= explicitly to FastPluggy(), the plugin respects it and does not override.

Personal Access Tokens

Users can create long-lived API tokens for programmatic access (CI/CD, pip, twine, scripts).

Managing tokens

Tokens are managed via the UI at /tokens/:

  • Create a token with a name and optional expiry (in days)
  • The raw token value is shown once — copy it immediately
  • Revoke any token at any time

Using tokens — API clients (Bearer)

Authorization: Bearer <your-token>

Any endpoint protected by require_authentication accepts this header.

Using tokens — pip / twine (HTTP Basic)

pip and twine use HTTP Basic auth. Use __token__ as the username and your token as the password:

# pip install
pip install --index-url https://__token__:<your-token>@registry.fastpluggy.xyz/pypi/simple/ my-package

# twine upload
twine upload --repository-url https://registry.fastpluggy.xyz/pypi/ \
  -u __token__ -p <your-token> dist/*

Or configure ~/.pypirc:

[fastpluggy]
repository = https://registry.fastpluggy.xyz/pypi/
username = __token__
password = <your-token>

SessionAuthManager detects the __token__ username in Basic auth headers and validates the password as a personal access token (SHA256 hash lookup), so no separate auth scheme is needed for pip/twine.

Token model

Field Description
name User-friendly label
token_hash SHA256 of the raw token (never stored in plaintext)
expires_at Optional expiry timestamp
last_used_at Updated on every successful use

Security Notes

  • Passwords are securely hashed using BCrypt (BasicAuthManager.hash_password())
  • Sessions are managed with configurable lifetime (default: 1 hour)
  • Admin privileges are controlled via the is_admin boolean field
  • API tokens are stored as SHA256 hashes (never in plaintext)
  • Important: Change the default admin password after first login for security

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fastpluggy_auth_user-0.2.7.tar.gz (53.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

fastpluggy_auth_user-0.2.7-py3-none-any.whl (63.8 kB view details)

Uploaded Python 3

File details

Details for the file fastpluggy_auth_user-0.2.7.tar.gz.

File metadata

  • Download URL: fastpluggy_auth_user-0.2.7.tar.gz
  • Upload date:
  • Size: 53.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.13

File hashes

Hashes for fastpluggy_auth_user-0.2.7.tar.gz
Algorithm Hash digest
SHA256 f4ad31db442708f2a643434628c6880ac36b8d35fe4a3cce3e0dcfab7aef3a81
MD5 69623c1e82b487d0daa90454d54cbb5b
BLAKE2b-256 dea70840099d7320505135e0efb114126232a1390e5e3385a78fc75c6a47f191

See more details on using hashes here.

File details

Details for the file fastpluggy_auth_user-0.2.7-py3-none-any.whl.

File metadata

File hashes

Hashes for fastpluggy_auth_user-0.2.7-py3-none-any.whl
Algorithm Hash digest
SHA256 d85e1fce93beb5c32a8a7ba0c2e7b1663c1b92c9990409aac7f4fc10e1d337d2
MD5 3e57b0fbac41c0443a9a917a0076d5b2
BLAKE2b-256 9af687dcab2eb1d487e0198c0708b75c2d52ddd099046cdbf6664610ccee4386

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page