Django authentication backends and views for Vector-generated apps

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for rhys-vector from gravatar.com rhys-vector

Unverified details

These details have not been verified by PyPI
Meta
Report project as malware

Project description

govector-auth

Django authentication backends and views for Vector-generated apps. Handles JWT verification from Vector's auth proxy, session cookie management, and dev-mode auto-authentication.

Install

pip install govector-auth

Setup

Authentication Backends

Add to your Django settings:

REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "govector_auth.JWTCookieAuthentication",
        "govector_auth.DevAutoAuthentication",
    ],
}
  • JWTCookieAuthentication reads JWT from HttpOnly cookies with CSRF enforcement
  • DevAutoAuthentication provides a fallback dev user when auth is not configured (when VECTOR_AUTH_PROXY_URL is not set)

URL Configuration

Add the auth views to your urls.py:

from govector_auth import AuthTokenView, TokenRefreshView, CurrentUserView, LogoutView

urlpatterns = [
    path("api/accounts/auth/token", AuthTokenView.as_view()),
    path("api/accounts/auth/refresh", TokenRefreshView.as_view()),
    path("api/accounts/me/", CurrentUserView.as_view()),
    path("api/accounts/logout/", LogoutView.as_view()),
]

Middleware (CHIPS / Partitioned cookies)

Vector apps run inside a 3p iframe on govector.ai. Chrome (especially incognito) drops 3p cookies unless they carry the Partitioned (CHIPS) attribute. The auth views in this package already stamp Partitioned on the auth cookies they set/delete, but Django's CsrfViewMiddleware sets csrftoken independently — so add PartitionedCsrfCookieMiddleware to wrap it:

MIDDLEWARE = [
    # ...
    # Must come BEFORE CsrfViewMiddleware. process_response runs bottom-up,
    # so being above it in the list means this runs AFTER it on the response
    # side and can stamp the csrftoken cookie it just set.
    "govector_auth.PartitionedCsrfCookieMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    # ...
]

Required Settings

# Cookie names
ACCESS_TOKEN_COOKIE = "access_token"
REFRESH_TOKEN_COOKIE = "refresh_token"

# Cookie config
ACCESS_TOKEN_COOKIE_MAX_AGE = 60 * 5  # 5 minutes
ACCESS_TOKEN_COOKIE_HTTPONLY = True
ACCESS_TOKEN_COOKIE_SECURE = True  # False for local dev
ACCESS_TOKEN_COOKIE_SAMESITE = "Lax"
ACCESS_TOKEN_COOKIE_PATH = "/"

REFRESH_TOKEN_COOKIE_MAX_AGE = 60 * 60 * 24 * 7  # 7 days
REFRESH_TOKEN_COOKIE_HTTPONLY = True
REFRESH_TOKEN_COOKIE_SECURE = True  # False for local dev
REFRESH_TOKEN_COOKIE_SAMESITE = "Lax"
REFRESH_TOKEN_COOKIE_PATH = "/"

Required Environment Variables

VECTOR_AUTH_PROXY_URL=https://auth.govector.ai  # Vector's hosted auth proxy
DEV_USER_EMAIL=dev@localhost                     # Fallback email when auth is disabled

User Model

Your User model should include these fields for full compatibility:

class User(AbstractBaseUser):
    email = models.EmailField(unique=True)
    first_name = models.CharField(max_length=150, blank=True)
    last_name = models.CharField(max_length=150, blank=True)
    picture = models.URLField(max_length=500, blank=True, default="")
    vector_uga_user_id = models.CharField(max_length=255, blank=True, default="")
    is_active = models.BooleanField(default=True)

    @property
    def full_name(self) -> str:
        return f"{self.first_name} {self.last_name}".strip() or self.email

Auth Flow

  1. Frontend POSTs JWT from auth proxy to AuthTokenView
  2. View fetches RS256 public key from VECTOR_AUTH_PROXY_URL/.well-known/jwks.json
  3. Verifies JWT signature, extracts user claims
  4. Creates or updates local User record
  5. Issues SimpleJWT access + refresh tokens as HttpOnly cookies
  6. Subsequent requests authenticated via JWTCookieAuthentication
  7. TokenRefreshView rotates tokens when access token expires

API

JWTCookieAuthentication

DRF authentication backend. Reads JWT from the ACCESS_TOKEN_COOKIE cookie, falls back to Authorization header. Enforces CSRF on unsafe methods when using cookies.

DevAutoAuthentication

DRF authentication backend. When VECTOR_AUTH_PROXY_URL is not set, auto-authenticates with a shared dev user. When auth is enabled, returns None (passes through to 401).

Views

View Method Path Description
AuthTokenView POST /api/accounts/auth/token Exchange auth proxy JWT for session
TokenRefreshView POST /api/accounts/auth/refresh Rotate refresh token
CurrentUserView GET /api/accounts/me/ Get current user
LogoutView POST /api/accounts/logout/ Clear auth cookies

Middleware

Middleware Description
PartitionedCsrfCookieMiddleware Stamps Partitioned (CHIPS) on Django's csrftoken cookie so Chrome accepts it in 3p iframe context.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for rhys-vector from gravatar.com rhys-vector

Unverified details

These details have not been verified by PyPI
Meta

Release history Release notifications | RSS feed

This version

0.1.7

0.1.6

0.1.5

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

govector_auth-0.1.7.tar.gz (50.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

govector_auth-0.1.7-py3-none-any.whl (10.2 kB view details)

Uploaded Python 3

File details

Details for the file govector_auth-0.1.7.tar.gz.

File metadata

  • Download URL: govector_auth-0.1.7.tar.gz
  • Upload date:
  • Size: 50.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.7 {"installer":{"name":"uv","version":"0.11.7","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for govector_auth-0.1.7.tar.gz
Algorithm Hash digest
SHA256 740556b41c9a8334de58971630bd90971586e0e78d126b6305ddc4874bc95ef2
MD5 ca0d87e4aa694c01219ea5fe07244bfe
BLAKE2b-256 7d512cacd29a58880ffbe96159daa593c952e970048fb523bae4b8114d8faece

See more details on using hashes here.

File details

Details for the file govector_auth-0.1.7-py3-none-any.whl.

File metadata

  • Download URL: govector_auth-0.1.7-py3-none-any.whl
  • Upload date:
  • Size: 10.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.7 {"installer":{"name":"uv","version":"0.11.7","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for govector_auth-0.1.7-py3-none-any.whl
Algorithm Hash digest
SHA256 31407db7266d54ac27be3a23bd1cca2aac19e4cd7a58936bb447f13d7fecda43
MD5 fcc0c60131577815a588b9acbce250f2
BLAKE2b-256 c327d2049d35dcc9a52b6990e730942d2e0e0457c228926c8558b1b23837f4ed

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page