How to get login information in panel app?

nritsche · July 30, 2020, 9:24pm

I added user authentication by passing an “auth_module” to the bokeh server. I also need the user name within my panel app, so I used

pn.state.cache["username"] = username

and then

pn.state.cache.get("username", "-")

But now users found that this sometimes results in other user names that are logged in. Is there a proper way to access that value, maybe through the tornado request handler?

If I could get tornado.web.RequestHandler somehow from within my panel app, I could access the cookie that keeps the user name.

_jm · July 31, 2020, 1:47am

@nritsche

Disclaimer: I do not personally use bokeh’s authentication module, b/c I typically embed it in a Flask app and use its login/authentication extensions.

With that caveat, a quick inspection/experimentation of the bokeh server authentication example here: server_auth shows that the cookies for the user are available via

curdoc().session_context.request.cookies

My initial recommendation would be to access these in panel for the current session associated with that document via

pn.state.curdoc

There is also another recent Panel Discourse post that discusses a slightly different way to access via the panel state, but that’s not as clear to me how the data for different sessions are being managed. See https://discourse.holoviz.org/t/possible-to-do-personalized-analytics/1025/4.

I know that in bokeh documents are by definition associated with sessions, which led to the first recommendation.

Good luck.

Marc · July 31, 2020, 2:56am

Hi @nritsche

Panel 0.10 which is expected to ship within the next month contains oauth integration and I believe easy to use integrations with cloud providers, github, social etc. You will be able to find information on Github in a PR.

Maybe that could be useful for you?

nritsche · July 31, 2020, 7:51pm

Thanks, but it won’t help me, since I implemented my own authentication. I don’t want to use oauth.

nritsche · July 31, 2020, 7:53pm

Thanks, this helped!
I managed to get the user via

from tornado.web import decode_signed_value
secure_cookie = pn.state.curdoc.session_context.request.cookies["user"]
user = decode_signed_value(cookie_secret, "user", secure_cookie).decode("utf-8")

I had to manually pass in the cookie secret though from when I create the server. Any ideas how I could directly access that in the bokeh server settings?

_jm · July 31, 2020, 8:20pm

@nritsche

In the bokeh server simple auth example on Github https://github.com/bokeh/bokeh/tree/master/examples/howto/server_auth, the request cookies dictionary looks like the following given their implementation of the authentication module.

{'_xsrf': '2|72d4710d|dfba623db795cea77ce50adce6dda0e1|1596226420', 'user': '"bokeh"'}

So the user entry is decoded as plain text at that level. If this is not the case when wrapped in panel, my initial thought would be to pull it out in bokeh and add it as a property of the document for the user’s session.

If you have an app_hooks.py function as part of your bokeh server implementation, you could add it as part of the on_session_created() method. See the Lifecycle Hooks section of the bokeh server documentation here https://docs.bokeh.org/en/latest/docs/user_guide/server.html.

nritsche · September 18, 2020, 10:43pm

Thanks @_jm!

I thought I should be able to just read that cookie, and using the master branch of panel it works with:

pn.state.curdoc.session_context.request.cookies["user"]

But on the production installation using panel 0.9.7, I get

'NoneType' object has no attribute 'session_context'

and similar if I try to get

pn.state.cookies["user"]

Do you know if this is going to work with the next panel release?

philippjfr · September 21, 2020, 9:59am

@nritsche I’ll try to get the 0.10.0 release out asap but it might still take until next week.