Tips/guide on creating a simple username/password auth for panel app?

ahuang11 · July 20, 2021, 7:28pm

Is there a simple guide for doing username/password auth?

Material-Scientist · July 25, 2021, 1:16pm

I’m just using Bokeh’s auth module

philippjfr · July 26, 2021, 9:54am

I’d be happy to ship other auth components with Panel, currently we support a variety of OAuth providers but I guess one bit that is missing even from that is the ability to black/white-list specific users. With the Okta provider you can set that up on the Okta side but that doesn’t work for the GitHub, GitLab providers etc.

I’d also be happy to have an even simpler auth component that keeps a simple list of users and salted/hashed passwords.

ahuang11 · July 26, 2021, 3:56pm

Knowing very little about security, how safe/unsafe would it be if I just used a

def authenticate(event):
    # "something" and "something_else" would be saved in some env file
    if username_input.value == "something" and password_input.value == "something_else": 
        return True  # trigger loading app
    else:
       return False 

username_input = pn.widgets.TextInput(placeholder="Enter username here")
password_input = pn.widgets.PasswordInput(placeholder="Enter password here")
submit_button = pn.widgets.Button(name="Submit")

auth_col = pn.Column(
    username_input,
    password_input,
    submit_button
)

submit_button.on_click(authenticate)

The reason being is that users don’t have accounts in any of the built-in ouath2 providers

ahuang11 · July 26, 2021, 4:25pm

How were you able to use it?

When I served with:
panel serve --enable-xsrf-cookies --auth-module=myapp/auth.py

If I go to
localhost:####/login it would work as expected, redirecting to localhost:####/myapp

However, I could bypass the login page just by directly visiting without logging in
localhost:####/myapp

Stubatiger · July 27, 2021, 11:29am

How about saving the login state in the session and then just redirecting to the login page when a user tries to access a “login-protected” page?

ahuang11 · July 27, 2021, 5:43pm

Do you know how I can do that?

Material-Scientist · July 30, 2021, 10:40pm

you might have to clear your cookies

For me it works even when I go to the app page directly (redirects to login page)

ahuang11 · August 1, 2021, 1:30am

Oh maybe, but I guess it’s easily bypassable:

github.com/bokeh/bokeh

[BUG] bokeh authentication example checks only whether `user` cookie is set

opened 12:54PM - 04 Sep 20 UTC

ltalirz

type: discussion

#### ALL software version info (bokeh, python, notebook, OS, browser, any other …relevant packages) bokeh `master` branch #### Observed behavior I'm trying out the authentication features for the first time, so I looked at the corresponding [howto example](https://github.com/bokeh/bokeh/tree/main/examples) in the bokeh repository. Without a complete understanding of the inner workings, it seems to me the first thing that bokeh does is call the `get_user` function https://github.com/bokeh/bokeh/blob/b5abc5a5b32b283b3b3cdaebf430728a06d84aba/examples/howto/server_auth/auth.py#L5-L7 which checks the `user` cookie. It turns out that if that function returns anything but `None`, the `LoginHandler` is never activated (!), i.e. the user is assumed to be already logged in. I.e. setting the `user` cookie manually allows any user to circumvent the user/password check implemented here: https://github.com/bokeh/bokeh/blob/b5abc5a5b32b283b3b3cdaebf430728a06d84aba/examples/howto/server_auth/auth.py#L22-L25 Maybe this is obvious to people who are familiar with the details of the authentication workflow, but this code is likely to be copied by people who are new to this (like me), who may be surprised to find that the apps they thought are login-protected really aren't. #### Expected behavior I would expect that I cannot access the protected app without a valid user name and password. #### Complete, minimal, self-contained example code that reproduces the issue Check out the bokeh repository and do: ``` cd examples/howto/server_auth bokeh serve --enable-xsrf-cookies --auth-module=auth.py app.py ``` Open http://localhost:5006/app without logging in. Open the browser console and execute ``` document.cookie="user=test" ``` Visit http://localhost:5006/app again - you are logged in!

Arifin · September 7, 2021, 2:39am

@ahuang11 any suggestions to improve the login page?

Edit1: when I am using the example above (https://github.com/bokeh/bokeh/tree/branch-2.4/examples/howto/server_auth), then I created a logout button, it is always necessary to re-login to access the app. Example of the logout button is below.

code = """
window.location.href="/logout"
"""
button = pn.widgets.Button(name="Logout", button_type="success")
button.js_on_click(code=code)

I wonder how we can clear the cookies when we close the browser tab or set the timeout.

Edit2:
expires_days arguments works well to give the timeout on the cookies. 0.001 means 1 minutes. 0.04 will give around 1 hour (57 minutes).

def set_current_user(self, user):
    if user:
        self.set_cookie(
            "user", 
            tornado.escape.json_encode(user),
            expires_days=0.001
        )
    else:
        self.clear_cookie("user")

Edit3:
pn.state.cache could be used to pass the python object, for example service obj from database, to the main application.

philippjfr · September 7, 2021, 2:53pm

We should definitely allow a configurable timeout for the cookie. Can someone file an issue?

philippjfr · September 7, 2021, 2:54pm

Also separately could someone make a suggestions for a basic non-OAuth approach, e.g. just a way to store hashed and salted Username/Password pairs alongside the application.

orangeSi · November 18, 2022, 6:54am

Simple login/password auth example without oauth · Issue #2575 · holoviz/panel · GitHub had the same question as this post. Before really resolve it，I use this enter simple password when login(like the way in jupyter notebook) · Issue #4113 · holoviz/panel · GitHub as the temporary resolution.