Tips/guide on creating a simple username/password auth for panel app?

Is there a simple guide for doing username/password auth?

I’m just using Bokeh’s auth module

2 Likes

I’d be happy to ship other auth components with Panel, currently we support a variety of OAuth providers but I guess one bit that is missing even from that is the ability to black/white-list specific users. With the Okta provider you can set that up on the Okta side but that doesn’t work for the GitHub, GitLab providers etc.

I’d also be happy to have an even simpler auth component that keeps a simple list of users and salted/hashed passwords.

Knowing very little about security, how safe/unsafe would it be if I just used a

import panel as pn

def authenticate(event):
    # "something" and "something_else" would be saved in some env file
    if username_input.value == "something" and password_input.value == "something_else":
        return True  # trigger loading app
    else:
        return False

username_input = pn.widgets.TextInput(placeholder="Enter username here")
password_input = pn.widgets.PasswordInput(placeholder="Enter password here")
submit_button = pn.widgets.Button(name="Submit")

auth_col = pn.Column(
    username_input,
    password_input,
    submit_button
)

submit_button.on_click(authenticate)

The reason being is that users don’t have accounts in any of the built-in OAuth2 providers.
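Added example, not part of any post in this thread and not Panel's or Bokeh's own code: one way to do the "simple list of users and salted/hashed passwords" check mentioned above, in place of the plaintext `==` comparison. The function names, the record format, the PBKDF2 parameters and the sample user are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256, 16-byte salt.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record 'iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# Record checked when the username is unknown, so that path costs the same work
# as a known username and does not reveal which usernames exist.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def check_credentials(users: dict, username: str, password: str) -> bool:
    """users maps username -> stored record; plaintext passwords are never stored."""
    record = users.get(username)
    ok = verify_password(password, record if record is not None else _DUMMY_RECORD)
    return ok and record is not None


# Constructed sample store; in practice the records would be loaded from a file
# or environment variable, as the post suggests for its two plaintext values.
USERS = {"alice": hash_password("correct horse battery staple")}
```

This covers only the credential check; whether the app page can be reached without logging in is the separate question raised further down the thread.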

How were you able to use it?

When I served with:
panel serve --enable-xsrf-cookies --auth-module=myapp/auth.py

If I go to
localhost:####/login it would work as expected, redirecting to localhost:####/myapp

However, I could bypass the login page just by directly visiting without logging in
localhost:####/myapp

How about saving the login state in the session and then just redirecting to the login page when a user tries to access a “login-protected” page?

Do you know how I can do that?

1 Like

You might have to clear your cookies.

For me it works even when I go to the app page directly (redirects to login page)

Oh maybe, but I guess it’s easily bypassable: