Tips/guide on creating a simple username/password auth for panel app?

Is there a simple guide for doing username/password auth?

I’m just using Bokeh’s auth module

3 Likes

I’d be happy to ship other auth components with Panel, currently we support a variety of OAuth providers but I guess one bit that is missing even from that is the ability to black/white-list specific users. With the Okta provider you can set that up on the Okta side but that doesn’t work for the GitHub, GitLab providers etc.

I’d also be happy to have an even simpler auth component that keeps a simple list of users and salted/hashed passwords.

1 Like

Knowing very little about security, how safe/unsafe would it be if I just used a

def authenticate(event):
    # "something" and "something_else" would be saved in some env file
    if username_input.value == "something" and password_input.value == "something_else": 
        return True  # trigger loading app
    else:
       return False 

username_input = pn.widgets.TextInput(placeholder="Enter username here")
password_input = pn.widgets.PasswordInput(placeholder="Enter password here")
submit_button = pn.widgets.Button(name="Submit")

auth_col = pn.Column(
    username_input,
    password_input,
    submit_button
)

submit_button.on_click(authenticate)

The reason being is that users don’t have accounts in any of the built-in ouath2 providers

How were you able to use it?

When I served with:
panel serve --enable-xsrf-cookies --auth-module=myapp/auth.py

If I go to
localhost:####/login it would work as expected, redirecting to localhost:####/myapp

However, I could bypass the login page just by directly visiting without logging in
localhost:####/myapp

How about saving the login state in the session and then just redirecting to the login page when a user tries to access a “login-protected” page?

Do you know how I can do that?

2 Likes

you might have to clear your cookies

For me it works even when I go to the app page directly (redirects to login page)

Oh maybe, but I guess it’s easily bypassable:

1 Like

@ahuang11 any suggestions to improve the login page?

Edit1: when I am using the example above (https://github.com/bokeh/bokeh/tree/branch-2.4/examples/howto/server_auth), then I created a logout button, it is always necessary to re-login to access the app. Example of the logout button is below.

code = """
window.location.href="/logout"
"""
button = pn.widgets.Button(name="Logout", button_type="success")
button.js_on_click(code=code)

I wonder how we can clear the cookies when we close the browser tab or set the timeout.

Edit2:
expires_days arguments works well to give the timeout on the cookies. 0.001 means 1 minutes. 0.04 will give around 1 hour (57 minutes).

def set_current_user(self, user):
    if user:
        self.set_cookie(
            "user", 
            tornado.escape.json_encode(user),
            expires_days=0.001
        )
    else:
        self.clear_cookie("user")

Edit3:
pn.state.cache could be used to pass the python object, for example service obj from database, to the main application.

2 Likes

We should definitely allow a configurable timeout for the cookie. Can someone file an issue?

2 Likes

Also separately could someone make a suggestions for a basic non-OAuth approach, e.g. just a way to store hashed and salted Username/Password pairs alongside the application.

4 Likes