[FastAPI] User authentication and user-based routes

Kevin Morris requested to merge kevr/aurweb:pu_fastapi_auth into pu

Dependency Additions

  • python-bcrypt
    • Required for password hashing compatible with aurweb
  • python-email-validator
    • Required for email validation from form input
  • python-lxml
    • Used for some testing of HTML content
  • python-pytz
    • Used for timezone management

Test-only Dependencies

  • openssh
    • We use executables in here for key generation during SSHPubKey tests


  • Added aurweb.db.query
    • An ORM helper function which performs a query and returns the result
  • Added aurweb.db.create
    • An ORM helper function which creates a record and returns the row
  • Added aurweb.db.delete
    • An ORM helper function which deletes a record
  • Added aurweb.auth.AnonymousUser
    • request.user's class when the request is not authenticated
  • Added aurweb.auth.BasicAuthBackend
    • A starlette Authentication middleware backend for aurweb
  • Added aurweb.auth.auth_required(is_required = True, redirect = "/", template = None)
    • A route decorator: @auth_required(redirect="/blah", template="blah.html")
  • Added aurweb.auth.user_developer_or_trusted_user(user)
  • Added aurweb.auth.trusted_user(user)
  • Added aurweb.auth.developer(user)
  • Added aurweb.auth.trusted_user_or_dev(user)
  • Added credential constants prefixed with CRED_ in aurweb.auth.
  • Added aurweb.auth.has_credential(user, credential, approved_users = tuple())
    • Check whether user has credential; users are automatically approved if they exist in approved_users.
  • Added aurweb.templates.is_list
    • A new filter automatically passed to the Jinja environment
  • Added aurweb.templates.is_str
    • A new filter automatically passed to the Jinja environment
  • Added Ban SQLAlchemy ORM model
  • Added Session SQLAlchemy ORM model
  • Added SSHPubKey SQLAlchemy ORM model
  • Added User.authenticate
  • Added User.is_authenticated
  • Added User.login
  • Added User.logout
  • Added User credentials, cloning the PHP implementation's method
    • Supports Users, Trusted Users, Developers, Trusted Users & Developers
  • Added aurweb.captcha, a module containing captcha utilities
  • Added aurweb.time, a module with time-wise helper functions
  • Added /passreset get and post routes
  • Added /register get and post routes
  • Added /login get and post routes
  • Added /logout get and post routes
  • Added /account/<username> get route
  • Added /account/<username>/edit get and post routes


  • Take request.user.LangPreference into account when authenticated
  • We now use the request.user's timezone when authenticated
  • User now has an internal session relationship

NOTE: This list will be updated as the branch is prepared for review; it is still a work in progress.

Edited by Kevin Morris
