app.auth.auth_controller module

class app.auth.auth_controller.AuthController(*, enabled: bool, member_repo: MemberRepository, project_repo: ProjectRepository, participation_repo: ProjectParticipationRepository, system_scopes: SystemScopes)[source]

Bases: object

Enforces authentication and authorization on controllers using flask-session.

This class provides decorators to:

  • Log in members via login_member().

  • Log out members via logout_member().

  • Enforce authentication on controllers via requires_login() and populate the current_member global proxy.

  • Enforce authorization checks on controllers via requires_permission(). This also enforces authentication by using requires_login(), so current_member is available as well.

Parameters:
  • enabled (bool) – Flag to enable or disable access control enforcement.

  • member_repo (app.repositories.member_repository.MemberRepository) – Repository interface to retrieve member data.

  • project_repo (app.repositories.project_repository.ProjectRepository) – Repository interface to retrieve project data.

  • participation_repo (app.repositories.project_participation_repository.ProjectParticipationRepository) – Repository interface to retrieve project participation data.

  • system_scopes (app.auth.scopes.system_scopes.SystemScopes) – Class with system scopes.

login_member(fn)[source]

This is meant to act as the controller that starts member sessions. Use it to decorate functions that authenticate a member and return that member to start the session; an optional redirect URL can be returned as the second value. It is not a controller decorator in the usual sense: it is the controller, and the decorated function simply provides the member model.

Example:

@app.route("/login")
@login_member
def login():
    return Member(), None # return the authenticated member without redirecting

@app.route("/oauth-callback")
@login_member
def oauth_callback():
    return Member(), "https://frontend.com/dashboard" # redirects to frontend with params ?login=success&username=member_username

Parameters:

fn (function) – Function that authenticates a user and returns its model.
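The following is an added example, not code from this project: a pure-Python model of the contract login_member() describes (the decorated function returns a member and an optional redirect URL; the decorator starts the session and redirects with login=success&username=...). The names Member, SESSION, build_redirect and the dict-based responses are assumptions standing in for the project's member model, flask-session and Flask responses.

```python
# Added example (not the project's code). Models the login_member contract
# without Flask: the decorated function returns (member, redirect_url) and the
# decorator starts the session and builds the redirect.
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit


@dataclass(frozen=True)
class Member:  # assumed stand-in for the project's member model
    username: str


SESSION: dict = {}  # assumed stand-in for the server-side flask-session store


def build_redirect(url: str, username: str) -> str:
    """Append ?login=success&username=<member> to `url`, URL-encoding the
    username so characters like spaces or quotes cannot break the query."""
    parts = urlsplit(url)
    extra = urlencode({"login": "success", "username": username})
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def login_member(fn: Callable[..., Tuple[Optional[Member], Optional[str]]]):
    """Decorator that turns a (member, redirect_url) return into a session start.

    The redirect URL comes from the controller, not from the request, so it is
    treated as trusted configuration here.
    """
    @wraps(fn)
    def wrapper(*args, **kwargs):
        member, redirect_url = fn(*args, **kwargs)
        if member is None:
            # Authentication failed: make sure no partial session survives.
            SESSION.clear()
            return {"status": 401, "body": {"message": "Authentication failed"}}
        # Drop any pre-login state before storing the identity; a real
        # implementation would also regenerate the session id at this point.
        SESSION.clear()
        SESSION["username"] = member.username
        if redirect_url is None:
            return {"status": 200, "body": {"username": member.username}}
        return {"status": 302, "location": build_redirect(redirect_url, member.username)}
    return wrapper


# Constructed sample controllers exercising the three possible outcomes.
@login_member
def login_ok():
    return Member("alice"), None


@login_member
def oauth_callback():
    return Member("bob o'neil"), "https://frontend.example/dashboard?tab=1"


@login_member
def login_bad():
    return None, None
```

Note that build_redirect preserves any query string already present on the configured frontend URL and percent-encodes the username, which is the part of the redirect that is attacker-influenced (it is whatever the identity provider or login form supplied).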

logout_member(fn)[source]

Decorate controllers meant to end a user session. Example:

@app.route("/logout")
@access_controller.logout_member
def logout():
    return {"message": "Logged out successfully!"}

Parameters:

fn (function) – Decorated controller.

requires_login(fn)[source]

Decorate controllers that require a logged-in user. This decorator makes the current_member global available inside the controller.

Example:

from app.access import current_member

@bp.route("/members/<username>", methods=["PUT"])
@requires_login
def update_member(username):
    if current_member.username == username:
        pass

Parameters:

fn (function) – Decorated controller.

requires_permission(**scoped_permissions)[source]

Decorator to enforce scoped permission checks on route handlers.

Example:

@bp.route("/projects/<name>", methods=["PUT"])
@requires_permission(general="project:update", project="edit")
def update_project(name):
    pass

Each keyword argument represents a scope, and its value is the required permission for that scope. If any one scope grants the required permission, access is allowed.

Parameters:

scoped_permissions (dict[str, str]) – Mapping of scope names to required permission strings.

Raises:
  • ValueError – If an undefined scope is passed.

  • ValueError – If an undefined permission is passed for the corresponding scope.
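The following is an added example, not the project's own implementation, showing the two behaviours documented above for requires_permission(): validation of scope and permission names raises ValueError at decoration time, and at request time access is allowed if any one scope grants the required permission, with authentication enforced first. SYSTEM_SCOPES, GENERAL_GRANTS, PROJECT_GRANTS, PermissionDenied and the explicit current_username argument are assumptions standing in for the real SystemScopes class, repositories and current_member proxy.

```python
# Added example (not the project's code). Pure-Python model of
# requires_permission: any-one-scope-grants semantics plus the ValueError
# cases for undefined scopes and permissions.
from functools import wraps
from typing import Callable, Dict, Set, Tuple


class PermissionDenied(Exception):
    """Raised when the authenticated member lacks every requested permission."""


# Hypothetical scope registry standing in for SystemScopes:
# scope name -> permissions that scope defines.
SYSTEM_SCOPES: Dict[str, Set[str]] = {
    "general": {"project:create", "project:update", "member:update"},
    "project": {"view", "edit", "admin"},
}

# Constructed sample data standing in for member_repo / participation_repo.
GENERAL_GRANTS: Dict[str, Set[str]] = {
    "alice": {"project:update"},  # site-wide permission
    "bob": set(),                 # only has project-level roles
    "carol": set(),
}
PROJECT_GRANTS: Dict[Tuple[str, str], Set[str]] = {
    ("bob", "proj-a"): {"edit"},  # bob can edit proj-a only
}


def granted_permissions(username: str, scope: str, route_kwargs: dict) -> Set[str]:
    """Resolve the permissions `username` holds in `scope`; the project scope
    is keyed by the route's <name> parameter, as for /projects/<name>."""
    if scope == "general":
        return GENERAL_GRANTS.get(username, set())
    if scope == "project":
        return PROJECT_GRANTS.get((username, route_kwargs.get("name")), set())
    return set()


def requires_permission(**scoped_permissions: str) -> Callable:
    # Validate eagerly so a misconfigured route fails at import time,
    # not on the first request.
    for scope, permission in scoped_permissions.items():
        if scope not in SYSTEM_SCOPES:
            raise ValueError(f"undefined scope {scope!r}")
        if permission not in SYSTEM_SCOPES[scope]:
            raise ValueError(f"undefined permission {permission!r} for scope {scope!r}")

    def decorator(fn):
        @wraps(fn)
        def wrapper(current_username, *args, **kwargs):
            # Authentication is enforced before any authorization check.
            if current_username is None:
                raise PermissionDenied("login required")
            # Any single scope granting its permission is sufficient.
            for scope, permission in scoped_permissions.items():
                if permission in granted_permissions(current_username, scope, kwargs):
                    return fn(*args, **kwargs)
            raise PermissionDenied(f"{current_username!r} lacks {scoped_permissions}")
        return wrapper
    return decorator


@requires_permission(general="project:update", project="edit")
def update_project(name: str) -> str:
    return f"updated {name}"


def check(username, name: str) -> str:
    """Helper returning the controller result or 'denied'."""
    try:
        return update_project(username, name=name)
    except PermissionDenied:
        return "denied"
```

The decoration-time validation is the important defensive property: a typo such as project="edti" would otherwise silently deny everyone (or, with a permissive resolver, silently allow everyone) instead of failing loudly when the module loads.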