Initial commit of local_auth example (#143)

local_auth/.gitignore

@@ -0,0 +1,4 @@
+*.db
+*.py[cod]
+.web
+__pycache__/

local_auth/README.md

@@ -0,0 +1,91 @@
+# Local Authentication Example
+
+See example app code: [`local_auth.py`](./local_auth/local_auth.py)
+
+## Models
+
+This example makes use of two models, [`User`](./local_auth/user.py) and
+[`AuthSession`](./local_auth/auth_session.py), which store user login
+information and authenticated user sessions respectively.
+
+User passwords are hashed in the database with
+[`passlib`](https://pypi.org/project/passlib/) using
+[`bcrypt`](https://pypi.org/project/bcrypt/) algorithm. However, during
+registration and login, the unhashed password is sent over the websocket, so
+**it is critical to use TLS to protect the websocket connection**.
+
+## States
+
+The base [`State`](./local_auth/base_state.py) class stores the `auth_token` as
+a `LocalStorage` var, allowing logins to persist across browser tabs and
+sessions.
+
+It also exposes `authenticated_user` as a cached computed var, which
+looks up the `auth_token` in the `AuthSession` table and returns a matching
+`User` if any exists. The `is_authenticated` cached var is a convenience for
+determining whether the `auth_token` is associated with a valid user.
+
+The public event handler, `do_logout`, may be called from the frontend and will
+destroy the `AuthSession` associated with the current `auth_token`.
+
+The private event handler, `_login` is only callable from the backend, and
+establishes an `AuthSession` for the given `user_id`. It assumes that the
+validity of the user credential has already been established, which is why it is
+a private handler.
+
+### Registration
+
+The [`RegistrationState`](./local_auth/registration.py) class handles the
+submission of the register form, checking for input validity and ultimately
+creating a new user in the database.
+
+After successful registration, the event handler redirects back to the login
+page after a brief delay.
+
+### Login
+
+The [`LoginState`](./local_auth/login.py) class handles the submission of the
+login form, checking the user password, and ultimately redirecting back to the
+last page that requested login (or the index page).
+
+The `LoginState.redir` event handler is a bit special because it behaves
+differently depending on the page it is called from.
+
+  * If `redir` is called from any page except `/login` and there is no
+    authenticated user, it saves the current page route as `redirect_to` and
+    forces a redirect to `/login`.
+  * If `redir` is called from `/login` and the there is an authenticated
+    user, it will redirect to the route saved as `redirect_to` (or `/`)
+
+## Forms and Flow
+
+### `@require_login`
+
+The `login.require_login` decorator is intended to be used on pages that require
+authentication to be viewed. It uses `rx.cond` to conditionally render either
+the wrapped page, or some loading spinners as placeholders. Because one of the
+spinners specifies `LoginState.redir` as the event handler for its `on_mount`
+trigger, it will handle redirection to the login page if needed.
+
+### Login Form
+
+The login form triggers `LoginState.on_submit` when submitted, and this function
+is responsible for looking up the user and validating the password against the
+database. Once the user is authenticated, `State._login` is called to create the
+`AuthSession` associating the `user_id` with the `auth_token` stored in the
+browser's `LocalStorage` area.
+
+Finally `on_submit` chains back into `LoginState.redir` to handle redirection
+back to the page that requested the login (stored as `LoginState.redirect_to`).
+
+### Protect the State
+
+Keep in mind that **all pages in a reflex app are publicly accessible**! The
+`redir` mechanism is designed to get users to and from the login page, it is NOT
+designed to protect private data.
+
+All private data needs to originate from computed vars or event handlers setting
+vars after explicitly checking `State.authenticated_user` on the backend.
+Static data passed to components, even on protected pages, can be retrieved
+without logging in. It cannot be stressed enough that **private data MUST come
+from the state**.

local_auth/alembic.ini

@@ -0,0 +1,110 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts
+script_location = alembic
+
+# template used to generate migration file names; The default value is %%(rev)s_%%(slug)s
+# Uncomment the line below if you want the files to be prepended with date and time
+# see https://alembic.sqlalchemy.org/en/latest/tutorial.html#editing-the-ini-file
+# for all available tokens
+# file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
+
+# sys.path path, will be prepended to sys.path if present.
+# defaults to the current working directory.
+prepend_sys_path = .
+
+# timezone to use when rendering the date within the migration file
+# as well as the filename.
+# If specified, requires the python-dateutil library that can be
+# installed by adding `alembic[tz]` to the pip requirements
+# string value is passed to dateutil.tz.gettz()
+# leave blank for localtime
+# timezone =
+
+# max length of characters to apply to the
+# "slug" field
+# truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+# version location specification; This defaults
+# to alembic/versions.  When using multiple version
+# directories, initial revisions must be specified with --version-path.
+# The path separator used here should be the separator specified by "version_path_separator" below.
+# version_locations = %(here)s/bar:%(here)s/bat:alembic/versions
+
+# version path separator; As mentioned above, this is the character used to split
+# version_locations. The default within new alembic.ini files is "os", which uses os.pathsep.
+# If this key is omitted entirely, it falls back to the legacy behavior of splitting on spaces and/or commas.
+# Valid values for version_path_separator are:
+#
+# version_path_separator = :
+# version_path_separator = ;
+# version_path_separator = space
+version_path_separator = os  # Use os.pathsep. Default configuration used for new projects.
+
+# set to 'true' to search source files recursively
+# in each "version_locations" directory
+# new in Alembic version 1.10
+# recursive_version_locations = false
+
+# the output encoding used when revision files
+# are written from script.py.mako
+# output_encoding = utf-8
+
+sqlalchemy.url = driver://user:pass@localhost/dbname
+
+
+[post_write_hooks]
+# post_write_hooks defines scripts or Python functions that are run
+# on newly generated revision scripts.  See the documentation for further
+# detail and examples
+
+# format using "black" - use the console_scripts runner, against the "black" entrypoint
+# hooks = black
+# black.type = console_scripts
+# black.entrypoint = black
+# black.options = -l 79 REVISION_SCRIPT_FILENAME
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

local_auth/alembic/README

@@ -0,0 +1 @@
+Generic single-database configuration.

local_auth/alembic/env.py

@@ -0,0 +1,78 @@
+from logging.config import fileConfig
+
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+
+from alembic import context
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+# from myapp import mymodel
+# target_metadata = mymodel.Base.metadata
+target_metadata = None
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section, {}),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection, target_metadata=target_metadata
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

local_auth/alembic/script.py.mako

@@ -0,0 +1,26 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    ${downgrades if downgrades else "pass"}

local_auth/alembic/versions/e7f2b1379e19_.py

@@ -0,0 +1,50 @@
+"""empty message
+
+Revision ID: e7f2b1379e19
+Revises: 
+Create Date: 2023-09-06 23:26:13.577395
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel
+
+# revision identifiers, used by Alembic.
+revision: str = 'e7f2b1379e19'
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('authsession',
+    sa.Column('expiration', sa.DateTime(timezone=True), server_default=sa.text('(CURRENT_TIMESTAMP)'), nullable=True),
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('user_id', sa.Integer(), nullable=False),
+    sa.Column('session_id', sqlmodel.sql.sqltypes.AutoString(), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_authsession_session_id'), 'authsession', ['session_id'], unique=True)
+    op.create_index(op.f('ix_authsession_user_id'), 'authsession', ['user_id'], unique=False)
+    op.create_table('user',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('username', sqlmodel.sql.sqltypes.AutoString(), nullable=False),
+    sa.Column('password_hash', sqlmodel.sql.sqltypes.AutoString(), nullable=False),
+    sa.Column('enabled', sa.Boolean(), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_user_username'), 'user', ['username'], unique=True)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(op.f('ix_user_username'), table_name='user')
+    op.drop_table('user')
+    op.drop_index(op.f('ix_authsession_user_id'), table_name='authsession')
+    op.drop_index(op.f('ix_authsession_session_id'), table_name='authsession')
+    op.drop_table('authsession')
+    # ### end Alembic commands ###

local_auth/local_auth/auth_session.py

@@ -0,0 +1,19 @@
+import datetime
+
+from sqlmodel import Column, DateTime, Field, func
+
+import reflex as rx
+
+
+class AuthSession(
+    rx.Model,
+    table=True,  # type: ignore
+):
+    """Correlate a session_id with an arbitrary user_id."""
+
+    user_id: int = Field(index=True, nullable=False)
+    session_id: str = Field(unique=True, index=True, nullable=False)
+    expiration: datetime.datetime = Field(
+        sa_column=Column(DateTime(timezone=True), server_default=func.now()),
+        nullable=False,
+    )