Handling session and authentication

[kamilc]

Hey all,

This project looks super dope! I know it's still early days and that auth-related components are on their way, but just to understand the architecture a bit more - how would one go about creating one herself/himself? Also, how do we handle user sessions?

Thanks!

[FHU-yezi]

Maybe we need some ways to access Cookie, LocalStorge etc, and we can use JWT or something else.

[picklelo]

Check out the Twitter example we show how you can create your own auth logic.

I'm working on a blog post for the architecture - but in summary we have a NextJS frontend and a Python backend where all the client state is held and where the state update logic is done. A FastAPI websocket sends events to the backend to process, and state updates to the frontend to render on the UI.

[cahaj]

So, I was experimenting with an auth0 authentication system and trying to implement it in my Pynecone project and came across some things I didn't understand.

First things first, I made a really simple Flask application to demonstrate what I want to achieve.

from flask import Flask, redirect, session, request

DOMAIN = 'AUTH0_DOMAIN'
ID = 'CLIENT_ID'

app = Flask('')
app.secret_key = 'RANDOM 32 HEX SECRET'


@app.route('/')
def home():
    return session.get('token', "Not logged in")

@app.route('/login')
def login():
    return redirect(f"https://{DOMAIN}/authorize?response_type=code&client_id={ID}&redirect_uri=http://127.0.0.1:3000/callback")

@app.route('/callback')
def callback():
    token = request.args.get('code')
    session['token'] = token
    return redirect("/")

@app.route('/logout')
def logout():
    del session['token']
    return redirect(f"https://{DOMAIN}/v2/logout?client_id={ID}&redirectTo=http://127.0.0.1:3000/")

def run():
    app.run(host='0.0.0.0',port=3000)

if __name__ == '__main__':
    run()

The things I'm struggling to recreate in Pynecone are alternative for Flask's session and returning a page redirect.

I don't understand how to temporarily store the user's token for the duration of the login session in Pynecone, am I somehow supposed to do this through the State? If I am, how am I able to call the State to build a simple if statement returning the main page when the token is found and the login page when not?

About my second problem, whenever I try to return a pc.redirect() in a API route, I get Error: Invariant: attempted to hard navigate to the same URL /login http://127.0.0.1:3000/login.

Im really in love with the project, just can't find much answers to my questions by myself as it is still really new, so sorry if it's something really simple that I'm missing!

Thanks!

[steamraven]

I would really like to see some authentication and authorization features as first level features. These features are needed in any app that goes beyond a toy or demo. And it is very hard to get this right, as the Twitter Example shows. It has some serious problems and shows how easy it is to miss things.

It would be nice to have a way annotate state events (including the implicit set_* events) with the authorization level.

Authentication may be able to be handled with middleware

I really think having these features would go a long way to making this project seem complete