Proper way of implementing (reusing) the user and session_auth app in a FastAPI project?

[heliumbrain]

Hi there!

First of all I just need to say, GREAT job with this project. I love how well thought out it is and the documentation is on point.

I'm quite new to both FastAPI and Piccolo, so please bear with me in my adventure of incompetence :)

I'm currently setting up a FastAPI project that will act as the backend API for a web-app that lives completely separate. I've read up a bit on the User implementation in Piccolo and the session_auth app in piccolo-api. So far I've managed to create a endpoint that allows end-users to register for a new account:

BaseUserPydantic = create_pydantic_model(table=BaseUser, model_name="BaseUserPydantic")


@app.post("/auth/register")
async def create_user(user: BaseUserPydantic):
    try:
        user = BaseUser(**user.__dict__)
        await user.save().run()
    except Exception:
        return Response(status_code=500)

This works, but I'm sure it can be improved... Now, where I feel a bit lost is how to "hook in" the session-auth and making it work together.

1. Should I stick to inhereting from the apps (session_auth and user) and just MixIn whatever changes I need to suit my app? Or would I be better of making my own user and auth app (reusing some of the code from the pre-build ones)

I have a lot of tiny questions, but mainly I just need some guidance in getting my auth-flow to work. I've tried digging through the fastapi-admin repo to see how it was solved there, but I'm afraid I can't really grasp it. Appologize for the vauge questions. I wish I knew enough to pinpoint my questions better :)

Appreciate any help, and please let me know if you need me to expand on some parts of my setup.

[dantownsend]

Thanks for the kind words.

With the session auth, Piccolo API has a function called session_login, which returns a Starlette HTTPEndpoint.

As FastAPI is built on top of Starlette, you can just mount this login endpoint within your FastAPI app like this:

app = FastAPI()

app.mount(
    path="/login/",
    app=session_login(
        auth_table=BaseUser,  # Or some subclass of BaseUser
        session_table=SessionsBase,   # Or some subclass of BaseUser
        redirect_to='/',
    ),
)

For your use case, it sounds like you want to create a session for the user straight after they create an account. You could do something like this:

@app.post("/auth/register")
async def create_user(user: BaseUserPydantic):
    try:
        user = BaseUser(**user.__dict__)
        await user.save().run()

        session = await SessionsBase.create_session(user_id=user.id)

        response = Response(status_code=200)

        response.set_cookie(
            key='id',
            value=session.token,
            httponly=True,
            secure=True, # if in production, otherwise False
            samesite="lax",
        )
        return response

    except Exception:
        return Response(status_code=500)

You then wrap any endpoints you want to protect using the SessionAuthMiddleware.

In terms of adding new columns to BaseUser, you can inherit from it and add more columns to it. Or create a separate table called something like Profile, with a foreign key to BaseUser.

Does that help?

[heliumbrain]

Thanks! I think create_session and set_cookie is exactly what I need. I'll give it a shot and let you know

[heliumbrain]

It seems to work, yay! I kept my register endpoint as is and moved it in to a login endpoint (with a custom Pydantic class for SwaggerUI docs purposes):

@app.post("/auth/login")
async def login_user(user: UserLoginPydantic):
    user: int = await BaseUser.login(username=user.username, password=user.password)

    session = await SessionsBase.create_session(user_id=user)

    response = Response(status_code=200)

    response.set_cookie(
        key="id",
        value=session.token,
        httponly=True,
        secure=True,  # if in production, otherwise False
        samesite="lax",
    )
    return response

It's not pretty (yet) but it works. The token is created properly and it's passed as a Cookie in my browser when trying it from the frontend.

Regarding extension of the BaseUser. I created a separate class Profile like so:

class Profile(BaseUser, tablename="piccolo_user"):
    country = Varchar(length=60, null=True)

Can I somehow tell the migrations app that - "Hey, there's actually someone else using that table as well!"? When I auto-migrated it added all the columns. Not a big deal since it's really easy to tweak before pushing the migration. Just want to know if I'm missing something.

I'll carry on my implementation as "vanilla" FastAPI as possible, and hopefully it can be a nice base for #67

Thanks for the help