Add SQL authenticator #508
Conversation
Hey, wow, that's cool! How do you feel about using
Would it make sense to also add a password salt for extra security?
yeah I was hoping that
Glad you like it. 🙂 Thanks for pointing me to
Yes, I think so too: https://passlib.readthedocs.io/en/stable/#welcome
@wolfv, I've added do you have a preferred way of testing this? The way I see it is that we'd need a SQL server running in a separate container. Alternatively, we could test with
Hey, I didn't check deeply before, but I am just wondering now if you want to use a different database on purpose? Because you can also create a new table for your plugin and use that table as part of the Quetz SQL database for the storage of the authentication information. E.g. here is another plugin creating a table: https://github.com/mamba-org/quetz/blob/main/plugins/quetz_conda_suggest/quetz_conda_suggest/db_models.py
You would also have to define a migration but that can be auto-generated: https://github.com/mamba-org/quetz/tree/main/plugins/quetz_conda_suggest/quetz_conda_suggest/migrations/versions
That's a good question. I was also thinking about using the Quetz database instead but then thought it might be useful to have this decoupled, as you might have central user management that you want to reuse here. However, I don't have a strong opinion on this (in our use case we could easily use the same DB) and hence wouldn't oppose changing this.
Nice, thanks. I'll check this out later.
plugins/quetz_sql_authenticator/quetz_sql_authenticator/__init__.py
credentials = list(session.exec(statement))
click.echo(f"WARNING: Resetting the table will delete {len(credentials)} users.")
while (
    reset_database := input("Are you sure you want to reset the table? [Y/n]")
There is click.confirm IIRC
Or click.prompt?
nice, thanks for the pointer.
Sorry, this PR has gotten a bit stale. I will try to get back to it the week after next week.
Hi @wolfv! The credentials table for the SQL authenticator is now part of the quetz database and written in Could you provide me with some more instructions on how to make the migration work, please? Once I have that part working, I'd start building some basic tests.
Sorry for ignoring the questions regarding the database migrations. I believe the quetz command line utility has some helper functions to generate initial migrations from the sqlalchemy schema (even for plugins):
This should populate the right files that are then used by
Hey Wolf! Thanks for the hint, that looks exactly right! I've been talking to @janjagusch and will work on finishing up this PR.
great!
…quetz into add-sqlalchemy-authenticator
quetz/authentication/base.py
@@ -109,7 +109,7 @@ async def authorize( | |||
user_dict = await self._authenticate(request, dao, config) | |||
|
|||
if user_dict is None: | |||
return Response("login failed") | |||
return Response("login failed", status_code=401) |
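Review bot: the status-code change sits in `authorize` in quetz/authentication/base.py, so it applies to every authenticator that inherits that method, not only the new SQL one; any caller or existing test that expects a 200 with the body "login failed" will now see a 401. Since the thread agrees this is out of scope here, drop this hunk from the PR and, when it lands separately, pair `return Response("login failed", status_code=401)` with a regression test that asserts the 401 for a failed login across the existing authenticators.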
@wolfv, this change affects all authenticators, I believe. I think previously, it would always return 200, even when the login failed. This is not strictly necessary in this PR, so if you want to can remove it/discuss it in a separate PR.
I'd suggest leaving this out for now and opening a separate PR for it. Will probably make it easier to get this PR merged.
…quetz into add-sqlalchemy-authenticator
…janjagusch/quetz into add-sqlalchemy-authenticator
plugins/quetz_sql_authenticator/tests/test_quetz_sql_authenticator.py
awesome job, @simonbohnen!
I'm unable to resolve the conversations, but that shouldn't matter I guess. @wolfv do you have any feedback on the current state? Jan's comment might be relevant.
I'm the official PR author, but it was mostly @simonbohnen's work.
Hence, I will give this an unofficial approval and proceed to merge.
Awesome work, @simonbohnen!
I've written a basic authenticator, similar to the dict authenticator, that stores credentials as sha256-hashed values in a SQL database. It also ships with CLI tools for CRUD operations on the credentials table (like creating users or updating passwords).
It's built around sqlmodel, so it should work with any kind of SQL backend. I don't know how you feel about adding more authenticator plugins, so if you feel like I should rather put this in a separate repository, feel free to close this PR.
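As an added example (not code from this PR or from quetz), here is the credential storage the thread converges on: a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library, the same idea passlib packages) instead of a bare sha256 digest, in a hypothetical `credentials` table held in SQLite via parameterised statements; the table and column names are assumptions of this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Cost parameter for PBKDF2-HMAC-SHA256; kept low so the example runs quickly,
# raise it (hundreds of thousands of iterations) for a real deployment.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation in place of a bare sha256 digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def open_credentials_db(path: str = ":memory:") -> sqlite3.Connection:
    # Hypothetical credentials table; the column names are assumptions of this example.
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS credentials ("
        "username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn

def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)  # fresh per-user salt: equal passwords never share a hash
    conn.execute(  # parameterised statement, never string-formatted
        "INSERT INTO credentials (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, _derive(password, salt)),
    )
    conn.commit()

def update_password(conn: sqlite3.Connection, username: str, new_password: str) -> bool:
    salt = os.urandom(SALT_BYTES)  # rotate the salt together with the hash
    cur = conn.execute(
        "UPDATE credentials SET salt = ?, pw_hash = ? WHERE username = ?",
        (salt, _derive(new_password, salt), username),
    )
    conn.commit()
    return cur.rowcount == 1

def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM credentials WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        _derive(password, bytes(SALT_BYTES))  # do the same work for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(_derive(password, salt), stored)  # constant-time compare
```

Because the salt is random, two users with the same password end up with different stored hashes, which is the property an unsalted sha256 column lacks.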