Optionally authenticated route

[J-Moravec]

I have implemented JWTCookieAuth authentication as per tutorials:

https://docs.litestar.dev/2/usage/security/jwt.html

Now, for my app, I would like to redirect user if they are or are not authenticated or appropriate pages, for instance:

get("/")
def index(request: Request[Any, Any, Any]) -> Redirect:
   if(hasattr(request.user) and request.user is not None:
       return Redirect("/app")
   return Redirect("/login")

which, if user is already logged, redirect user to App. If not, it redirects user to a login page.

Or consider an endpoint /me which could return user name if user is logged and None otherwise.

The problem I am getting is that:

1. If route is using authentication middleware, it is not accessible for authentication access (duh)
2. If route is not using authentication middleware, it will throw misconfiguration exception if user is even trying to be accessed, irrespective if the user is or is not already authenticated, and as I understand it, the user is not even injected into the request even if the user is authenticated.

How are these cases handled? I briefly looked at guards, but haven't tried to implement them yet.

There is question on Stackoverflow, but so far without answers.

https://stackoverflow.com/questions/79828650/how-to-enable-endpoints-with-optional-authentication-using-the-litestar-framewor

[JacobCoffee]

Right off hand I can only think of using a custom auth middleware or maybe guards to exclude a few routes like /me, /, /login, etc. but @provinzkraut or others may have better ideas!

[provinzkraut]

Would the exclude_from_auth=True opt not work for your case?

[J-Moravec]

I already excluded the endpoint from the auth middleware within the middleware using the exclude option (https://docs.litestar.dev/2/usage/security/excluding-and-including-endpoints.html or https://docs.litestar.dev/2/usage/security/jwt.html).

Due to this, and correct me if I am wrong, the route doesn't get "user" injected and specifically throws an error if it is attempted to be accessed, regardless if the user is authenticated or not.

So far I solved it by checking the presence of user token in cookies and redirecting as needed, but this inability to check if the user is or isn't authenticated prevents me from simple checks and i.e. making the classic headbar with "signup / login" when user is not logged and "profile / logout" when user is logged.

I could store the token in the user information (which might solve token revocation) and make checks that way I guess.

I tried to look at the fullstack app, but there is a bit too many abstractions and indirection for my taste.

[provinzkraut]

Ah, got it. The way I do it usually looks something like this:

async def provide_user(request: Request) -> User | None:
    if "user" in request.scope:
        return request.user
    return None

@get("/")
async def index(user: User | None)
    if user is None:
        return Redirect("/login")
    return Redirect("/app")
 
app = Litestar(
    route_handlers=[index],
    dependencies={"user": provide_user},
)

[J-Moravec]

Ah, interesting, haven't checked the dependencies yet.

I tried to examine the request.scope itself within index, but didn't look like it is carrying user even when authenticated.

[provinzkraut]

I tried to examine the request.scope itself within index, but didn't look like it is carrying user even when authenticated.

I'm quite sure it does, since all request.user does is check the same thing before accessing it:

litestar/litestar/connection/base.py

Lines 249 to 252 in 971ee79

	if "user" not in self.scope:
	raise ImproperlyConfiguredException("'user' is not defined in scope, install an AuthMiddleware to set it")
	return cast("UserT", self.scope["user"])

[Isgotkowitz]

I put this answer on StackOverflow, but I'll reiterate here as well.

My solution to this was to set exclude_from_auth=True on the endpoint, and define a function to check the request for a valid token and authorize the requester if one was found.

def authenticate_manually(request: Request) -> User | None:
    auth_header = request.headers.get("Authorization", "")
    if not auth_header.startswith("Bearer "):
        return None

    try:
        token_str = auth_header[7:]
        token = Token.decode(
            token_str, settings.JWT_SECRET, algorithm=settings.JWT_ALGORITHM
        )
        DB.get_user(token.sub)
    except (KeyError, ValueError, NotFoundException):
        return None


@get("/some-path", exlude_from_auth=True)
def some_route_handler(request: Request[User, Token, Any]) -> Any:
    user = authenticate_manually(request)
    if user:
        pass  # Set some data based on the user
    else:
        pass  # Set data to a hardcoded value

I like @provinzkraut's idea, it is probably possible to rework this as a dependency which would be a cleaner solution IMO.