gws.base.auth.sql_provider

Base provider for SQL-based authorization.

SQL-based authentication works by executing SELECT queries against a SQL provider.

The “authorization” query receives the parameters “username”, “password”, and/or “token” from an authentication method. If the query doesn’t return any rows, the next authentication provider is attempted. Otherwise, exactly one row should be returned with at least the following columns:

  • validuser (bool) - mandatory, should be “true” if the user is allowed to log in

  • validpassword (bool) - mandatory, should be “true” if the password is valid

  • uid - mandatory, user id

  • roles - optional, comma-separated list of roles

  • displayname - optional, user’s display name

  • login - optional, user’s login name

If more columns are returned, they become attributes of the User object and can be used for templating.
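The row contract above, sketched as an added example (not GWS source code). The names `interpret_rows`, `outcome`, `UserRecord`, `BadQuery` and `Denied` are hypothetical, and rejecting multi-row results and non-boolean flags is this example's fail-closed assumption rather than documented GWS behaviour.

```python
# Added illustration of the authorization row contract; not GWS source code.
# All names here are hypothetical; the sample row is constructed.
from dataclasses import dataclass, field

MANDATORY = ("validuser", "validpassword", "uid")
KNOWN = MANDATORY + ("roles", "displayname", "login")

class BadQuery(Exception):
    """The query result does not satisfy the documented contract."""

class Denied(Exception):
    """A row matched, but validuser or validpassword is not true."""

@dataclass
class UserRecord:
    uid: str
    roles: list
    displayname: str
    login: str
    attributes: dict = field(default_factory=dict)

def interpret_rows(rows):
    """Return None (try the next provider) or a UserRecord; raise otherwise."""
    if not rows:
        return None
    if len(rows) != 1:  # assumption: ambiguous results are rejected
        raise BadQuery(f"expected exactly one row, got {len(rows)}")
    row = rows[0]
    missing = [c for c in MANDATORY if c not in row]
    if missing:
        raise BadQuery("missing mandatory columns: " + ", ".join(missing))
    # Fail closed: only a real boolean True passes. A text column holding
    # 'false' would be truthy in Python and must not count as valid.
    if row["validuser"] is not True or row["validpassword"] is not True:
        raise Denied("login refused")
    roles = [r.strip() for r in (row.get("roles") or "").split(",") if r.strip()]
    extra = {k: v for k, v in row.items() if k not in KNOWN}
    return UserRecord(str(row["uid"]), roles, row.get("displayname") or "",
                      row.get("login") or "", extra)

def outcome(rows):
    """Map the three possible results to a label, for logging or tests."""
    try:
        user = interpret_rows(rows)
    except Denied:
        return "denied"
    except BadQuery:
        return "bad-query"
    return "next-provider" if user is None else "ok"

SAMPLE = {"uid": 7, "validuser": True, "validpassword": True,
          "roles": "editor, viewer,", "login": "jdoe", "department": "gis"}
```

Rows are passed as dictionaries keyed by column name, one per result row, so the function is independent of the database driver.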

The “getUser” query receives user ID as a parameter and should return a record for this user.

Example configuration (assuming Postgres with pgcrypto):

auth.providers+ {
    type "sql"

    authorizationSql '''
        /* "user" is a reserved word in Postgres, so the table name is quoted */
        SELECT
            "user".id
                AS uid,
            "user".first_name || ' ' || "user".last_name
                AS displayname,
            "user".login
                AS login,
            "user".is_enabled
                AS validuser,
            ( passwd = crypt({{password}}, passwd) )
                AS validpassword
        FROM
            public."user"
        WHERE
            "user".login = {{username}}
    '''

    getUserSql '''
        SELECT
            "user".id
                AS uid,
            "user".first_name || ' ' || "user".last_name
                AS displayname,
            "user".login
                AS login
        FROM
            public."user"
        WHERE
            "user".id = {{uid}}
    '''
}

Source code: gws.base.auth.sql_provider

Module Contents

class gws.base.auth.sql_provider.Config

Bases: gws.base.auth.provider.Config

SQL-based authorization provider

dbUid: str | None

Database provider uid

authorizationSql: str

Authorization SQL statement

getUserSql: str

User data SQL statement

class gws.base.auth.sql_provider.Placeholders

Bases: gws.Enum

Enumeration type.

Despite being declared as extending Enum (for IDE support), this class is actually just a simple object and intended to be used as a collection of attributes. It doesn’t provide any Enum-specific utilities.

The rationale behind this is that we need Enum members (e.g. Color.RED) to be scalars, and not complex objects as in the standard Enum.

username = 'username'
password = 'password'
token = 'token'
uid = 'uid'

class gws.base.auth.sql_provider.Columns

Bases: gws.Enum

Enumeration type.

Despite being declared as extending Enum (for IDE support), this class is actually just a simple object and intended to be used as a collection of attributes. It doesn’t provide any Enum-specific utilities.

The rationale behind this is that we need Enum members (e.g. Color.RED) to be scalars, and not complex objects as in the standard Enum.

validuser = 'validuser'
validpassword = 'validpassword'
uid = 'uid'
roles = 'roles'
displayname = 'displayname'
login = 'login'

class gws.base.auth.sql_provider.Object

Bases: gws.base.auth.provider.Object

dbProvider: gws.DatabaseProvider
authorizationSql: str
getUserSql: str

configure()
authenticate(method, credentials)
get_user(local_uid)