I’ve also seen that security is a hard topic to tackle from Starlette’s perspective, because it touches so many subtle topics and making just too many assumptions can make or break its reusability in other situations.
Some time ago I started experimenting with building an external library to address security/authentication for Starlette-based apps and frameworks.
The general idea behind starlette-auth-toolkit is to build on top of Starlette’s authentication abstractions, be as agnostic of the storage and user layers as possible, and provide shortcuts for some common use cases as well.
The first step was providing a basic implementation of the Basic Auth flow. In the past few days, and after a lot of API tinkering, I’ve added support for more flows but also password hashing and a few other helpers, as well as integration with
The too-specific character of the requires() decorator hinted at in #574 could be IMO resolved by turning it into a base helper in starlette-auth-toolkit — a base implementation which lets the user (framework builders, app integrators, etc.) define the specifics of. One example of this concept is the already implemented BaseAuthenticate helper for building authenticate()-like utility functions.
Anyway, I’d love to have anyone’s thoughts on this concept, the current features and how this could fit in the Starlette/async Python web ecosystem.
Repo + docs are here: https://github.com/florimondmanca/starlette-auth-toolkit