Show community: starlette-auth-toolkit

Hey,

I know there have been discussions on expanding Starlette’s security features, in particular password hashing (discussed in depth here and here).

I’ve also seen that security is a hard topic to tackle from Starlette’s perspective, because it touches so many subtle topics and making just too many assumptions can make or break its reusability in other situations.

Some time ago I started experimenting with building an external library to address security/authentication for Starlette-based apps. and frameworks.

The general idea behind starlette-auth-toolkit is to build on top of Starlette’s authentication abstractions, be as agnostic of the storage and user layers as possible, and provide shortcuts for some common use cases as well.

The first step was providing a basic implementation of the Basic Auth flow. In the past few days, and after a lot of API tinkering, I’ve added support for more flows and but also password hashing and a few other helpers, as well as integration with orm.

The too-specific character of the requires() decorator hinted in #574 could be IMO resolved by turning it into a base helper into starlette-auth-toolkit — a base implementation which lets the user (framework builders, app integrators, etc) define the specifics of. One example of this concept is the already implemented BaseAuthenticate helper for building authenticate()-like utility functions.

Anyway, I’d love to have anyone’s thoughts on this concept, the current features and how this could fit in the Starlette/async Python web ecosystem. :raised_hands:

Repo + docs are here: https://github.com/florimondmanca/starlette-auth-toolkit

3 Likes

I drafted what a more generic requires() decorator (working at the ASGI level) could look like here: https://github.com/florimondmanca/starlette-auth-toolkit/issues/20

1 Like