Passing on st.session_state["password"] for further POST/Login request, but safely?
Hi, instead of authenticating against the local config.yaml as showcased in the part 1 - streamlit authenticator tutorial, my use case would be passing on:
- user's email
- user's password
to the body of a POST/Login request, to access a 3rd-party service that, when authentication succeeds, spits back a token that expires after x hours.
For now, I locally modded the login method within the Authenticate class as follows (which I believe is not good practice...) as it reveals the password when unpacking...
```python
def login(self, form_name: str, location: str='main') -> tuple:
    ...
    login_form.subheader(form_name)
    self.username = login_form.text_input('Username').lower()
    st.session_state['username'] = self.username
    self.password = login_form.text_input('Password', type='password')
    st.session_state['password'] = self.password
    if login_form.form_submit_button('Login'):
        self._check_credentials()
    return st.session_state['name'], st.session_state['authentication_status'], st.session_state['username'], st.session_state['password']
```
Note, as a less worse measure, I also tried to use the hasher instead of the bare self.password, but couldn't figure it out...
As I write I'm thinking I could try to "plug" an intermediary custom method within the class definition, that would somehow capture the prompted credentials at submit time. Has anyone encountered the same use case and/or difficulty? If so, how would you or how did you treat it?
Thanks in advance,
@alicecommits I opened https://github.com/mkhorasani/Streamlit-Authenticator/issues/65 describing a similar problem. I also posted there a workaround that I am currently using. You can check it.
Hi @Ota-Sandr-MamaAI, I had checked your issue indeed. I wasn't sure back then that my query was related, so I opened this issue. I can try and template my idea based on your workaround. Thanks :)
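An added example (not part of the original thread and not Streamlit-Authenticator code) for the use case in the opening post: the password is handed straight to the login call, and only the returned token and its expiry are kept in session state. The `post_login` callable, the `{"token", "expires_in"}` response shape and the `token` / `token_expires_at` keys are assumptions made for illustration.

```python
import time
from typing import Callable, MutableMapping, Optional

# Assumption: post_login(email, password) performs the POST/Login request and
# returns {"token": str, "expires_in": seconds} on success, or None on failure.
LoginCall = Callable[[str, str], Optional[dict]]

SESSION_KEYS = ("authentication_status", "username", "token", "token_expires_at")


def logout(state: MutableMapping) -> None:
    """Remove everything this module stores, plus any stray password copy."""
    for key in SESSION_KEYS + ("password",):
        state.pop(key, None)


def login_with_remote(state: MutableMapping, email: str, password: str,
                      post_login: LoginCall,
                      now: Callable[[], float] = time.time) -> bool:
    """Exchange credentials for a token; persist only the token and its expiry.

    `state` is any dict-like session store, e.g. st.session_state.
    The password stays a local variable and is never written to `state`.
    """
    state.pop("password", None)  # drop a copy left by a widget key or older code
    reply = post_login(email, password) if email and password else None
    if not reply or "token" not in reply:
        logout(state)
        state["authentication_status"] = False
        return False
    state["username"] = email.lower()
    state["token"] = reply["token"]
    state["token_expires_at"] = now() + float(reply["expires_in"])
    state["authentication_status"] = True
    return True


def current_token(state: MutableMapping,
                  now: Callable[[], float] = time.time,
                  skew: float = 30.0) -> Optional[str]:
    """Return the token while it is still valid; otherwise clear the session
    so the app falls back to the login form instead of replaying a password."""
    if state.get("token") and now() < state.get("token_expires_at", 0.0) - skew:
        return state["token"]
    logout(state)
    return None
```

In a Streamlit app, `login_with_remote` would be called inside the `form_submit_button` branch with the two `text_input` values, and the widgets should not be given a `key` of `"password"`, since keyed widget values are stored in `st.session_state`.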