Check if the user is logged before accessing pages
I've noticed that there is no way to check if access to a page is allowed, maybe after a login. I would like to know if there is a way to prevent a non-logged user from accessing pages, either with a 403 error or with a redirect. Thanks.
I think pc.redirect could work for this, where you check if the user is logged in before redirecting. In terms of not loading the page, you could check if the user is logged in before loading any data on the page.
If you want something more robust like prohibiting pages based on something in your state I can look into implementing this.
You can just use this:

    if request.user.is_authenticated:
        # redirect
    else:
        # 403 page
> I think pc.redirect could work for this, where you check if the user is logged in before redirecting. In terms of not loading the page, you could check if the user is logged in before loading any data on the page.
> If you want something more robust like prohibiting pages based on something in your state I can look into implementing this.
Thanks for your answer.
Yes, with pc.redirect we can do this. But I'm looking for a way to prohibit access to pages if navigated to from the URL directly.
I will try to explain better.
I have, for example, a login page at /login and a main page at /main.
The user must log in before entering the main page. If they navigate to /main, they can see the page, even without data, but the structure of the page with hardcoded data is also exposed, and I think that this is not good.
I've tried this, but I don't know if there is a better solution.

    return pc.cond(State.is_logged, home(), error403())

where is_logged is a boolean variable set to True after the login.
> You can just use this:
>
>     if request.user.is_authenticated:
>         # redirect
>     else:
>         # 403 page
Where should I use this, inside the auth method? But if I go directly to the link? That's my problem. I want to prevent users from accessing some pages without auth.
> Where should I use this, inside the auth method? But if I go directly to the link? That's my problem. I want to prevent users from accessing some pages without auth.
You would need to utilize cookies for that. As far as I know, Pynecone does not support that at the moment, if ever. Pynecone is not a suitable framework for websites that have authentication. I don't understand why some people like Line Indent do tutorials on a login page, and why Pynecone advertises it, when it isn't really useful anyway because anyone could just skip to the next URL.
@HellAmbro I think your method of using the cond makes sense. You can add an on_load event to your page that will trigger when the page loads - and it can redirect them if they are not logged in. This can prevent them from accessing the page.
@nshout We're still pretty new but our goal is to support all features of traditional webdev, including cookies in the future.
> @HellAmbro I think your method of using the cond makes sense. You can add an on_load event to your page that will trigger when the page loads - and it can redirect them if they are not logged in. This can prevent them from accessing the page.
> @nshout We're still pretty new but our goal is to support all features of traditional webdev, including cookies in the future.
Thanks, I've tried but it doesn't seem to work, maybe I was wrong.

    app.add_page(home, on_load=State.is_authenticated)

    class State(pc.State):
        username: str
        logged_in: bool = False

        def is_authenticated(self):
            if not self.logged_in:
                return pc.redirect("/403")

logged_in is correctly set (I've followed the Twitter example) if I log in, but when I try to navigate to /home the page is still loaded.
How can I fix that and redirect the user to the error page?
Thanks
@HellAmbro I think the way you are doing it is correct.
However, on_load event chains are still broken (the function executes, but not the one chained, in your case pc.redirect), so once this is fixed it will work.
@Alek99
pc.redirect doesn't do anything if it is in "State" and loaded from an on_load in add_page. (Chained)
The label is not "enhancement" at this point anymore, it's a "bug"/"needs investigation". I have not seen this issue as an already reported issue; if it is, apologies.
As seen on this code by @HellAmbro

    class State(pc.State):
        username: str
        logged_in: bool = False

        def is_authenticated(self):
            if not self.logged_in:
                return pc.redirect("/403")

And as stated by @Lendemor
> However, on_load event chains are still broken (the function executes, but not the one chained, in your case pc.redirect), so once this is fixed it will work.
@picklelo
> @nshout We're still pretty new but our goal is to support all features of traditional webdev, including cookies in the future.
I totally understand that, I forgot how new Pynecone actually is and that it's not ready for production as of now. I truly have high hopes, as Pynecone seems to enable what many Python devs are looking for or are dreaming of.
Apologies to everyone that I tagged.
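
The check this thread asks for (refuse /main before any page structure is sent, even when the URL is typed directly) has to run on the server and be keyed on something the browser presents with every request. As an added example, not code from the thread and not Pynecone's API, here is a plain WSGI middleware that does this with an HMAC-signed session cookie; the key, the cookie name `session` and the `pages` stand-in app are assumptions.

```python
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie

SECRET = b"constructed-demo-key"  # assumption: a real key comes from configuration
PROTECTED = {"/main", "/home"}    # the gated paths mentioned in the thread


def _mac(username: str) -> str:
    return hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()


def sign(username: str) -> str:
    """Cookie value issued by the login handler after a successful login."""
    return f"{username}.{_mac(username)}"


def verified_user(cookie_header: str):
    """Return the username if the session cookie has a valid MAC, else None."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except CookieError:
        return None
    morsel = cookie.get("session")
    if morsel is None:
        return None
    username, _, mac = morsel.value.rpartition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(username).encode())
    return username if username and ok else None


def guard(app):
    """Decide on the server, before the wrapped app renders anything."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if path in PROTECTED and verified_user(environ.get("HTTP_COOKIE", "")) is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"403 Forbidden"]
        return app(environ, start_response)
    return wrapped


def pages(environ, start_response):
    """Hypothetical stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"page for " + environ["PATH_INFO"].encode()]


def request(path, cookie=""):
    """Drive the guarded app once and return (status, body)."""
    seen = {}
    body = b"".join(guard(pages)({"PATH_INFO": path, "HTTP_COOKIE": cookie},
                                 lambda status, headers: seen.update(status=status)))
    return seen["status"], body
```

The signed value here never expires and is not bound to a server-side session record; a deployment would add an expiry inside the signed payload and set the cookie with HttpOnly, Secure and SameSite.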