
I am making a Facebook login feature in my FastAPI/Starlette app, and have a problem with it.

I see Starlette provides some documentation on how to do authentication: https://www.starlette.io/authentication/

But with SSO, I would expect to log in a user in a redirect callback endpoint's view. It seems, however, that Starlette only wants me to validate/log in the user in the middleware's backend, and not directly in the view like you do, for example, in Django.

What would be the solution to that?

In Django I could do just login(user, request). And here Starlette seems to force me to do it in the Middleware.

tikej
  • The backend shown is for handling Basic authentication - which is an HTTP header in every request. The correct location to handle this is _in a middleware_. Instead you might want to check out FastAPI's authentication tutorial, where the verification of the login happens in a view like you expect: https://fastapi.tiangolo.com/tutorial/security/simple-oauth2/ – MatsLindh Dec 01 '21 at 11:09
  • @MatsLindh, isn't this more for being an oauth service for another app? They seem to check passwords, so this is the part that in my case the Facebook would do... – tikej Dec 01 '21 at 17:44
  • also they are RETURNING the access token, which in my case I would be receiving, not returning it – tikej Dec 01 '21 at 17:46
  • You'd do the same thing: redirect to the provider, receive a callback token to a view, then verify that token with the endpoint. The point of my comment wasn't to say that this was the way to handle OAuth2 logins with a third party, but to show how you'd implement authentication without it being a middleware (which was an assumption you made in your question) – MatsLindh Dec 01 '21 at 18:18
  • Okay, but then again, where would I keep the state that the user is logged in? I can do it as they describe it in the tutorial, using that Depends, but then at every "protected" endpoint access I would need to re-request the token from Facebook, so you'd make double the requests... I am thinking now about keeping the value of "user_logged" in the session after the first time that I receive the token, and then, for example, checking it in the Backend (if it has access to the session), or just making a custom decorator which will check if "user_logged" in the session is not None, but wo... – tikej Dec 02 '21 at 15:20
  • but wonder if it is actually good from the security perspective... – tikej Dec 02 '21 at 15:20

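The flow discussed in the comments, as an added example that is not part of the question or of Starlette itself: the callback view logs the user in by writing to the session, and an `authenticate(conn)`-style backend reads the session on later requests without calling the provider again. It is written framework-free so it runs stand-alone; `Conn` is a constructed stand-in for Starlette's `HTTPConnection` (whose `.session` comes from `SessionMiddleware`, a signed cookie), and `fetch_user_id` stands in for the code-for-token exchange with the provider.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Conn:
    """Constructed stand-in for starlette.requests.HTTPConnection."""
    session: dict = field(default_factory=dict)      # what SessionMiddleware provides
    query_params: dict = field(default_factory=dict)


def begin_login(conn: Conn) -> str:
    """Login view: mint a one-time 'state' nonce, keep it in the session and
    return it for the redirect URL. The callback must echo it back, which is
    what stops a forged or replayed callback from logging someone in."""
    state = secrets.token_urlsafe(32)
    conn.session["oauth_state"] = state
    return state


def finish_login(conn: Conn, fetch_user_id: Callable[[str], Optional[str]]) -> bool:
    """Redirect-callback view: the equivalent of Django's login(request, user).
    fetch_user_id is the provider call (assumption: returns the provider's
    user id for a valid code, None otherwise)."""
    expected = conn.session.pop("oauth_state", None)     # single use
    received = conn.query_params.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        return False
    code = conn.query_params.get("code")
    user_id = fetch_user_id(code) if code else None
    if not user_id:
        return False
    # Record *who* is logged in, not just a "user_logged" flag, so protected
    # endpoints can identify the user without re-requesting the token.
    conn.session.clear()                                 # drop pre-login data
    conn.session["user_id"] = user_id
    return True


class SessionBackend:
    """What an AuthenticationBackend.authenticate(conn) would do per request:
    trust the signed session cookie; no round trip to the provider."""

    def authenticate(self, conn: Conn) -> Optional[str]:
        return conn.session.get("user_id")


def logout(conn: Conn) -> None:
    conn.session.clear()
```

Because the session lives in a signed cookie, this is only as trustworthy as the `SessionMiddleware` secret key and the cookie's `https_only`/`max_age` settings.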