How to achieve multiple authetication middlewares

[Murtagy]

I am doing server side session authentication. I have 2 groups of users - "users" / administrators and customers. A person may be an administrator and user same time. So these are 2 different entities.
I want to have sessions of users in 1 folder, and sessions of final customers in the other.
So 1 "app" needs to operate on e.g. usual "session" cookie and a folder called "user_sessions".
Another "app" needs to operate on e.g. "customer_session" cookie and a folder called "customer_sessions".
What building blocks can help to achieve this?

[peterschutt]

My first instinct would be to use a single auth mw, and use roles to authorize routes.

Something like this:

from typing import Any, Dict, Optional, Set

import msgspec
from typing_extensions import Annotated, TypeAlias

from litestar import Litestar, Request, get, post
from litestar.connection import ASGIConnection
from litestar.dto import DTOData, DTOField, Mark, MsgspecDTO
from litestar.exceptions import NotAuthorizedException, PermissionDeniedException
from litestar.handlers import BaseRouteHandler
from litestar.middleware.session.client_side import ClientSideSessionBackend, CookieBackendConfig
from litestar.security.session_auth import SessionAuth
from litestar.testing import TestClient
from litestar.types import Guard

AnyConnection: TypeAlias = ASGIConnection[Any, Any, Any, Any]


class User(msgspec.Struct):
    name: str
    roles: Annotated[Set[str], DTOField(mark=Mark.PRIVATE)]


MOCK_DB: Dict[str, User] = {
    "only-admin": User(name="only-admin", roles={"admin"}),
    "admin-and-customer": User(name="admin-and-customer", roles={"admin", "customer"}),
    "only-customer": User(name="only-customer", roles={"customer"}),
}


async def retrieve_user_handler(session: Dict[str, Any], _: AnyConnection) -> Optional[User]:
    user_name = session.get("user_name")
    return MOCK_DB.get(user_name or "")


@post("/login", dto=MsgspecDTO[User])
async def login(data: DTOData[User], request: Request[Any, Any, Any]) -> User:
    user_name = data.as_builtins()["name"]

    try:
        user = MOCK_DB[user_name]
    except KeyError as e:
        raise NotAuthorizedException from e

    request.set_session({"user_name": user.name, "admin_data": {"hits": 0}, "customer_data": {"hits": 0}})
    return user


def create_guard(permissions: Set[str]) -> Guard:
    def guard(request: AnyConnection, _: BaseRouteHandler) -> None:
        if not request.user or not permissions.issubset(request.user.roles):
            raise PermissionDeniedException

    return guard


@get("/customer-only", guards=[create_guard({"customer"})], sync_to_thread=False)
def for_customers(request: Request[User, Any, Any]) -> Dict[str, Any]:
    session = request.session
    session["customer_data"]["hits"] += 1
    return {"customer-data-for": request.user.name, "hits": session["customer_data"]["hits"]}


@get("/admin-only", guards=[create_guard({"admin"})], sync_to_thread=False)
def for_admins(request: Request[User, Any, Any]) -> Dict[str, Any]:
    session = request.session
    session["admin_data"]["hits"] += 1
    return {"admin-data-for": request.user.name, "hits": session["admin_data"]["hits"]}


session_auth = SessionAuth[User, ClientSideSessionBackend](
    retrieve_user_handler=retrieve_user_handler,
    session_backend_config=CookieBackendConfig(secret=b"the-super-secret"),
    exclude=["/login"],
)


app = Litestar(
    route_handlers=[login, for_admins, for_customers],
    on_app_init=[session_auth.on_app_init],
    openapi_config=None,
    debug=True,
)


def test_no_user() -> None:
    with TestClient(app) as client:
        response = client.get("/admin-only")
        assert response.status_code == 401

        response = client.get("/customer-only")
        assert response.status_code == 401


def test_admin_only_user() -> None:
    with TestClient(app) as client:
        response = client.post("/login", json={"name": "only-admin"})
        assert response.json() == {"name": "only-admin"}

        response = client.get("/admin-only")
        assert response.status_code == 200
        assert response.json() == {"admin-data-for": "only-admin", "hits": 1}

        response = client.get("/customer-only")
        assert response.status_code == 403


def test_customer_only_user() -> None:
    with TestClient(app) as client:
        response = client.post("/login", json={"name": "only-customer"})
        assert response.json() == {"name": "only-customer"}

        response = client.get("/admin-only")
        assert response.status_code == 403

        response = client.get("/customer-only")
        assert response.status_code == 200
        assert response.json() == {"customer-data-for": "only-customer", "hits": 1}


def test_admin_and_customer_user() -> None:
    with TestClient(app) as client:
        response = client.post("/login", json={"name": "admin-and-customer"})
        assert response.json() == {"name": "admin-and-customer"}

        response = client.get("/admin-only")
        assert response.status_code == 200
        assert response.json() == {"admin-data-for": "admin-and-customer", "hits": 1}

        response = client.get("/customer-only")
        assert response.status_code == 200
        assert response.json() == {"customer-data-for": "admin-and-customer", "hits": 1}

I want to have sessions of users in 1 folder, and sessions of final customers in the other.

By this, I assume that you mean you'd have the admin routes organized in a separate directory from the customer routes. In this case, you could register the guard on a router that represented the tree of routes for that permission group, instead of directly on the handler like in the example.

[Murtagy]

Great answer and examples! Thank you.

The roles approach seems not fit my case as the "User" is not shared entity.

For illustration imagine Amazon the book store.
You have sellers, owners of the shop. They register with their business details, they administrate the shop and get the bills. e.g They log in using their username and password, we issue them a session.

There are customers, which login with e.g. Google auth and we craft them a session. They shop, put goods into basket, pay with credit card, etc.

In my website I expect that administrators may be themselves customers on the same device. And they are not doing that as a part of their business, that is simply the same device used.
So I thought of routes under /business/* have one session and /shop/* have another session. If I have a common session and use data on it to identify customer or shop owner - then I basically need to put a sub-session into it. And I can not log user out in only /business easily.

I will test an approach of controller specific auth middleware for that purpose, but I am not sure if mechanisms as request.set_session work well with that approach

[Murtagy]

I think the following acts as I expect, although I am not sure if there is a better way or if I do the thing "by the book".

from typing import Any, Dict, Optional

import msgspec
from typing_extensions import TypeAlias

from litestar.stores.file import FileStore
from litestar import Litestar, Request, get, post, Controller
from litestar.connection import ASGIConnection
from litestar.dto import DTOData, MsgspecDTO
from litestar.exceptions import NotAuthorizedException
from litestar.middleware.session.server_side import ServerSideSessionBackend, ServerSideSessionConfig
from litestar import  Router

from litestar.security.session_auth import SessionAuth
from litestar.testing import TestClient

AnyConnection: TypeAlias = ASGIConnection[Any, Any, Any, Any]


class Customer(msgspec.Struct):
    customer_id: str


class Business(msgspec.Struct):
    business_id: str



MOCK_DB_CUSTOMERS: Dict[str, Customer] = {
    "1": Customer('1')
}

MOCK_DB_BUSINESS: Dict[str, Business] = {
    "A": Business('A')
}



async def retrieve_customer_handler(session: Dict[str, Any], _: AnyConnection) -> Optional[Customer]:
    return MOCK_DB_CUSTOMERS.get(session.get("customer_id") or "")


async def retrieve_business_handler(session: Dict[str, Any], _: AnyConnection) -> Optional[Business]:
    return MOCK_DB_BUSINESS.get(session.get("business_id") or "")



customer_session_auth = SessionAuth[Customer, ServerSideSessionBackend](
    retrieve_user_handler=retrieve_customer_handler,
    session_backend_config=ServerSideSessionConfig(store='customer_sessions', key='customer_session'),
)
business_session_auth = SessionAuth[Customer, ServerSideSessionBackend](
    retrieve_user_handler=retrieve_business_handler,
    session_backend_config=ServerSideSessionConfig(store='business_sessions', key='business_session'),
)


class CustomerController(Controller):
    middleware = [customer_session_auth.middleware]
    
    @get('/')
    def handler(self, request: Request) -> None:
        return None


    @post("/login_customer", dto=MsgspecDTO[Customer], exclude_from_auth=True)
    async def login_customer(self, data: DTOData[Customer], request: Request[Any, Any, Any]) -> Customer:
        # I skipped locating the customer and actual auth stuff, just provide an id of user to login (example only)
        customer_id = data.as_builtins()['customer_id']
        try:
            customer = MOCK_DB_CUSTOMERS[customer_id]
        except KeyError as e:
            raise NotAuthorizedException from e

        request.set_session({"customer_id": customer_id})
        return customer



class BusinessController(Controller):
    middleware = [business_session_auth.middleware]
    
    @get('/', sync_to_thread=False)
    def handler(self, request: Request) -> None:
        return None

    @post("/login_business", dto=MsgspecDTO[Business], exclude_from_auth=True)
    async def login_business(self, data: DTOData[Business], request: Request[Any, Any, Any]) -> Business:
        # I skipped locating the business and actual auth stuff, just provide an id of user to login (example only)
        business_id = data.as_builtins()['business_id']
        try:
            business = MOCK_DB_BUSINESS[business_id]
        except KeyError as e:
            raise NotAuthorizedException from e

        request.set_session({"business_id": business_id})
        return business


app = Litestar(
    route_handlers=[
        Router('/b', route_handlers=[BusinessController]),
        Router('/c', route_handlers=[CustomerController]),
    ],
    # on_app_init=[session_auth.on_app_init],
    openapi_config=None,
    debug=True,
    stores={
        "business_sessions": FileStore('/tmp/business_sessions'),
        "customer_sessions": FileStore('/tmp/customer_sessions')
    }
)


def test_no_user() -> None:
    with TestClient(app) as client:
        response = client.get("/c/")
        assert response.status_code == 401

        response = client.get("/b/")
        assert response.status_code == 401


def test_business_only_user() -> None:
    with TestClient(app) as client:
        response = client.post("/b/login_business", json={"business_id": "A"})
        assert response.status_code == 201

        response = client.get("/b")
        assert response.status_code == 200

        response = client.get("/c")
        assert response.status_code == 401


def test_customer_only_user() -> None:
    with TestClient(app) as client:
        response = client.post("/c/login_customer", json={"customer_id": "1"})
        assert response.status_code == 201

        response = client.get("/b")
        assert response.status_code == 401

        response = client.get("/c")
        assert response.status_code == 200

def test_business_and_customer_user() -> None:
    with TestClient(app) as client:
        response = client.post("/b/login_business", json={"business_id": "A"})
        assert response.status_code == 201
        
        response = client.post("/c/login_customer", json={"customer_id": "1"})
        assert response.status_code == 201

        response = client.get("/b")
        assert response.status_code == 200

        response = client.get("/c")
        assert response.status_code == 200