Flask Reference
Installation
pip install propelauth_flask
Initialize
init_auth
performs a one-time initialization of the library.
It will verify your api_key
is correct and fetch the metadata needed to verify access tokens in require_user and optional_user.
In serverless environments, it's beneficial to skip the fetch, in which case you can pass in token_verification_metadata
instead of having the library fetch it. You can find your verifier key and issuer URL in the Backend Integration page in your PropelAuth dashboard.
from propelauth_flask import init_auth
auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")
Protect API Routes
Protecting an API route is as simple as adding a decorator to the route.
None of the decorators make a external request to PropelAuth. They all are verified locally using the access token provided in the request, making it very fast.
require_user
A decorator that will verify the request was made by a valid user. If a valid access token is provided, it will return a User Class. If not, the request is rejected with a 401 status code.
from flask import Flask
from propelauth_flask import init_auth, current_user
app = Flask(__name__)
auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")
@app.route("/api/whoami")
@auth.require_user
def who_am_i():
"""This route is protected, current_user is always set"""
return {"user_id": current_user.user_id}
optional_user
Similar to require_user, except if an access token is missing or invalid, the request is allowed to continue, but current_user.exists()
will be False
.
from flask import Flask
from propelauth_flask import init_auth, current_user
app = Flask(__name__)
auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")
@app.route("/api/whoami_optional")
@auth.optional_user
def who_am_i_optional():
if current_user.exists():
return {"user_id": current_user.user_id}
return {}
current_user
A per-request value that contains user information for the user making the request. It's set by one of require_user or optional_user.
It has all the fields on the User class, as well as an exists()
method that returns True
if the user exists.
The only time exists()
will return False
is if you are using optional_user and no valid access token was provided.
If you want to take advantage of type support, you can import the User
class to define a new user variable.
from flask import Flask
from propelauth_flask import init_auth, current_user, User
app = Flask(__name__)
auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")
@app.route("/api/whoami")
@auth.require_user
def who_am_i():
user: User = current_user.user
return {"user_id": user.user_id}
Authorization / Organizations
You can also verify which organizations the user is in, and which roles and permissions they have in each organization all through the User Class.
Check Org Membership
Verify that the request was made by a valid user and that the user is a member of the specified organization. This can be done using the User class.
@app.route("/api/org/<org_id>", methods=['GET'])
@auth.require_user
def org_membership(org_id):
org = current_user.get_org(org_id)
if org == None:
# return 403 error
return f"You are in org {org.org_name}"
Check Org Membership and Role
Similar to checking org membership, but will also verify that the user has a specific Role in the organization. This can be done using either the User or OrgMemberInfo classes.
A user has a Role within an organization. By default, the available roles are Owner, Admin, or Member, but these can be configured. These roles are also hierarchical, so Owner > Admin > Member.
## Assuming a Role structure of Owner => Admin => Member
@app.route("/api/org/<org_id>", methods=['GET'])
@auth.require_user
def org_owner(org_id):
org = current_user.get_org(org_id)
if (org == None) or (org.user_is_role("Owner") == False):
# return 403 error
return f"You are in org {org.org_name}"
Check Org Membership and Permission
Similar to checking org membership, but will also verify that the user has the specified permission in the organization. This can be done using either the User or OrgMemberInfo classes.
Permissions are arbitrary strings associated with a role. For example, can_view_billing
, ProductA::CanCreate
, and ReadOnly
are all valid permissions.
You can create these permissions in the PropelAuth dashboard.
@app.route("/api/org/<org_id>", methods=['GET'])
@auth.require_user
def org_billing(org_id):
org = current_user.get_org(org_id)
if (org == None) or (org.user_has_permission("can_view_billing") == False):
# return 403 error
return f"You can view billing information for org {org.org_name}"
User
The User Class contains information about the user that made the request. It can be retrieved by using the require_user decorator.
@app.route("/api/whoami")
@auth.require_user
def who_am_i():
return {"user_id": current_user.user_id}
If you want full type support for the User Class,
- Name
user_id
- Type
- string
- Description
The unique id of the user.
- Name
org_id_to_org_member_info
- Type
- dict
- Description
A dictionary mapping from organization id to OrgMemberInfo Class.
- Name
email
- Type
- string
- Description
The email of the user.
- Name
first_name
- Type
- string
- Description
The first name of the user.
- Name
last_name
- Type
- string
- Description
The last name of the user.
- Name
username
- Type
- string
- Description
The username of the user.
- Name
properties
- Type
- dict
- Description
A dictionary of custom properties associated with the user.
- Name
legacy_user_id
- Type
- string
- Description
If the user was migrated using our Migration API, this will be the id of the user in the legacy system.
- Name
impersonator_user_id
- Type
- string
- Description
If the user is being impersonated, this is id of the user that impersonated them.
- Name
active_org_id
- Type
- string | undefined
- Description
Returns the ID of the Active Org, if the user has an Active Org set.
- Name
login_method
- Type
- object
- Description
The method the user used to log in. Returns the Login Method Property.
- Name
is_impersonated()
- Type
- bool
- Description
True if the user is being impersonated.
- Name
get_active_org()
- Type
- dict
- Description
Returns the OrgMemberInfo of the Active Org, if the user has an Active Org set.
- Name
get_active_org_id()
- Type
- string
- Description
Returns the ID of the Active Org, if the user has an Active Org set.
- Name
get_org(org_id)
- Type
- dict
- Description
Returns the org member info for the org_id, if the user is in the org.
- Name
get_org_by_name(org_name)
- Type
- dict
- Description
Returns the org member info for the org_name, if the user is in the org.
- Name
get_user_property(property_name)
- Description
Returns the user property value, if it exists.
- Name
get_orgs()
- Type
- array
- Description
Returns the orgs the user is in.
- Name
is_role_in_org(org_id, role)
- Type
- bool
- Description
Returns true if the user is the role in the org.
- Name
is_at_least_role_in_org(org_id, role)
- Type
- bool
- Description
Returns true if the user is at least the role in the org.
- Name
has_permission_in_org(org_id, permission)
- Type
- bool
- Description
Returns true if the user has the permission in the org.
- Name
has_all_permissions_in_org(org_id, permissions)
- Type
- bool
- Description
Returns true if the user has all the permissions in the org.
OrgMemberInfo
The OrgMemberInfo Class contains information about the user's membership in an organization. It can be retrieved by first getting the User Class and using either get_org()
, get_active_org()
, or get_orgs()
.
@app.route("/api/org/<org_id>", methods=['GET'])
@auth.require_user
def org_membership(org_id):
orgMemberInfo = current_user.get_org(org_id)
if orgMemberInfo == None:
# return 403 error
return f"You are in org {orgMemberInfo.org_name}"
- Name
org_id
- Type
- string
- Description
The unique id of the organization.
- Name
org_name
- Type
- string
- Description
The name of the organization.
- Name
org_metadata
- Type
- object
- Description
The metadata associated with the organization.
- Name
user_assigned_role
- Type
- string
- Description
The role of the user in the organization.
- Name
user_inherited_roles_plus_current_role
- Type
- list[string]
- Description
The role of the user within this organization plus each inherited role.
- Name
user_permissions
- Type
- list[string]
- Description
A list of permissions the user has in the organization, based on their role.
- Name
url_safe_org_name
- Type
- string
- Description
A URL-safe version of the org_name property.
- Name
user_is_role
- Type
- fn(role: string) -> bool
- Description
A function that returns true if the user has the specified role in the organization.
- Name
user_is_at_least_role
- Type
- fn(role: string) -> bool
- Description
A function that returns true if the user has at least the specified role in the organization.
- Name
user_has_permission
- Type
- fn(permission: string) -> bool
- Description
A function that returns true if the user has the specified permission in the organization.
- Name
user_has_all_permissions
- Type
- fn(permissions: list[string]) -> bool
- Description
A function that returns true if the user has all of the specified permissions in the organization.
- Name
org_role_structure
- Type
- string
- Description
The role structure set for your project. See multi roles per user for more information.
- Name
assigned_additional_roles
- Type
- list[string]
- Description
If using multiple roles per user, returns an array of roles that the user belongs to. Excludes the
user_assigned_role
.
Calling Backend APIs
You can also use the library to call the PropelAuth APIs directly, allowing you to fetch users, create orgs, and a lot more. See the API Reference for more information.
from propelauth_flask import init_auth
auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")
magic_link = auth.create_magic_link(email="test@example.com")