Flask Reference

Installation

pip install propelauth_flask

Initialize

init_auth performs a one-time initialization of the library. It will verify your api_key is correct and fetch the metadata needed to verify access tokens in require_user, optional_user, or require_org_member.

main.py

from propelauth_flask import init_auth

auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")

Protect API Routes

Protecting an API route is as simple as adding a decorator to the route.

require_user

A decorator that will verify the request was made by a valid user. If a valid access token is provided, it will return a User object. If not, the request is rejected with a 401 status code.

from flask import Flask
from propelauth_flask import init_auth, current_user

app = Flask(__name__)
auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")

@app.route("/api/whoami")
@auth.require_user
def who_am_i():
    """This route is protected, current_user is always set"""
    return {"user_id": current_user.user_id}

optional_user

Similar to require_user, except if an access token is missing or invalid, the request is allowed to continue, but current_user.exists() will be False.

from flask import Flask
from propelauth_flask import init_auth, current_user

app = Flask(__name__)
auth = init_auth("YOUR_AUTH_URL", "YOUR_API_KEY")

@app.route("/api/whoami_optional")
@auth.optional_user
def who_am_i_optional():
    if current_user.exists():
        return {"user_id": current_user.user_id}
    return {}

current_user

A per-request value that contains user information for the user making the request. It's set by one of require_user, optional_user, or require_org_member.

It has all the fields on the User class, as well as an exists() method that returns True if the user exists. The only time exists() will return False is if you are using optional_user and no valid access token was provided.


Authorization

require_org_member

A decorator that will verify that the request was made by a valid user and that the user is a member of the specified organization. This function will set the current_org object if the user is a member of the specified organization, otherwise it will return a 403 status code.

Typically, the organization id is passed in from the frontend as a path or query parameter. By default, it will look for org_id in the path parameters, but you can override this by passing in a function to req_to_org_id.

@app.route("/org/<org_id>/check")
@auth.require_org_member()
def hello(org_id):
    return f"You are in {current_org.org_name}"

require_org_member_with_minimum_role

Similar to require_org_member, but will also verify that the user has at least the specified role in the organization.

A user has a Role within an organization. By default, the available roles are Owner, Admin, or Member, but these can be configured. These roles are also hierarchical, so Owner > Admin > Member.

## Assuming a Role structure of Owner => Admin => Member

@app.route("/org/<org_id>/admin_or_owner")
@auth.require_org_member_with_minimum_role("Admin")
def admin_or_owner(org_id):
   return f"You are an Admin or Owner of {current_org.org_name}"

require_org_member_with_exact_role

Similar to require_org_member, but will also verify that the user has the exact specified role in the organization.

A user has a Role within an organization. By default, the available roles are Owner, Admin, or Member, but these can be configured. These roles are also hierarchical, so Owner > Admin > Member.

## Assuming a Role structure of Owner => Admin => Member

@app.route("/org/<org_id>/admin")
@auth.require_org_member_with_exact_role("Admin")
def admin(org_id):
   return f"You are an Admin of {current_org.org_name}"

require_org_member_with_permission

Similar to require_org_member, but will also verify that the user has the specified permission in the organization.

Permissions are arbitrary strings associated with a role. For example, can_view_billing, ProductA::CanCreate, and ReadOnly are all valid permissions. You can create these permissions in the PropelAuth dashboard.

@app.route("/org/<org_id>/billing")
@auth.require_org_member_with_permission("can_view_billing")
def billing(org_id):
   return f"You can view billing for {current_org.org_name}"

require_org_member_with_all_permissions

The batch version of require_org_member_with_permission, which will verify that the user has all of the specified permissions in the organization.

@app.route("/org/<org_id>/billing")
@auth.require_org_member_with_all_permissions(["can_view_billing", "can_view_billing_details"])
def billing(org_id):
   return f"You can view billing for {current_org.org_name}"

current_org

A per-request value that contains information about the organization the user is a member of. It's set by one of require_org_member, require_org_member_with_minimum_role, require_org_member_with_exact_role, require_org_member_with_permission, or require_org_member_with_all_permissions.

See OrgMemberInfo for more information.


User

The User object contains information about the user that made the request.

  • Name
    user_id
    Type
    string
    Description

    The unique id of the user.

  • Name
    org_id_to_org_member_info
    Type
    dict
    Description

    A dictionary mapping from organization id to OrgMemberInfo object.

  • Name
    email
    Type
    string
    Description

    The email of the user.

  • Name
    first_name
    Type
    string
    Description

    The first name of the user.

  • Name
    last_name
    Type
    string
    Description

    The last name of the user.

  • Name
    username
    Type
    string
    Description

    The username of the user.

  • Name
    legacy_user_id
    Type
    string
    Description

    If the user was migrated using our Migration API, this will be the id of the user in the legacy system.

  • Name
    is_impersonated()
    Type
    bool
    Description

    True if the user is being impersonated.

  • Name
    impersonator_user_id
    Type
    string
    Description

    If the user is being impersonated, this is id of the user that impersonated them.

  • Name
    properties
    Type
    dict
    Description

    A dictionary of custom properties associated with the user.


OrgMemberInfo

The OrgMemberInfo object contains information about the user's membership in an organization.

  • Name
    org_id
    Type
    string
    Description

    The unique id of the organization.

  • Name
    org_name
    Type
    string
    Description

    The name of the organization.

  • Name
    org_metadata
    Type
    object
    Description

    The metadata associated with the organization.

  • Name
    user_assigned_role
    Type
    string
    Description

    The role of the user in the organization.

  • Name
    user_permissions
    Type
    list[string]
    Description

    A list of permissions the user has in the organization, based on their role.

  • Name
    user_is_role
    Type
    fn(role: string) -> bool
    Description

    A function that returns true if the user has the specified role in the organization.

  • Name
    user_is_at_least_role
    Type
    fn(role: string) -> bool
    Description

    A function that returns true if the user has at least the specified role in the organization.

  • Name
    user_has_permission
    Type
    fn(permission: string) -> bool
    Description

    A function that returns true if the user has the specified permission in the organization.

  • Name
    user_has_all_permissions
    Type
    fn(permissions: list[string]) -> bool
    Description

    A function that returns true if the user has all of the specified permissions in the organization.


Calling Backend APIs

You can also use the library to call the PropelAuth APIs directly, allowing you to fetch users, create orgs, and a lot more. See the API Reference for more information.