Auth

Client-side logic to add Plash Auth to your app

This page describes how Plash Auth is implemented on the client side.

Please see the how to for instructions on how to use it.

Redirect route

signin_completed_rt = "/signin_completed"

The signin completion route is where Plash Auth redirects users after authentication. Your app needs to add this route to complete the login.


mk_signin_url

def mk_signin_url(
    session:dict, # Session dictionary
    email_re:str=None, # Regex filter for allowed email addresses
    hd_re:str=None, # Regex filter for allowed Google hosted domains
):

Generate a Google Sign-In URL for Plash authentication.

mk_signin_url is the function your app calls to create a Google signin URL for the user.

In development mode, it returns a mock URL to make testing easier.

In production, it calls the Plash Auth service and stores the request ID in the session for later verification.

After Google authentication, Plash sends back a JSON Web Token (JWT) containing the user’s information. Your app's completion route then decodes and validates that token against Plash's ES256 public key (see goog_id_from_signin_reply below). If anything goes wrong with the JWT, error details are returned instead of crashing.

Note

A signed JWT is not encrypted. It provides data integrity and authenticity: it protects against tampering and forgery, not against disclosure. We use JWTs so your app can trust that the sign-in information and user details it receives after authentication really come from Plash (and by extension, Google) and have not been modified by an attacker.


PlashAuthError

class PlashAuthError(Exception):
    "Raised when Plash authentication fails"

PlashAuthError is a custom exception for when authentication fails. This makes it easier for your app to handle auth errors specifically.

Please see the auth example for an example of how to catch this exception in your application.


goog_id_from_signin_reply

def goog_id_from_signin_reply(
    session:dict, # Session dictionary containing 'req_id'
    reply:str, # The JWT reply string from Plash after Google authentication
):

Validates the Google sign-in reply and returns the Google user ID if the reply is valid.

goog_id_from_signin_reply is the function your app calls in the signin completion route. It verifies the JWT reply matches the original request (preventing CSRF attacks), checks for any authentication errors, and returns the user’s Google ID if everything is valid.

When testing locally this will always return the mock Google ID '424242424242424242424'.
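The two halves of the flow described above (storing the request ID when the sign-in URL is created, then binding the reply to that ID and checking the JWT before trusting the Google ID) are shown below as an added example. This is not Plash's own code: the function names, claim names (`req_id`, `sub`, `error`, `exp`) and the URL are assumptions, and the reply is signed with an HMAC-SHA256 toy key so the example runs offline with only the standard library. Plash signs its real reply with ES256, an asymmetric algorithm verified with Plash's public key, so a production client would pin `ES256` and hand the signature check to a JWT library; every other check (algorithm pinning, expiry, session binding, surfacing the error claim) is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed toy key. Stands in for Plash's ES256 key pair so the example runs
# offline; a real client never holds a shared secret, only Plash's public key.
TOY_KEY = b"constructed-example-key-not-plash"
ALLOWED_ALG = "HS256"  # a real Plash client pins "ES256"


class PlashAuthError(Exception):
    "Raised when Plash authentication fails"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def toy_mk_signin_url(session: dict, req_id: str) -> str:
    """Mirror of the production step that matters client-side: record the
    request id in the session so the completion route can bind the reply."""
    session["req_id"] = req_id
    return f"https://auth.example.invalid/signin?req_id={req_id}"  # constructed URL


def mint_reply(claims: dict) -> str:
    """Constructed Plash-side helper so there is a signed reply to verify."""
    header = _b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(TOY_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signin_reply(session: dict, reply: str) -> str:
    """Completion-route check: return the Google id only if every test passes."""
    try:
        h_b64, p_b64, s_b64 = reply.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError as e:  # covers bad base64, bad JSON and wrong segment count
        raise PlashAuthError(f"malformed reply: {e}")
    # Pin the algorithm: the token never gets to choose (rejects alg=none / confusion).
    if header.get("alg") != ALLOWED_ALG:
        raise PlashAuthError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(TOY_KEY, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise PlashAuthError("bad signature")
    if payload.get("exp", 0) < time.time():  # a missing exp is rejected too
        raise PlashAuthError("reply expired")
    # Bind the reply to the request this browser started (the CSRF check).
    if "req_id" not in session or payload.get("req_id") != session["req_id"]:
        raise PlashAuthError("req_id does not match session")
    if payload.get("error"):
        raise PlashAuthError(payload["error"])
    sub = payload.get("sub")
    if not sub:
        raise PlashAuthError("no Google id in reply")
    return sub


def is_rejected(session: dict, claims: dict) -> bool:
    """True if the completion route rejects a correctly signed reply with these claims."""
    try:
        verify_signin_reply(session, mint_reply(claims))
        return False
    except PlashAuthError:
        return True


def tampered_is_rejected() -> bool:
    """Swap the payload of a valid reply for a forged one; the signature check must fail."""
    session = {"req_id": "r"}
    h, _p, s = mint_reply({"req_id": "r", "sub": "1", "exp": 9999999999}).split(".")
    forged = _b64url_encode(json.dumps({"req_id": "r", "sub": "2", "exp": 9999999999}).encode())
    try:
        verify_signin_reply(session, f"{h}.{forged}.{s}")
        return False
    except PlashAuthError:
        return True


def demo() -> str:
    """Full round trip with a constructed session; returns the mock Google id."""
    session = {}
    toy_mk_signin_url(session, "req-constructed-1")
    reply = mint_reply({"req_id": "req-constructed-1", "sub": "424242424242424242424",
                        "exp": int(time.time()) + 300})
    return verify_signin_reply(session, reply)


if __name__ == "__main__":
    print(demo())
```

The order of checks is deliberate: signature and algorithm first, so nothing in an unauthenticated payload (including the `error` field) is acted on; the `req_id` comparison then rejects a reply that was minted for some other browser's request, which is what the page means by the CSRF protection.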