signin_completed_rt = "/signin_completed"
This page describes how Plash Auth is implemented client side.
Please see the how-to for instructions on how to use it.
The signin completion route is where Plash Auth redirects users after authentication. Your app needs to add this route to complete the login.
mk_signin_url (session:dict, email_re:str=None, hd_re:str=None)
Generate a Google Sign-In URL for Plash authentication.
| | Type | Default | Details |
|---|---|---|---|
| session | dict | | Session dictionary |
| email_re | str | None | Regex filter for allowed email addresses |
| hd_re | str | None | Regex filter for allowed Google hosted domains |

`mk_signin_url` is the function your app calls to create a Google signin URL for the user.
In development mode, it returns a mock URL to make testing easier.
In production, it calls the Plash Auth service and stores the request ID in the session for later verification.
After Google authentication, Plash sends back a JSON Web Token (JWT) containing the user’s information. This function decodes and validates that token using the ES256 public key. If anything goes wrong with the JWT, it returns error details instead of crashing.
A JWT is not encrypted. Its signature ensures data integrity and authenticity, protecting against tampering and forgery. We use JWTs so your app can trust that the sign-in information and user details it receives after authentication really come from Plash (and by extension, Google), and have not been modified by an attacker.
Raised when Plash authentication fails
`PlashAuthError` is a custom exception for when authentication fails. This makes it easier for your app to handle auth errors specifically.
Please see the auth example for an example of how you can catch this exception in your application.
goog_id_from_signin_reply (session:dict, reply:str)
Validate Google sign-in reply and return Google user ID if valid.

| | Type | Details |
|---|---|---|
| session | dict | Session dictionary containing 'req_id' |
| reply | str | The JWT reply string from Plash after Google authentication |

`goog_id_from_signin_reply` is the function your app calls in the signin completion route. It verifies the JWT reply matches the original request (preventing CSRF attacks), checks for any authentication errors, and returns the user’s Google ID if everything is valid.
When testing locally, this will always return the mock Google ID '424242424242424242424'.
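The two checks described above (ES256 validation of the JWT, then matching the reply to the session's request ID) are shown here as an added, standard-library-only example; it is not Plash's own code. The claim names `sub`, `req_id` and `err`, all function names, and the hand-written P-256 arithmetic are assumptions for illustration; the arithmetic is not constant time, so a maintained JWT library belongs in a real app.

```python
import base64, hashlib, json, secrets

# NIST P-256 parameters (ES256 = ECDSA over P-256 with SHA-256); curve coefficient a = -3
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xffffffff_00000000_ffffffff_ffffffff_bce6faad_a7179e84_f3b9cac2_fc632551
G = (0x6b17d1f2_e12c4247_f8bce6e5_63a440f2_77037d81_2deb33a0_f4a13945_d898c296,
     0x4fe342e2_fe1a7f9b_8ee7eb4a_7c0f9e16_2bce3357_6b315ece_cbb64068_37bf51f5)

def add(p, q):  # point addition; None is the point at infinity
    if p is None or q is None: return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    m = (3*x1*x1 - 3) * pow(2*y1, -1, P) if p == q else (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (m*m - x1 - x2) % P
    return x3, (m*(x1 - x3) - y1) % P

def mul(k, p, r=None):  # double-and-add scalar multiplication (illustration only)
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def digest(signing_input): return int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")

def sign_es256(claims, priv):  # builds constructed sample tokens, standing in for the auth service
    msg = b64e(b'{"alg":"ES256","typ":"JWT"}') + "." + b64e(json.dumps(claims).encode())
    k = secrets.randbelow(N - 1) + 1
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (digest(msg) + r*priv) % N
    return msg + "." + b64e(r.to_bytes(32, "big") + s.to_bytes(32, "big"))

def verify_es256(token, pub):  # returns the claims only if the signature verifies
    head, body, sig = token.split(".")
    raw = b64d(sig)  # JWS ES256 signature is raw r || s, 32 bytes each
    r, s = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
    if json.loads(b64d(head)).get("alg") != "ES256" or len(raw) != 64 or not (0 < r < N and 0 < s < N):
        raise ValueError("malformed token")
    w = pow(s, -1, N)
    pt = add(mul(digest(f"{head}.{body}") * w % N, G), mul(r * w % N, pub))
    if pt is None or pt[0] % N != r: raise ValueError("bad signature")
    return json.loads(b64d(body))

def google_id_from_reply(session, token, pub):
    claims = verify_es256(token, pub)  # 1. authenticity and integrity
    if not session.get("req_id") or claims.get("req_id") != session["req_id"]:
        raise ValueError("reply does not match this session's request")  # 2. CSRF binding
    if claims.get("err"): raise ValueError(f"authentication failed: {claims['err']}")  # 3. upstream error
    return claims["sub"]
```

To try it, derive a throwaway key pair with `priv = secrets.randbelow(N - 1) + 1` and `pub = mul(priv, G)`, then pass the output of `sign_es256` to `google_id_from_reply`.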