jupyter-server
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎binder/jupyter_notebook_config.py‎
Lines changed: 2 additions & 2 deletions b/‎binder/jupyter_notebook_config.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎jupyverse/__init__.py‎
Lines changed: 8 additions & 0 deletions b/‎jupyverse/__init__.py‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎plugins/auth/fps_auth/backends.py‎
Lines changed: 52 additions & 19 deletions b/‎plugins/auth/fps_auth/backends.py‎
Lines changed: 52 additions & 19 deletions
diff --git a/‎plugins/auth/fps_auth/config.py‎
Lines changed: 0 additions & 1 deletion b/‎plugins/auth/fps_auth/config.py‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎plugins/auth/fps_auth/routes.py‎
Lines changed: 3 additions & 3 deletions b/‎plugins/auth/fps_auth/routes.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎plugins/auth/setup.cfg‎
Lines changed: 6 additions & 0 deletions b/‎plugins/auth/setup.cfg‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎plugins/auth_fief/fps_auth_fief/__init__.py‎
Lines changed: 1 addition & 0 deletions b/‎plugins/auth_fief/fps_auth_fief/__init__.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎plugins/auth_fief/fps_auth_fief/backend.py‎
Lines changed: 92 additions & 0 deletions b/‎plugins/auth_fief/fps_auth_fief/backend.py‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎plugins/auth_fief/fps_auth_fief/config.py‎
Lines changed: 23 additions & 0 deletions b/‎plugins/auth_fief/fps_auth_fief/config.py‎
Lines changed: 23 additions & 0 deletions
@@ -94,7 +94,7 @@ You can currently authenticate as an anonymous user, or
 ## With collaborative editing
 
 ```bash
-jupyverse --open-browser --auth.collaborative
+jupyverse --open-browser --lab.collaborative
 ```
 
 This is especially interesting if you are "user-authenticated", since your will appear as the
 
@@ -3,7 +3,7 @@
         "jupyverse",
         "--no-open-browser",
         "--auth.mode=noauth",
-        "--auth.collaborative",
+        "--lab.collaborative",
         "--RetroLab.enabled=false",
         "--Lab.base_url={base_url}jupyverse-jlab/",
         "--port={port}",
@@ -17,7 +17,7 @@
         "jupyverse",
         "--no-open-browser",
         "--auth.mode=noauth",
-        "--auth.collaborative",
+        "--lab.collaborative",
         "--JupyterLab.enabled=false",
         "--Lab.base_url={base_url}jupyverse-rlab/",
         "--port={port}",
 
@@ -1 +1,9 @@
+import pkg_resources
+
 __version__ = "0.0.35"
+
+auth = {ep.name: ep.load() for ep in pkg_resources.iter_entry_points(group="jupyverse_auth")}
+User = auth["User"]
+current_user = auth["current_user"]
+update_user = auth["update_user"]
+websocket_auth = auth["websocket_auth"]
@@ -1,5 +1,5 @@
 import uuid
-from typing import Generic, Optional
+from typing import Any, Dict, Generic, List, Optional, Tuple
 
 import httpx
 from fastapi import Depends, HTTPException, Response, WebSocket, status
@@ -19,12 +19,13 @@
 from fastapi_users.db import SQLAlchemyUserDatabase
 from fps.exceptions import RedirectException  # type: ignore
 from fps.logging import get_configured_logger  # type: ignore
+from fps_lab.config import get_lab_config  # type: ignore
 from httpx_oauth.clients.github import GitHubOAuth2  # type: ignore
 from starlette.requests import Request
 
 from .config import get_auth_config
 from .db import User, get_user_db, secret
-from .models import UserCreate
+from .models import UserCreate, UserRead
 
 logger = get_configured_logger("auth")
 
@@ -106,8 +107,10 @@ async def get_user_manager(user_db: SQLAlchemyUserDatabase = Depends(get_user_db
     yield UserManager(user_db)
 
 
-async def get_enabled_backends(auth_config=Depends(get_auth_config)):
-    if auth_config.mode == "noauth" and not auth_config.collaborative:
+async def get_enabled_backends(
+    auth_config=Depends(get_auth_config), lab_config=Depends(get_lab_config)
+):
+    if auth_config.mode == "noauth" and not lab_config.collaborative:
         return [noauth_authentication, github_cookie_authentication]
     else:
         return [cookie_authentication, github_cookie_authentication]
@@ -131,35 +134,33 @@ async def create_guest(user_manager, auth_config):
         password="",
         workspace=global_user.workspace,
         settings=global_user.settings,
+        permissions={},
     )
     return await user_manager.create(UserCreate(**guest))
 
 
-def current_user(resource: Optional[str] = None):
+def current_user(permissions: Optional[Dict[str, List[str]]] = None):
     async def _(
-        request: Request,
         response: Response,
         token: Optional[str] = None,
         user: Optional[User] = Depends(
             fapi_users.current_user(optional=True, get_enabled_backends=get_enabled_backends)
         ),
         user_manager: UserManager = Depends(get_user_manager),
         auth_config=Depends(get_auth_config),
+        lab_config=Depends(get_lab_config),
     ):
         if auth_config.mode == "user":
             # "user" authentication: check authorization
-            if user and resource:
-                # check if allowed to access the resource
-                permissions = user.permissions.get(resource, [])
-                if request.method in ("GET", "HEAD"):
-                    if "read" not in permissions:
-                        user = None
-                elif request.method in ("POST", "PUT", "PATCH", "DELETE"):
-                    if "write" not in permissions:
+            if user and permissions:
+                for resource, actions in permissions.items():
+                    user_actions_for_resource = user.permissions.get(resource, [])
+                    if not all([a in user_actions_for_resource for a in actions]):
                         user = None
+                        break
         else:
             # "noauth" or "token" authentication
-            if auth_config.collaborative:
+            if lab_config.collaborative:
                 if not user and auth_config.mode == "noauth":
                     user = await create_guest(user_manager, auth_config)
                     await cookie_authentication.login(get_jwt_strategy(), user, response)
@@ -188,28 +189,60 @@ async def _(
     return _
 
 
-def websocket_for_current_user(resource: str):
+def websocket_auth(permissions: Optional[Dict[str, List[str]]] = None):
+    """
+    A function returning a dependency for the WebSocket connection.
+
+    :param permissions: the permissions the user should be granted access to. The user should have
+    access to at least one of them for the WebSocket to be opened.
+    :returns: a dependency for the WebSocket connection. The dependency returns a tuple consisting
+    of the websocket and the checked user permissions if the websocket is accepted, None otherwise.
+    """
+
     async def _(
         websocket: WebSocket,
         auth_config=Depends(get_auth_config),
         user_manager: UserManager = Depends(get_user_manager),
-    ) -> Optional[WebSocket]:
+    ) -> Optional[Tuple[WebSocket, Optional[Dict[str, List[str]]]]]:
         accept_websocket = False
+        checked_permissions: Optional[Dict[str, List[str]]] = None
         if auth_config.mode == "noauth":
             accept_websocket = True
         elif "fastapiusersauth" in websocket._cookies:
             token = websocket._cookies["fastapiusersauth"]
             user = await get_jwt_strategy().read_token(token, user_manager)
             if user:
                 if auth_config.mode == "user":
-                    if "execute" in user.permissions.get(resource, []):
+                    # "user" authentication: check authorization
+                    if permissions is None:
                         accept_websocket = True
+                    else:
+                        checked_permissions = {}
+                        for resource, actions in permissions.items():
+                            user_actions_for_resource = user.permissions.get(resource)
+                            if user_actions_for_resource is None:
+                                continue
+                            allowed = checked_permissions[resource] = []
+                            for action in actions:
+                                if action in user_actions_for_resource:
+                                    allowed.append(action)
+                                    accept_websocket = True
                 else:
                     accept_websocket = True
         if accept_websocket:
-            return websocket
+            return websocket, checked_permissions
         else:
             await websocket.close(code=status.WS_1008_POLICY_VIOLATION)
             return None
 
     return _
+
+
+async def update_user(
+    user: UserRead = Depends(current_user()), user_db: SQLAlchemyUserDatabase = Depends(get_user_db)
+):
+    async def _(data: Dict[str, Any]) -> UserRead:
+        await user_db.update(user, data)
+        return user
+
+    return _
@@ -13,7 +13,6 @@ class AuthConfig(PluginModel, BaseSettings):
     # mode: Literal["noauth", "token", "user"] = "token"
     mode: str = "token"
     token: str = str(uuid4())
-    collaborative: bool = False
     global_email: str = "guest@jupyter.com"
     cookie_secure: bool = False  # FIXME: should default to True, and set to False for tests
     clear_users: bool = False
 
@@ -105,7 +105,7 @@ async def startup():
 
 
 @router.get("/auth/users")
-async def get_users(user: UserRead = Depends(current_user("admin"))):
+async def get_users(user: UserRead = Depends(current_user(permissions={"admin": ["read"]}))):
     async with async_session_maker() as session:
         statement = select(User)
         users = (await session.execute(statement)).unique().all()
@@ -144,7 +144,7 @@ async def get_api_me(
 
 
 @users_router.get("/me")
-async def get_me(user: UserRead = Depends(current_user("admin"))):
+async def get_me(user: UserRead = Depends(current_user(permissions={"admin": ["read"]}))):
     return user
 
 
@@ -155,7 +155,7 @@ async def get_me(user: UserRead = Depends(current_user("admin"))):
 r_register = register_router(
     fapi_users.get_register_router(UserRead, UserCreate),
     prefix="/auth",
-    dependencies=[Depends(current_user("admin"))],
+    dependencies=[Depends(current_user(permissions={"admin": ["write"]}))],
 )
 r_user = register_router(users_router, prefix="/auth/user")
 
 
@@ -21,6 +21,7 @@ python_requires = >=3.7
 
 install_requires =
   fps >=0.0.8
+  fps-lab
   aiosqlite
   fastapi-users[sqlalchemy,oauth] >=10.1.4,<11
 
@@ -29,3 +30,8 @@ fps_router =
     fps-auth = fps_auth.routes
 fps_config =
     fps-auth = fps_auth.config
+jupyverse_auth =
+    User = fps_auth.models:UserRead
+    current_user = fps_auth.backends:current_user
+    update_user = fps_auth.backends:update_user
+    websocket_auth = fps_auth.backends:websocket_auth
@@ -0,0 +1 @@
+__version__ = "0.0.35"
@@ -0,0 +1,92 @@
+from typing import Any, Dict, List, Optional, Tuple
+
+from fastapi import Depends, HTTPException, Request, Response, WebSocket, status
+from fastapi.security import APIKeyCookie
+from fief_client import FiefAccessTokenInfo, FiefAsync, FiefUserInfo
+from fief_client.integrations.fastapi import FiefAuth
+
+from .config import get_auth_fief_config
+from .models import UserRead
+
+
+class CustomFiefAuth(FiefAuth):
+    client: FiefAsync
+
+    async def get_unauthorized_response(self, request: Request, response: Response):
+        redirect_uri = request.url_for("auth_callback")
+        auth_url = await self.client.auth_url(redirect_uri, scope=["openid"])
+        raise HTTPException(
+            status_code=status.HTTP_307_TEMPORARY_REDIRECT,
+            headers={"Location": auth_url},
+        )
+
+
+auth_fief_config = get_auth_fief_config()
+
+fief = FiefAsync(
+    auth_fief_config.base_url,
+    auth_fief_config.client_id,
+    auth_fief_config.client_secret.get_secret_value(),
+)
+
+SESSION_COOKIE_NAME = "fps_auth_fief_user_session"
+scheme = APIKeyCookie(name=SESSION_COOKIE_NAME, auto_error=False)
+auth = CustomFiefAuth(fief, scheme)
+
+
+async def update_user(
+    user: FiefUserInfo = Depends(auth.current_user()),
+    access_token_info: FiefAccessTokenInfo = Depends(auth.authenticated()),
+):
+    async def _(data: Dict[str, Any]) -> FiefUserInfo:
+        user = await fief.update_profile(access_token_info["access_token"], {"fields": data})
+        return user
+
+    return _
+
+
+def websocket_auth(permissions: Optional[Dict[str, List[str]]] = None):
+    async def _(
+        websocket: WebSocket,
+    ) -> Optional[Tuple[WebSocket, Optional[Dict[str, List[str]]]]]:
+        accept_websocket = False
+        checked_permissions: Optional[Dict[str, List[str]]] = None
+        if SESSION_COOKIE_NAME in websocket._cookies:
+            access_token = websocket._cookies[SESSION_COOKIE_NAME]
+            if permissions is None:
+                accept_websocket = True
+            else:
+                checked_permissions = {}
+                for resource, actions in permissions.items():
+                    allowed = checked_permissions[resource] = []
+                    for action in actions:
+                        try:
+                            await fief.validate_access_token(
+                                access_token, required_permissions=[f"{resource}:{action}"]
+                            )
+                        except BaseException:
+                            pass
+                        else:
+                            allowed.append(action)
+                            accept_websocket = True
+        if accept_websocket:
+            return websocket, checked_permissions
+        else:
+            await websocket.close(code=status.WS_1008_POLICY_VIOLATION)
+            return None
+
+    return _
+
+
+def current_user(permissions=None):
+    if permissions is not None:
+        permissions = [
+            f"{resource}:{action}"
+            for resource, actions in permissions.items()
+            for action in actions
+        ]
+
+    async def _(user: FiefUserInfo = Depends(auth.current_user(permissions=permissions))):
+        return UserRead(**user["fields"])
+
+    return _
@@ -0,0 +1,23 @@
+from fps.config import PluginModel, get_config
+from fps.hooks import register_config
+from pydantic import BaseSettings, SecretStr
+
+
+class AuthFiefConfig(PluginModel, BaseSettings):
+    base_url: str  # Base URL of Fief tenant
+    client_id: str  # ID of Fief client
+    client_secret: SecretStr  # Secret of Fief client
+
+    class Config(PluginModel.Config):
+        env_prefix = "fps_auth_fief_"
+        # config can be set with environment variables, e.g.:
+        # export FPS_AUTH_FIEF_BASE_URL=https://jupyverse.fief.dev
+        # export FPS_AUTH_FIEF_CLIENT_ID=my_client_id
+        # export FPS_AUTH_FIEF_CLIENT_SECRET=my_client_secret
+
+
+def get_auth_fief_config():
+    return get_config(AuthFiefConfig)
+
+
+c = register_config(AuthFiefConfig)