Authentication
Authentication is a critical component of most web applications, enabling you to identify users, protect resources, and provide personalized experiences. Nexios provides a flexible, robust authentication system that's easy to implement and customize for your specific needs. The Nexios authentication system is built around three core components:
Authentication Middleware: Processes incoming requests, extracts credentials, and attaches user information to the requestAuthentication Backends: Validate credentials and retrieve user informationUser Objects: Represent authenticated and unauthenticated users with consistent interfaces
🧢 Basic Authentication Setup
To get started with authentication in Nexios, you need to set up an authentication backend and add the authentication middleware:
python
from nexios import NexiosApp
from nexios.auth.middleware import AuthenticationMiddleware
from nexios.auth.backends.session import SessionAuthBackend
app = NexiosApp()
async def get_user_by_id(user_id: int):
# Load user by ID
user = await db.get_user(user_id)
auth_backend = SessionAuthBackend(authenticate_func=get_user_by_id)
# Add authentication middleware
app.add_middleware(AuthenticationMiddleware(backend=auth_backend))Once configured, the authentication system will process each request, attempt to authenticate the user, and make the user object available via request.user:
python
@app.get("/profile")
async def profile(req, res):
if req.user.is_authenticated:
return res.json({
"id": req.user.id,
"username": req.user.username,
"email": req.user.email
})
else:
return res.redirect("/login")🔗 Authentication Middleware
The AuthenticationMiddleware is responsible for processing each request, delegating to the configured backend for authentication, and attaching the resulting user object to the request:
python
from nexios.auth.middleware import AuthenticationMiddleware
from nexios.auth.backends.apikey import APIKeyBackend
# Create the authentication backend
api_key_backend = APIKeyBackend(
key_name="X-API-Key",
authenticate_func=get_user_by_api_key
)
# Add authentication middleware with the backend
app.add_middleware(AuthenticationMiddleware(backend=api_key_backend))Middleware Process Flow
- When a request arrives, the middleware calls the authentication backend's
authenticatemethod - If authentication succeeds, a user object is returned along with an authentication type
- The user is attached to
request.scope["user"]and accessible viarequest.user - An authentication type string is also attached to
request.scope["auth"] - If authentication fails, an
UnauthenticatedUserinstance is attached instead
⚙️ Authentication Backends
Nexios includes several built-in authentication backends and allows you to create custom backends for specific needs.
Built-in Authentication Backends
1. Session Authentication Backend
python
from nexios.auth.backends.session import SessionAuthBackend
session_backend = SessionAuthBackend(
user_key="user_id", # Session key for user ID
authenticate_func=get_user_by_id # Function to load user by ID
)
app.add_middleware(AuthenticationMiddleware(backend=session_backend))The session backend:
- Checks for a user ID stored in the session (typically set during login)
- Loads the full user object using the provided loader function
- Returns an authenticated user if found, or an unauthenticated user otherwise
2. JWT Authentication Backend
python
from nexios.auth.backends.jwt import JWTAuthBackend
jwt_backend = JWTAuthBackend(
secret_key="your-jwt-secret-key",
algorithm="HS256", # Optional, default is HS256
token_prefix="Bearer", # Optional, default is "Bearer"
authenticate_func=get_user_by_id, # Function to load user by ID
auth_header_name="Authorization" # Optional, default is "Authorization"
)
app.add_middleware(AuthenticationMiddleware(backend=jwt_backend))The JWT backend:
- Extracts a JWT token from the Authorization header
- Validates the token signature, expiration, etc.
- Extracts the user ID from the token claims
- Loads the full user object using the provided loader function
3. API Key Authentication Backend
python
from nexios.auth.backends.apikey import APIKeyBackend
async def get_user_by_api_key(api_key):
# Lookup user with the given API key
user = await db.find_user_by_api_key(api_key)
if user:
return UserModel(id=user.id, username=user.username, api_key=api_key)
return None
api_key_backend = APIKeyBackend(
key_name="X-API-Key", # Header containing the API key
user_loader=get_user_by_api_key # Function to load user by API key
)
app.add_middleware(AuthenticationMiddleware(backend=api_key_backend))The API key backend:
- Extracts an API key from the specified header
- Loads the full user object using the provided loader function
- Returns an authenticated user if found, or an unauthenticated user otherwise
🎨 Creating a Custom Authentication Backend
You can create custom authentication backends by implementing the AuthenticationBackend abstract base class:
python
from nexios.auth.base import AuthenticationBackend, BaseUser, UnauthenticatedUser
class CustomUser(BaseUser):
def __init__(self, id, username, is_admin=False):
self.id = id
self.username = username
self.is_admin = is_admin
@property
def is_authenticated(self):
return True
def get_display_name(self):
return self.username
class CustomAuthBackend(AuthenticationBackend):
async def authenticate(self, request, response):
# Extract credentials from the request
custom_header = request.headers.get("X-Custom-Auth")
if not custom_header:
# Return unauthenticated user if credentials not found
return UnauthenticatedUser(), "no-auth"
# Validate credentials
# ...authentication logic...
# If validation succeeds, return a user object and auth type
if valid_credentials:
user = CustomUser(id=123, username="example_user")
return user, "custom-auth"
# If validation fails, return unauthenticated user
return UnauthenticatedUser(), "no-auth"👤 User Objects and Lifecycle
User objects in Nexios implement the BaseUser interface, ensuring a consistent API regardless of the authentication backend.
The User Lifecycle
- Request Arrival: When a request reaches your application, it initially has no user information
- Authentication Process:
- The authentication middleware calls the backend's
authenticatemethod - The backend extracts credentials from the request (headers, session, etc.)
- The backend validates the credentials and retrieves or creates a user object
- The authentication middleware calls the backend's
- User Attachment: The middleware attaches the user object to the request
- Request Processing: Your handlers can access
request.userto check authentication status and user details - Response: After your handler processes the request, the response is sent back to the client
User Object Interface
All user objects (both authenticated and unauthenticated) share a common interface:
python
from nexios.auth.base import BaseUser
class CustomUser(BaseUser):
def __init__(self, id, username, email):
self.id = id
self.username = username
self.email = email
@property
def is_authenticated(self):
# Always return True for authenticated users
return True
def get_display_name(self):
# Return a human-readable name
return self.usernameThe UnauthenticatedUser class implements the same interface but returns False for is_authenticated.
🔒 Protecting Routes with Authentication
Basic Route Protection
The simplest way to protect routes is to check request.user.is_authenticated in your handlers:
python
@app.get("/admin")
async def admin_dashboard(req, res):
if not req.user.is_authenticated:
return res.redirect("/login")
# Process authenticated request
return res.html("Admin Dashboard")🔐 Using Authentication Decorators
For cleaner route protection, Nexios provides authentication decorators:
python
from nexios.auth.decorator import auth
@app.get("/dashboard")
@auth(["auth-type"]) #jwt , session or cusotom
async def dashboard(req, res):
# This route is only accessible to authenticated users
# Unauthenticated requests will be redirected to /login
return res.html("Dashboard")
@app.get("/api/data")
@auth(["auth-type"])
async def api_data(req, res):
# This route returns 401 Unauthorized for unauthenticated requests
return res.json({"data": "Protected API data"})💪 Custom Authentication Requirements
You can create custom decorators for more specific authentication needs:
python
from functools import wraps
def requires_admin(handler):
@wraps(handler)
async def wrapper(req, res, *args, **kwargs):
if not req.user.is_authenticated or not req.user.is_admin:
return res.json({"error": "Admin access required"}, status_code=403)
return await handler(req, res, *args, **kwargs)
return wrapper
@app.get("/admin/users")
@requires_admin
async def admin_users(req, res):
# Only admins can access this route
return res.json({"users": ["user1", "user2"]})🛹 Authentication Flows
🔑 Session-Based Authentication
Session-based authentication is a common approach for web applications:
python
from nexios import NexiosApp
from nexios.auth.middleware import AuthenticationMiddleware
from nexios.auth.backends.session import SessionAuthBackend
from nexios.session.middleware import SessionMiddleware
app = NexiosApp()
app.config.secret_key = "your-secure-secret-key"
# Add session middleware first
app.add_middleware(SessionMiddleware())
# Add authentication with session backend
async def get_user_by_id(user_id):
# Query the database for the user
user = await db.get_user(user_id)
if user:
return User(
id=user.id,
username=user.username,
email=user.email,
is_admin=user.is_admin
)
return None
session_backend = SessionAuthBackend(
user_key="user_id",
authenticate_func=get_user_by_id
)
app.add_middleware(AuthenticationMiddleware(backend=session_backend))
# Login route
@app.post("/login")
async def login(req, res):
data = await req.form
username = data.get("username")
password = data.get("password")
# Verify credentials
user = await db.verify_credentials(username, password)
if not user:
return res.redirect("/login?error=invalid")
# Store user ID in session
req.session["user_id"] = user.id
return res.redirect("/dashboard")
# Logout route
@app.post("/logout")
async def logout(req, res):
# Clear session
req.session.clear()
return res.redirect("/login")🔑 JWT-Based Authentication
JWT authentication is commonly used for APIs:
python
from nexios import NexiosApp
from nexios.auth.middleware import AuthenticationMiddleware
from nexios.auth.backends.jwt import JWTAuthBackend
import jwt
import time
app = NexiosApp()
jwt_secret = "your-jwt-secret-key"
# Configure JWT authentication
async def get_user_by_id(user_id):
user = await db.get_user(user_id)
if user:
return User(
id=user.id,
username=user.username,
email=user.email,
is_admin=user.is_admin
)
return None
jwt_backend = JWTAuthBackend(
secret_key=jwt_secret,
algorithm="HS256",
authenticate_func=get_user_by_id
)
app.add_middleware(AuthenticationMiddleware(backend=jwt_backend))
# Login route that returns JWT
@app.post("/api/login")
async def api_login(req, res):
data = await req.json
username = data.get("username")
password = data.get("password")
# Verify credentials
user = await db.verify_credentials(username, password)
if not user:
return res.json({"error": "Invalid credentials"}, status_code=401)
# Generate JWT token
payload = {
"sub": str(user.id),
"username": user.username,
"exp": int(time.time()) + 3600 # 1 hour expiration
}
token = jwt.encode(payload, jwt_secret, algorithm="HS256")
return res.json({
"access_token": token,
"token_type": "bearer",
"expires_in": 3600
})
# Protected API route
@app.get("/api/profile")
@auth(["jwt"])
async def api_profile(req, res):
return res.json({
"id": req.user.id,
"username": req.user.username,
"email": req.user.email
})The authentication system in Nexios is built with modern API security practices in mind. It supports a variety of authentication methods, including JSON Web Tokens (JWT), API keys, and session-based authentication. The system is designed to be fully asynchronous, ensuring that authentication processes do not block your application's performance.