Piccolo admin without auth

[chilico]

We have multiple distributed cloud services, some with their own db with a Piccolo layer. Everything is locked down with our own auth, and we would like the Piccolo admin(s) to be completely open so that we can seamlessly route between them. Ideally we would do without the BaseUser table altogether - we simply don't need it. Is this somehow possible?

[sinisaos]

@chilico I don't think you can do that now, but Piccolo Admin is protected by SessionsAuthBackend, which has the allow_unauthenticated argument. In your local Piccolo Admin installation you need to change this

piccolo_admin/piccolo_admin/endpoints.py

Lines 790 to 795 in 2308515

	backend=SessionsAuthBackend(
	auth_table=auth_table,
	session_table=session_table,
	admin_only=True,
	increase_expiry=increase_expiry,
	),

to this

backend=SessionsAuthBackend(
    allow_unauthenticated=True,
),

After these changes you can access Piccolo Admin without providing a user. This can be configured via create_admin, but we should wait for @dantownsend to say what he thinks about it.

[sinisaos]

1. Just add allow_authenticated as an argument - but there are already loads of arguments.

@dantownsend This would be the easiest way. Something like this will work

class AdminRouter(FastAPI):

    def __init__(
        ...
        allow_unauthenticated: bool = False,
    ) -> None:
        ...
        self.allow_unauthenticated = allow_unauthenticated
        ...
        backend = (
            SessionsAuthBackend(
                allow_unauthenticated=True,
            )
            if self.allow_unauthenticated is True
            else SessionsAuthBackend(
                auth_table=auth_table,
                session_table=session_table,
                admin_only=True,
                increase_expiry=increase_expiry,
            )
        )

        auth_middleware = partial(
            AuthenticationMiddleware,
            backend=backend,
            on_error=handle_auth_exception,
        )

def create_admin(
    ...
    allow_unauthenticated: bool = False,
):
    
    return AdminRouter(
        ...
        allow_unauthenticated=allow_unauthenticated,
    )

Usage would be

create_admin(
    tables=[...],
    allow_unauthenticated=True,
)

I wonder whether using allow_unauthenticated=True still requires the user to create the SessionsBase and BaseUser tables in the database?

No, everything works without providing those tables if allow_unauthenticated=True, because in that case we don't use those tables.

[chilico]

Thank you for your responses. I had a go at implementing your suggestions by subclassing the AdminRouter to accept allow_unauthenticated (together with all the other params), then writing a custom create_admin to use it. Whilst I was able to get a stable admin panel, I'm still hit with a login form.

[Skelmis]

It's fairly okay to patch in, I can't remember exactly if my start on #129 entirely removes the admin panel but the stuff in this commit can be used to make the admin panel function without authentication, albiet a tad scuffed.

Once I'm back from holiday I'll take the learnings from this to make it use the create admin parameters but yea, that's about what I found was needed

[sinisaos]

@chilico I don't know for subclassing AdminRouter, but you have two options until it is decided how to allow the user to disable auth.

1. The easiest way is to patch the local Piccolo Admin installation with the code provided in the previous comment.
2. Another way is to add a custom endpoint file (with the code provided in the previous comment) to your project (you also need to add a dist file for the admin frontend). After that you can use create_admin from that custom endpoint file. In my case both ways work.

admin.webm

Here is an example of how to add custom endpoints to an existing project to access Piccolo Admin without auth.
Hope that helps.

[chilico]

Ah, thank you @sinisaos. Your second option is a good enough work around for our current needs. But we'll look forward to seeing unauthed access in an upcoming release.