dict() -> new empty dictionary


Defines a model for authentication methods like login/logout.

Module Contents

class user.auth.core.SignupToken[source]

Bases: typing_extensions.TypedDict

dict() -> new empty dictionary dict(mapping) -> new dictionary initialized from a mapping object’s

(key, value) pairs

dict(iterable) -> new dictionary initialized as if via:

d = {} for k, v in iterable:

d[k] = v

dict(**kwargs) -> new dictionary initialized with the name=value pairs

in the keyword argument list. For example: dict(one=1, two=2)

role: str[source]
max_uses: int[source]
expires: int[source]
class user.auth.core.Auth(app: onegov.user.UserApp, to: str | None = '/', skip: bool = False, signup_token: str | None = None, signup_token_secret: str | None = None)[source]

Defines a model for authentication methods like login/logout. Applications should use this model to implement authentication views.

classmethod from_request(request: onegov.core.request.CoreRequest, to: str | None = '/', skip: bool = False, signup_token: str | None = None) typing_extensions.Self[source]
classmethod from_request_path(request: onegov.core.request.CoreRequest, skip: bool = False, signup_token: str | None = None) typing_extensions.Self[source]
property users: onegov.user.collections.UserCollection[source]
redirect(request: onegov.core.request.CoreRequest, path: str) webob.Response[source]
skippable(request: onegov.core.request.CoreRequest) bool[source]

Returns true if the login for the current to target is optional (i.e. it is not required to access the page).

This should only be used on protected pages as public pages would always be skipppable. Therefore it has to be enabled manually by specifying skip=True on the Auth class.

is_valid_second_factor(user: onegov.user.User, second_factor_value: str | None) bool[source]

Returns true if the second factor of the given user is valid.

authenticate(request: onegov.core.request.CoreRequest, username: str, password: str, client: str = 'unknown', second_factor: str | None = None, skip_providers: bool = False) User | None[source]

Takes the given username and password and matches them against the users collection. This does not login the user, use login_to() to accomplish that.

  • username – The username to authenticate.

  • password – The password of the user (clear-text).

  • client – The client address of the user (i.e. his IP address).

  • second_factor – The value of the second factor or None.

  • skip_providers – In special cases where e.g. an LDAP-Provider is a source of users but can’t offer the password for authentication, you can login using the application database.


The matched user, if successful, or None.

as_identity(user: onegov.user.User) morepath.authentication.Identity[source]

Returns the morepath identity of the given user.

by_identity(identity: Identity | NoIdentity) User | None[source]

Returns the user record of the given identity.

login_to(username: str, password: str, request: onegov.core.request.CoreRequest, second_factor: str | None = None, skip_providers: bool = False) Response | None[source]

Takes a user login request and remembers the user if the authentication completes successfully.

  • username – The username to log in.

  • password – The password to log in (cleartext).

  • request – The request of the user.

  • second_factor – The second factor, if any.


Pass option skip_providers to skip any configured auth providers.


A redirect response to with the identity

remembered as a cookie. If not successful, None is returned.

complete_login(user: onegov.user.User, request: onegov.core.request.CoreRequest) webob.Response[source]

Takes a user record, remembers its session and returns a proper redirect response to complete the login.

This method is mostly useful inside onegov.user. You probably want to use complete_login() outside of that.

logout_to(request: onegov.core.request.CoreRequest, to: str | None = None) webob.Response[source]

Logs the current user out and redirects to to or


A response redirecting to with the identity


new_signup_token(role: str, max_age: int = 24 * 60 * 60, max_uses: int = 1) str[source]

Returns a signup token which can be used for users to register themselves, directly gaining the given role.

Signup tokens are recorded on the user to make sure that only the requested amount of uses is allowed.

property signup_token_serializer: itsdangerous.URLSafeSerializer[source]
decode_signup_token(token: str) SignupToken | None[source]
property permitted_role_for_registration: str | None[source]

Returns the permitted role for the current signup token.

register(form: onegov.user.forms.RegistrationForm, request: onegov.core.request.CoreRequest) onegov.user.User[source]

Registers the user using the information on the registration form.

Takes the signup token into account to provide the user with the proper role.

See onegov.user.collections.UserCollection.register_user() for more information.