Authentication

Programmatic authentication

Call get_user() inside __render__ or any registered function to require login. If the user is not authenticated, the page returns 401 and the frontend shows a login prompt automatically.

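import html

from abstra.pages import register_function, get_user

@register_function
def __render__():
    # get_user() requires login; unauthenticated requests get a 401
    user = get_user()
    # Escape user-derived values before interpolating them into HTML
    email = html.escape(user.email)
    roles = html.escape(', '.join(user.roles)) or 'none'
    return f"""
    <div style="padding: 2rem; font-family: sans-serif;">
        <h1>Welcome, {email}</h1>
        <p>Your roles: {roles}</p>
    </div>
    """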

Info: During local development, any email and code can be used to bypass the login prompt.

Using authentication in functions

You can also call get_user() inside regular functions to protect specific actions:

from abstra.pages import register_function, get_user

@register_function
def approve_payment(payment_id: str):
    user = get_user()
    if "finance" not in user.roles:
        raise Exception("Only finance team can approve payments")
    # ... approve logic
    return {"status": "approved", "approved_by": user.email}

@register_function
def __render__():
    return """
    <button onclick="approve('PAY-001')">Approve Payment</button>
    <script>
        async function approve(id) {
            try {
                const result = await approve_payment(id);
                alert('Approved by ' + result.approved_by);
            } catch (e) {
                alert(e.message);
            }
        }
    </script>
    """
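
The same role check factored into a reusable helper that follows the "at least one of the specified roles" rule and records denials, as an added example (not Abstra's own code). The get_user here is a local stand-in so the block runs without Abstra; the Forbidden and Unauthenticated exceptions, the SESSION and APPROVED dicts, the admin role and the sample users are assumptions made for illustration.

```python
import logging
from types import SimpleNamespace

log = logging.getLogger("page.authz")

# Stand-in for abstra.pages.get_user so this block runs offline (assumption:
# the real call returns an object with .email and .roles, as used above).
SESSION = {"user": None}          # constructed demo state


class Unauthenticated(Exception):
    """Stand-in for the 401 the page returns when nobody is logged in."""


class Forbidden(Exception):
    """Caller is logged in but holds none of the allowed roles."""


def get_user():
    if SESSION["user"] is None:
        raise Unauthenticated("login required")
    return SESSION["user"]


def require_any_role(*allowed):
    """Return the current user if they hold at least one allowed role."""
    user = get_user()                       # authentication first
    if set(allowed).isdisjoint(user.roles or ()):
        log.warning("denied: %s lacks any of %s", user.email, sorted(allowed))
        raise Forbidden("requires one of: " + ", ".join(sorted(allowed)))
    return user


APPROVED = {}                               # hypothetical payment store


def approve_payment(payment_id: str):
    # The check runs before any state changes, whatever the browser UI showed.
    user = require_any_role("finance", "admin")  # "admin" is a hypothetical role
    APPROVED[payment_id] = user.email
    return {"status": "approved", "approved_by": user.email}


# Constructed sample users.
ALICE = SimpleNamespace(email="alice@example.com", roles=["finance"])
BOB = SimpleNamespace(email="bob@example.com", roles=["support"])
```

In a real page, drop the stand-in, import get_user from abstra.pages, and keep @register_function on approve_payment as shown earlier.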

Declarative access control

Pages support the same access control settings as Forms. Configure via the editor's Settings tab or abstra.json:

  • Public — anyone with the URL can access
  • Private — requires authentication (any logged-in user)
  • Private with roles — requires the user to have at least one of the specified roles

Declarative access control is checked before the Python script runs. If the user doesn't meet the requirements, they are redirected to the login page.

Browser-side authentication (JavaScript)

Pages render without the player navbar, so login and logout are controlled from your own HTML through the window.abstra browser API:

  • abstra.login() — sends the user to the login screen and returns them to the page after they authenticate.
  • abstra.logout() — clears the session (including OIDC sign-out) and reloads the page in a logged-out state.
  • abstra.logged() — returns true when a user is logged in (synchronous), useful to toggle UI.

from abstra.pages import register_function

@register_function
def __render__():
    return """
    <div id="auth" style="padding: 1rem; font-family: sans-serif;"></div>
    <script>
        const el = document.getElementById('auth');
        if (abstra.logged()) {
            el.innerHTML = '<button onclick="abstra.logout()">Sign out</button>';
        } else {
            el.innerHTML = '<button onclick="abstra.login()">Sign in</button>';
        }
    </script>
    """

Player layout

Forms render inside the player layout with navbar, sidebar, and branding. Pages do not — a page renders only its own HTML inside an isolated iframe, with no navbar or sidebar. Use the window.abstra API above to provide login/logout when your page needs it.