When someone follows an external link to my Anvil App, I would like to be able to let them in and, if I could identify them in some way, issue them with a timed session token based on the domain they came from.
I’m specifically looking to do this because I have another website with a forum on which users are already logged in. On this I’ve not got access to the user data and can’t move off the platform. But I want logged-in users to be able to click a link, then access and use tools I’ve made with Anvil without any further login process, whilst preventing someone copying the link and using it from anywhere that’s not my subscriber site or an approved domain.
It doesn’t seem like this is possible client-side in Anvil as the HTTP headers aren’t available. Whilst I could make the external link point to an HTTP endpoint, there doesn’t seem to be an easy way to direct users to either a ‘no access’ page or the app from the endpoint.
I’m not after high security (obviously), I just want to make it fairly difficult for anyone trying to access the app from outside domains I’ve allowed and avoid users having to sign up for a second system.
Is there any way I could achieve this with Python/Anvil?
Thanks!
-Oliver
Do you have any control over the User system on the non-anvil side? Maybe you could send some kind of user token to Anvil?
Welcome to the forum!
From an HTTP endpoint you can return a 302 response to cause the browser to redirect to a new URL:
return anvil.server.HttpResponse(302, "", {'Location': f'{url}{query}'})
This assumes your Anvil app is set up to allow routes of some sort to go to a different form based on the URL.
2 Likes
As far as I know, a server-callable function has no way to determine the client’s IP address. However, you can obtain it when the client makes an HTTP request.
One approach is to have the client call an HTTP endpoint, for example register_my_ip. The server checks the IP address, and if it doesn’t match one of the expected ones, it returns a failure. If the IP address is valid, the endpoint generates a unique ID, then inserts or updates a row in a table containing the client’s IP, the unique ID, and a timestamp. Finally, the endpoint returns the unique ID to the client.
From then on, the client includes this unique ID whenever it calls server-callable functions. The server functions can look up the ID in the table and determine who the caller is.
1 Like
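The flow from the two answers above (an HTTP endpoint that vets the request, hands back an identifier and redirects with a 302), as an added example that is not code from any poster in this thread. It checks the Referer host the question asks about rather than the client IP, and swaps the table row for a stateless HMAC-signed token with an expiry; every host name, URL, secret and function name is a placeholder assumed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlparse

# Every value below is a placeholder assumed for this example.
ALLOWED_HOSTS = {"forum.example.com"}   # approved referring sites (HTTPS assumed)
SECRET = b"replace-with-random-bytes"   # server-side only, never sent to the client
TOKEN_TTL = 15 * 60                     # token lifetime in seconds
APP_URL = "https://my-app.example/tools"
DENIED_URL = "https://my-app.example/no-access"

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def referer_allowed(referer):
    """Exact host match: a substring test would accept forum.example.com.evil.test."""
    if not referer:
        return False
    parsed = urlparse(referer)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS

def issue_token(host, now=None):
    """Build 'host|expiry|signature'; the signature covers host and expiry."""
    expiry = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{host}|{expiry}"
    return f"{payload}|{_sign(payload)}"

def verify_token(token, now=None):
    """Accept only an untampered, unexpired token for an allowed host."""
    try:
        host, expiry, sig = token.split("|")
        expires_at = int(expiry)
    except (AttributeError, ValueError):
        return False
    expected = _sign(f"{host}|{expiry}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    return host in ALLOWED_HOSTS and current < expires_at

def handle_entry(headers, now=None):
    """Decide the redirect for the entry endpoint; returns (status, headers)."""
    referer = headers.get("Referer") or headers.get("referer")
    if not referer_allowed(referer):
        return 302, {"Location": DENIED_URL}
    token = issue_token(urlparse(referer).hostname, now)
    query = urlencode({"t": token})
    return 302, {"Location": f"{APP_URL}?{query}"}
```

Inside an Anvil HTTP endpoint the headers would come from anvil.server.request.headers and the tuple would be returned as anvil.server.HttpResponse(status, "", headers), with server functions calling verify_token on the token the client passes back. The Referer header is supplied by the browser and may be absent or altered, so this matches the "fairly difficult" bar set in the question rather than strong authentication.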
Unfortunately not, so I’ve got to try to work around it.