Ensuring a single login per user

Anvil Q&A
1

Hello Friends:

I was going to do something like the following (which is crude just to show the example here) to ensure a single-login per user.

# ====================================================
# If not None, user is already logged in. Again, crude.
# ====================================================
if anvil.users.get_user():
      alert(..., dismissable=False)      # Alert user that he's already logged in elsewhere.
      open_form('Forms.LandingPageForm') # Send back to landing page.
      anvil.users.logout()               # This step may not be a good idea b/c may log user out everywhere.

BTW: Iā€™ve decided to use Magic eMail Link method.

But then I began wondering if the items available via anvil.users (shown in the following screenshot) might be helpful for this, and perhaps be more rigorous / bulletproof (for instance, methods of the UserExists object). Unfortunately, I donā€™t know where to find the API for the attributes shown:

Screenshot from 2022-07-19 13-03-02
Screenshot from 2022-07-19 13-03-021714Ɨ926 108 KB

  1. Can someone point me to the API docs for these?
  2. How do you personally ensure a single-login session per user? Is it conceptually as simple as Iā€™ve shown?

As always, thank you!

EDIT: Actually the above snippet is faulty b/c we canā€™t tell if the return from anvil.users.get_user() represents the first login or the Nth. But I think the community understands my need. :blush:

2

I would use user context information, store it in the users table during login, and periodically check (when using many/any server call) to make sure that context matches. If it does not, automatically log out the user.

When a user logs in successfully it should overwrite any previous context info, kicking off the ā€˜oldā€™ user. I doubt this would stop multiple people from the same office using the same browser from using the same login though.

Many other solutions can leave users ā€˜logged inā€™ to sessions they already closed out of, making it impossible for them to get back in.

Similar to code found in these threads:

3

I guess this scenario is fine.

This looks quite good. A couple of follow-ups on this:

  1. Are you storing the anvil.server.context.client.location object itself or either a stringified or key/value representation of it? If object form, the check could be if object1 is not object2: logout(...). Or, if a stringified or key/value representation of it is stored instead, compare the attribute values one-by-one and execute logout(...) if they donā€™t line up.

  2. As for when to periodically check, your suggestion is that natural check-points are just prior to anvil.server.call(...) invocations, and execute logout(ā€¦) if the two objects, or strings, or k/v pairs no longer match. Yes?

  3. Finally, thereā€™s no need to ā€œmanageā€ the context information stored in the users table, because weā€™re simply allowing the latest successful login overwrite it. All we do is step 2 (periodically compare). Yes?

Thank you.

4

I just checked myself and yes, I did have to turn it into a string, since whatever object anvil uses is not serializable into a simple object for use in a simple object column. So you could use a text column instead.

  user_row = app_tables.users.get_by_id(anvil.users.get_user().get_id())
  user_row['context'] = str(anvil.server.context.client)

I have not built it out, but if I were to, I would have a function take the context object ā€œstringā€ and md5 hash it so I didnā€™t unnecessarily store user info I did not need and put it in a text column in the users table. This function would run in a server call alongside a successful anvil.users.login_with_form().

I would then create a server module security function that would compare the current context object hashed string, with whatever was in the table, and if it did not match, run anvil.users.logout().

I might even create an @decorator for this purpose.

from functools import wraps

def with_user_security(func):
  
  @wraps(func)
  def wrapper_func(*args, **kwargs):
    if not your_context_compare_function_here():
        anvil.users.logout()
        #return #  ?? how you want to handle security is up to you
    func(*args, **kwargs)
  return wrapper_func

then later:

@anvil.server.callable
@with_user_security
def any_callable_nmvega_function():
    ...

So yes,

It should handle itself, if you have most of the important bits of whatever you are doing protected inside the server modules. (Otherwise you really donā€™t need/have any security anyway)

3 Likes
5

@ianb I understand your solution and like it. @jshaffstall in a PM liked it, too. (I ratted :rat: him out. LoL). But canā€™t tell you how much I appreciate you guys and the community.

Thank you very much!