baseplate.lib.edge_context

The EdgeRequestContext provides an interface into both authentication and context information about the original request from a user. For edge services, it provides helpers to create the initial object and serialize the context information into the appropriate headers. Once this object is created and attached to the context, Baseplate will automatically forward the headers to downstream services so they can access the authentication and context data as well.

class baseplate.lib.edge_context.EdgeRequestContextFactory(secrets)[source]

Factory for creating EdgeRequestContext objects.

Every application should set one of these up. Edge services that talk directly with clients should use new() directly. For internal services, pass the object off to Baseplate’s framework integration (Thrift/Pyramid) for automatic use.

Parameters:secrets (baseplate.lib.secrets.SecretsStore) – A configured secrets store.
new(authentication_token=None, loid_id=None, loid_created_ms=None, session_id=None, device_id=None)[source]

Return a new EdgeRequestContext object made from scratch.

Services at the edge that communicate directly with clients should use this to pass on the information they get to downstream services. They can then use this information to check authentication, run experiments, etc.

To use this, create and attach the context early in your request flow:

auth_cookie = request.cookies["authentication"]
token = request.authentication_service.authenticate_cookie(cookie)
loid = parse_loid(request.cookies["loid"])
session = parse_session(request.cookies["session"])
device_id = request.headers["x-device-id"]

edge_context = self.edgecontext_factory.new(
    authentication_token=token,
    loid_id=loid.id,
    loid_created_ms=loid.created,
    session_id=session.id,
    device_id=device_id,
)
edge_context.attach_context(request)
Parameters:
  • authentication_token (Optional[bytes]) – A raw authentication token as returned by the authentication service.
  • loid_id (Optional[str]) – ID for the current LoID in fullname format.
  • loid_created_ms (Optional[int]) – Epoch milliseconds when the current LoID cookie was created.
  • session_id (Optional[str]) – ID for the current session cookie.
  • session_id – ID for the device where the request originated from.
Return type:

EdgeRequestContext

from_upstream(edge_header)[source]

Create and return an EdgeRequestContext from an upstream header.

This is generally used internally to Baseplate by framework integrations that automatically pick up context from inbound requests.

Parameters:edge_header (Optional[bytes]) – Raw payload of Edge-Request header from upstream service.
Return type:EdgeRequestContext
class baseplate.lib.edge_context.EdgeRequestContext(authn_token_validator, header)[source]

Contextual information about the initial request to an edge service.

Construct this using an EdgeRequestContextFactory.

attach_context(context)[source]

Attach this to the provided RequestContext.

Parameters:context (RequestContext) – request context to attach this to
Return type:None
event_fields()[source]

Return fields to be added to events.

Return type:Dict[str, Any]
user[source]

User object for the current context.

oauth_client[source]

OAuthClient object for the current context.

device[source]

Device object for the current context.

session[source]

Session object for the current context.

service[source]

Service object for the current context.

class baseplate.lib.edge_context.User[source]

Wrapper for the user values in AuthenticationToken and the LoId cookie.

authentication_token

Alias for field number 0

loid

Alias for field number 1

cookie_created_ms

Alias for field number 2

id

Return the authenticated account_id for the current User.

Raises:NoAuthenticationError if there was no authentication token, it was invalid, or the subject is not an account.
Return type:Optional[str]
is_logged_in

Return if the User has a valid, authenticated id.

Return type:bool
roles

Return the authenticated roles for the current User.

Raises:NoAuthenticationError if there was no authentication token or it was invalid
Return type:Set[str]
has_role(role)[source]

Return if the authenticated user has the specified role.

Parameters:client_types – Case-insensitive sequence role name to check.
Raises:NoAuthenticationError if there was no authentication token defined for the current context
Return type:bool
event_fields()[source]

Return fields to be added to events.

Return type:Dict[str, Any]
class baseplate.lib.edge_context.OAuthClient[source]

Wrapper for the OAuth2 client values in AuthenticationToken.

authentication_token

Alias for field number 0

id

Return the authenticated id for the current client.

Raises:NoAuthenticationError if there was no authentication token defined for the current context
Return type:Optional[str]
is_type(*client_types)[source]

Return if the authenticated client type is one of the given types.

When checking the type of the current OauthClient, you should check that the type “is” one of the allowed types rather than checking that it “is not” a disallowed type.

For example:

if oauth_client.is_type("third_party"):
    ...

not:

if not oauth_client.is_type("first_party"):
    ...
Parameters:client_types (str) – Case-insensitive sequence of client type names that you want to check.
Raises:NoAuthenticationError if there was no authentication token defined for the current context
Return type:bool
event_fields()[source]

Return fields to be added to events.

Return type:Dict[str, Any]
class baseplate.lib.edge_context.Session[source]

Wrapper for the session values in the EdgeRequestContext.

id

Alias for field number 0

class baseplate.lib.edge_context.Service[source]

Wrapper for the Service values in AuthenticationToken.

authentication_token

Alias for field number 0

name

Return the authenticated service name.

Type:name string or None if context authentication is invalid
Raises:NoAuthenticationError if there was no authentication token, it was invalid, or the subject is not a service.
Return type:str
class baseplate.lib.edge_context.AuthenticationToken[source]

Information about the authenticated user.

EdgeRequestContext provides high-level helpers for extracting data from authentication tokens. Use those instead of direct access through this class.

subject

Return the raw subject that is authenticated.

Return type:Optional[str]
exception baseplate.lib.edge_context.NoAuthenticationError[source]

Raised when trying to use an invalid or missing authentication token.