sda.dashboard.api.cloud_auth

SDA-Cloud: Microsoft Entra delegated sign-in for the hosted dashboard.

Enable by setting environment variables (see cloud_auth_enabled()). Uses the SDA-Cloud confidential app registration (Web redirect) — distinct from SDA-Desktop (public client) used by CLI / get_access_token_interactive.

Tokens are stored in a server-side in-memory store (_TOKEN_STORE) keyed by a random session ID. Only the session ID (a short random string) is kept in the signed session cookie, keeping cookie size well under the 4 KB browser limit.
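The storage model described above, sketched as an added example (not this module's own code): the function names, the layout of the store, the 32-byte ID length, the `"access"` token key and the plain `dict` standing in for the signed cookie session are all assumptions made for illustration.

```python
from __future__ import annotations

import hmac
import secrets

SESSION_KEY_ID = "sda_session_id"      # key names as listed on this page
SESSION_KEY_STATE = "sda_oauth_state"

# Hypothetical layout: session ID -> token dict. Never leaves the server.
_TOKEN_STORE: dict[str, dict[str, str]] = {}


def begin_login(session: dict) -> str:
    """Create the OAuth state value and remember it in the cookie session."""
    state = secrets.token_urlsafe(32)
    session[SESSION_KEY_STATE] = state
    return state


def finish_login(session: dict, returned_state: str, tokens: dict[str, str]) -> bool:
    """Verify state, then keep tokens server-side; only the ID enters the cookie."""
    expected = session.pop(SESSION_KEY_STATE, "")  # single use, even on failure
    # Compare as bytes: compare_digest rejects non-ASCII str input.
    if not expected or not hmac.compare_digest(expected.encode(), returned_state.encode()):
        return False
    _TOKEN_STORE.pop(session.get(SESSION_KEY_ID, ""), None)  # drop any older entry
    session_id = secrets.token_urlsafe(32)  # fresh ID at login (no fixation)
    _TOKEN_STORE[session_id] = dict(tokens)
    session[SESSION_KEY_ID] = session_id
    return True


def access_token_for(session: dict) -> str | None:
    """Resolve the cookie's session ID to the stored access token, if any."""
    entry = _TOKEN_STORE.get(session.get(SESSION_KEY_ID, ""))
    return entry.get("access") if entry else None


def logout(session: dict) -> None:
    """Remove the server-side tokens first, then empty the cookie session."""
    _TOKEN_STORE.pop(session.pop(SESSION_KEY_ID, ""), None)
    session.clear()
```

Because the store lives in process memory, a restart or a second worker process will not see existing entries, so affected sessions resolve to no token and must sign in again.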

Attributes

Classes

CloudGraphTokenMiddleware

Inject Graph token into context; redirect/block unauthenticated requests.

Functions

cloud_auth_enabled()

Return True when all required SDA-Cloud OAuth settings are present.

auth_login(request)

Redirect browser to Microsoft login (authorization code flow).

auth_callback(request[, code, state])

OAuth redirect URI handler: exchange code and store tokens in session.

auth_me(request)

Return whether the session holds a valid Graph access token (for SPA gating).

auth_logout(request)

Clear session and server-side token, then return to home.

install_cloud_auth(app)

Register session + token middleware and auth routes (before CORS in app factory).

Module Contents

sda.dashboard.api.cloud_auth.logger
sda.dashboard.api.cloud_auth.SESSION_KEY_ID = 'sda_session_id'
sda.dashboard.api.cloud_auth.SESSION_KEY_STATE = 'sda_oauth_state'
sda.dashboard.api.cloud_auth.SESSION_KEY_ACCESS = 'sda_graph_access_token'
sda.dashboard.api.cloud_auth.SESSION_KEY_REFRESH = 'sda_graph_refresh_token'
sda.dashboard.api.cloud_auth.cloud_auth_enabled()

Return True when all required SDA-Cloud OAuth settings are present.

sda.dashboard.api.cloud_auth.router
async sda.dashboard.api.cloud_auth.auth_login(request)

Redirect browser to Microsoft login (authorization code flow).

async sda.dashboard.api.cloud_auth.auth_callback(request, code='', state='')

OAuth redirect URI handler: exchange code and store tokens in session.

async sda.dashboard.api.cloud_auth.auth_me(request)

Return whether the session holds a valid Graph access token (for SPA gating).

async sda.dashboard.api.cloud_auth.auth_logout(request)

Clear session and server-side token, then return to home.

class sda.dashboard.api.cloud_auth.CloudGraphTokenMiddleware(app, dispatch=None)

Bases: starlette.middleware.base.BaseHTTPMiddleware

Inject Graph token into context; redirect/block unauthenticated requests.

async dispatch(request, call_next)
app
dispatch_func
sda.dashboard.api.cloud_auth.install_cloud_auth(app)

Register session + token middleware and auth routes (before CORS in app factory).