decorator to add per handler annotations

[gjcarneiro]

Long story short

With my custom authentication, trying to have an authentication middleware that requires login by default, except for the handlers specifically annotated with a decorator.

def login_exempt(func: F) -> F:
    func.weblogin_login_exempt = True  # type: ignore
    return func

@web.middleware
async def auth_middleware(
    request: web.Request,
    handler: Callable[[web.Request], Awaitable[web.StreamResponse]],
) -> web.StreamResponse:
    print(handler, hasattr(handler, "weblogin_login_exempt"))
    if not hasattr(handler, "weblogin_login_exempt"):
        session = await weblogin.fetch_session(request)
        if not session:
            raise web.HTTPNotFound(
                text=json.dumps(weblogin.SESSION_NOT_FOUND),
                content_type="application/json",
            )
    return await handler(request)


def create_web_app() -> web.Application:
    app = web.Application(
        middlewares=[weblogin.session_middleware, auth_middleware]
    )
    app.on_startup.append(async_init)
    app.on_shutdown.append(do_shutdown)
    app.router.add_route("GET", "/healthz", healthz)

    app.add_subapp("/s/weblogin", weblogin.create_web_app())
    app.add_subapp("/s/userprefs", userprefs.create_web_app())

Expected behaviour

I expect the handler to have weblogin_login_exempt when it has been decorator, causing the framework to skip the usual auth checks.

Actual behaviour

Instead, at least in the case of a subapp, the handler is a functools.partial(), which means the actual handler function is hidden away.

functools.partial(<function _fix_request_current_app.<locals>.impl at 0x7efbf9fb48c8>, handler=<function login at 0x7efbf9f7ba60>)

Only for the toplevel Application is the handler unmodified. For a subapp, handler is wrapped as a functools.partial() object.

In general, I am either missing something obvious, or there is a lack of an API in aiohttp to achieve this sort of thing. I would like to be able to annotate handlers, somehow, and for middleware to fetch the handler annotations.

Steps to reproduce

Your environment

aiohttp 3.6.1, python 37.3.

[asvetlov]

You are writing a middleware that is applicable to only a subset of application handlers.
I don't think that this is a good idea.

[gjcarneiro]

It is only "not a good idea" because it's not possible to do it atm. But I think I have a great use case.

In my use case, I want by default to require authentication for all handlers. But there needs to be exceptions. So the middleware needs to find out what are the exceptions.

I solved it for now by having a simple constant, with a list of paths that the middleware will skip authentication, such as login. But it's not ideal.

Otherwise you would have to decorate all handlers with a @login_required decorator or some such. If you forget one, you can have a serious security vulnerability in the web app.

[gjcarneiro]

I've been looking at how Django handles this, and I think it's an easy fix.

Consider a simple wrappers:

from functools import update_wrapper, wraps, partial


def my_decorator1(func):
    @wraps(func)
    def wrapper():
        return func()
    wrapper.xpto = "xpto"
    return wrapper


def my_decorator2(func):
    @wraps(func)
    def wrapper():
        return func()
    wrapper.zbr = "zbr"
    return wrapper

@my_decorator1
@my_decorator2
def handler(request, xxx):
    return


print(getattr(handler, "xpto"))
print(getattr(handler, "zbr"))

It prints:

xpto
zbr

That's because functools.wraps() will copy attributes over. But if you do functools.partial() it breaks the chain, and attributes are lost:

handler1 = partial(handler, xxx=2)

print(getattr(handler1, "xpto"))
print(getattr(handler1, "zbr"))

You get:

AttributeError: 'functools.partial' object has no attribute 'xpto'

It's easy to fix: just call functools.update_wrapper() after functools.partial().

handler1 = partial(handler, xxx=2)

update_wrapper(handler1, handler)
print(getattr(handler1, "xpto"))
print(getattr(handler1, "zbr"))

Now you get the expected result:

xpto
zbr

So I think we don't need a new API for tagging handlers. We merely need to be careful in aiohttp: whenever using functools.partial() on a handler, call functools.update_wrapper() after.

[asvetlov]

You can try but I suspect the proposed fix doesn't work.

[gjcarneiro]

It works but only if the middleware is the last one. For the other middlewares, the "handler" callable is another middleware instead of the view.

Anyway, it's better than nothing, and is a trivial change to aiohttp, so I hope you don't mind merging it.

I wish there was a better way. But it will require further research. Surely frameworks like Django have to deal with this already?...

[gjcarneiro]

Actually, no, I take it back. It seems to be working with any middleware order. That's because the patch will copy attributes from the view handler into the middleware handler. functools.update_wraper() does modify the function, but anyway since we are already using functools.partial() before that, all middleware functions are aready implicitly copied for every request, so there is no risk of attributes leaking into middleware functions between one request and the next.

Been testing with my patch, and it seems to completely solve it. Any order of middlewares works (within reason, my auth middleware obviously needs the session middleware, long story).