class gafaelfawr.dependencies.auth.Authenticate(*, require_session=False, require_bearer_token=False, require_scope=None, redirect_if_unauthenticated=False, allow_bootstrap_token=False, auth_type=AuthType.Bearer, ajax_forbidden=False)

Bases: object

Dependency to verify user authentication.

This is a class so that multiple authentication policies can be constructed while easily sharing the same code. It is used as a base class for AuthenticateRead and AuthenticateWrite, which provide __call__ implementations that do the work.

Parameters:

  • require_session (bool, default: False) – Require that the credentials come from a cookie, not an Authorization header.

  • require_bearer_token (bool, default: False) – Require that the credentials come from an Authorization header of type bearer and not from any other source.

  • require_scope (str | None, default: None) – If set, access will be denied if the authentication token does not have this scope.

  • redirect_if_unauthenticated (bool, default: False) – If the request is unauthenticated, redirect it to the /login route rather than returning a challenge.

  • allow_bootstrap_token (bool, default: False) – Allow use of the bootstrap token to authenticate to this route.

  • auth_type (AuthType, default: AuthType.Bearer) – The type of the challenge if the user is not authenticated.

  • ajax_forbidden (bool, default: False) – If set to True, check to see if the request was sent via AJAX (see Notes) and, if so, convert it to a 403 error.

Methods Summary

authenticate(context[, x_csrf_token])

Authenticate the request.

Methods Documentation

async authenticate(context, x_csrf_token=None)

Authenticate the request.

Always check the user’s cookie-based session first before checking the Authorization header because some applications (JupyterHub, for instance) may use the Authorization header for their own purposes.

If the request was authenticated via a browser cookie rather than a provided Authorization header, and the method was something other than GET or OPTIONS, require and verify the CSRF header as well.

Parameters:

  • context (RequestContext) – The request context.

  • x_csrf_token (str | None, default: None) – The value of the X-CSRF-Token header, if provided.

Returns:

The data associated with the verified token.

Return type:

Raises:

fastapi.HTTPException – Raised if authentication is not provided or is not valid.
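The decision order described above (session cookie before Authorization header, CSRF check only for cookie-authenticated requests with a method other than GET or OPTIONS, then scope and bootstrap-token policy) as an added, self-contained model. This is example code, not gafaelfawr's implementation: the Request and Session shapes, the in-memory TOKENS store, the AuthError class, the 307 redirect and 403 bootstrap responses, and the X-Requested-With AJAX heuristic are all assumptions made for the example.

```python
"""Constructed model of the Authenticate dependency's decision order.

Added example, not gafaelfawr's code.  Request/Session shapes, TOKENS,
AuthError, the AJAX heuristic and the exact status codes are assumptions.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field

SAFE_METHODS = frozenset({"GET", "OPTIONS"})  # cookie auth skips CSRF for these
BOOTSTRAP_TOKEN = "gt-bootstrap"  # constructed value for this example


@dataclass(frozen=True)
class TokenData:
    username: str
    scopes: frozenset[str]


# Constructed token store (token -> data); a deployment would look these up.
TOKENS = {
    "gt-session-alice": TokenData("alice", frozenset({"read:all"})),
    "gt-bearer-bot": TokenData("bot", frozenset({"read:all", "exec:admin"})),
    BOOTSTRAP_TOKEN: TokenData("bootstrap", frozenset({"admin:token"})),
}


@dataclass(frozen=True)
class Session:
    token: str  # token carried in the session cookie
    csrf: str   # CSRF value bound to that session


@dataclass
class Request:
    method: str
    session: Session | None = None
    headers: dict[str, str] = field(default_factory=dict)


class AuthError(Exception):
    """Stands in for fastapi.HTTPException in this example."""

    def __init__(self, status: int, detail: str, headers: dict[str, str] | None = None):
        super().__init__(detail)
        self.status, self.detail, self.headers = status, detail, headers or {}


def bearer_token(header: str | None) -> str | None:
    """Return the token from 'Authorization: Bearer <token>', else None."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return value.strip() or None


@dataclass
class Authenticate:
    require_session: bool = False
    require_bearer_token: bool = False
    require_scope: str | None = None
    redirect_if_unauthenticated: bool = False
    allow_bootstrap_token: bool = False
    auth_type: str = "bearer"  # stands in for AuthType
    ajax_forbidden: bool = False

    def authenticate(self, request: Request, x_csrf_token: str | None = None) -> TokenData:
        token, from_cookie = None, False
        if self.require_bearer_token:
            token = bearer_token(request.headers.get("Authorization"))
        elif request.session is not None:
            # Cookie first: another app (JupyterHub, per the doc) may own the header.
            token, from_cookie = request.session.token, True
        elif not self.require_session:
            token = bearer_token(request.headers.get("Authorization"))
        if token is None:
            raise self._unauthenticated(request)
        if from_cookie and request.method not in SAFE_METHODS:
            # A cross-site page can trigger a cookie-bearing state change, so
            # demand the CSRF header and compare it in constant time.
            if x_csrf_token is None or not hmac.compare_digest(x_csrf_token, request.session.csrf):
                raise AuthError(403, "Missing or invalid X-CSRF-Token header")
        if token == BOOTSTRAP_TOKEN and not self.allow_bootstrap_token:
            raise AuthError(403, "Bootstrap token not allowed on this route")  # assumed status
        data = TOKENS.get(token)
        if data is None:
            raise AuthError(401, "Invalid token", {"WWW-Authenticate": self._challenge()})
        if self.require_scope and self.require_scope not in data.scopes:
            raise AuthError(403, f"Token lacks required scope {self.require_scope}")
        return data

    def _challenge(self) -> str:
        return self.auth_type.capitalize()  # e.g. "Bearer"

    def _unauthenticated(self, request: Request) -> AuthError:
        # Assumed AJAX heuristic; the page's Notes section is not reproduced here.
        if self.ajax_forbidden and request.headers.get("X-Requested-With") == "XMLHttpRequest":
            return AuthError(403, "Unauthenticated AJAX request")
        if self.redirect_if_unauthenticated:
            return AuthError(307, "Redirect to login", {"Location": "/login"})
        return AuthError(401, "Authentication required", {"WWW-Authenticate": self._challenge()})


def outcome(auth: Authenticate, request: Request, x_csrf_token: str | None = None):
    """Run a policy and return (status, username, headers) for easy checking."""
    try:
        data = auth.authenticate(request, x_csrf_token)
    except AuthError as exc:
        return exc.status, None, exc.headers
    return 200, data.username, {}
```

The point to notice is that the CSRF requirement is tied to how the credential arrived, not to the route: the same POST succeeds with a bearer header and no CSRF token, because a browser will not attach a custom Authorization header cross-site, but fails with only the session cookie until the X-CSRF-Token header matches the value bound to that session.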