# Auth



## Why Use Plash Auth?

Setting up Google OAuth authentication traditionally requires:

- Google Cloud Console project setup and OAuth consent screen
  configuration
- Secure credential management and rotation in production
- Managing redirect URLs across development, staging, and production
  environments
- Complex local testing workarounds (OAuth typically breaks without
  HTTPS and registered domains)

**Plash Auth eliminates this complexity** by providing a simple wrapper
around the OAuth flow. We handle all the Google Cloud setup, credential
management, and redirect configuration for you.

## Tutorial

### 0. Setup

This tutorial will show you how to add Google OAuth authentication to
your FastHTML apps deployed on Plash. With Plash’s built-in auth system,
you can easily implement secure sign-in functionality without managing
OAuth secrets or redirect URLs yourself.

**Prerequisites:**

- A registered account at <https://pla.sh>
- Completed the [basic tutorial](../index.qmd) for deploying your first
  app

This tutorial focuses on FastHTML, but any Plash app can technically
make use of Plash Auth.

### 1. Create Your Auth App

First, create a new directory for the auth example and change into it.

``` bash
mkdir -p auth-example-app
cd auth-example-app
```

### 2. Create your app

Create a `main.py` file for your app and paste in the minimum working
example from below:

``` python
from fasthtml.common import *
from plash_cli.auth import *

app, rt = fast_app()

@rt
def index(session):
    if uid:=session.get('uid'):
        return (H1(f"Welcome! You are logged in as user: {uid}"),
                A("Logout", href="/logout"))
    else:
        return (
            H1("Welcome! Please sign in."),
            A("Sign in with Google", href=mk_signin_url(session)))

@rt(signin_completed_rt)
def signin_completed(session, signin_reply: str):
    try: 
        uid = goog_id_from_signin_reply(session, signin_reply)
        session['uid'] = uid
        return RedirectResponse('/', status_code=303)
    except PlashAuthError as e:
        return Div(
            H2("Login Failed"),
            P(f"There was an error signing you in: {e}"),
            A("Try Again", href="/")
        )
    
@rt('/logout')
def logout(session):
    session.pop('uid', None)  # no KeyError if the user is already logged out
    return RedirectResponse('/', status_code=303)

serve()
```

Line 8  
Verify if user is logged in

Line 14  
Generate Auth login URL

Line 16  
Receive Auth callback

Line 19  
Extract user ID from successful Auth response

Line 22  
Handle Auth authentication errors

Line 31  
Clear user session to log out

### 3. Add requirements

Create a `requirements.txt` file listing the packages your app needs. In
addition to `python-fasthtml`, it must now include the `plash-cli`
package.

``` text
python-fasthtml
plash-cli
```

### 4. Deploy Your Auth App

With those two files created, we are ready to deploy.

``` bash
plash_deploy
```

### 5. Try it out!

Visit your deployed app:

``` bash
plash_view
```

Test the authentication flow:

1.  **Sign in** → redirects to Google OAuth
2.  **Grant permission** → returns to your app with user ID
3.  **Session management** → handled by FastHTML sessions
4.  **Logout** → clears session

## Next steps

### Local use

Plash Auth only works when deployed on Plash. When you run locally with
`python main.py`, you’ll get a test user with ID `424242424242424242424`
for development.

If you need realistic authentication testing, deploy a development
version (e.g. `dev-my-app.pla.sh`) since Plash deployments are fast and
low-cost.

### Restricting access

With the tutorial example above, anyone can log in to your app. If you
want to restrict access to your app, you can provide email or domain
filters to the
[`mk_signin_url`](https://AnswerDotAI.github.io/plash_cli/auth.html#mk_signin_url)
function using the `email_re` parameter (to match specific email
addresses) or `hd_re` parameter (to match Google hosted domains like
your organization’s domain).
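
An added example, not part of the Plash documentation or code: an unanchored pattern such as `example.com` also accepts lookalike values under some regex matching modes, so the helper below escapes and anchors an allowlist and audits it against constructed lookalikes. The page does not state how Plash applies `email_re` and `hd_re`; Python `re` semantics are assumed, and `exact_re`, `accepted`, `audit` and all sample values are hypothetical.

```python
import re

def exact_re(values):
    """Pattern that matches only the listed strings, whether the caller
    applies it with re.search, re.match or re.fullmatch."""
    alternatives = "|".join(re.escape(v) for v in values)
    return rf"\A(?:{alternatives})\Z"

def accepted(pattern, value):
    """Names of the matching modes under which `pattern` accepts `value`.
    Assumption: the page does not say which mode Plash uses, so try all."""
    modes = {"search": re.search, "match": re.match, "fullmatch": re.fullmatch}
    return {name for name, fn in modes.items() if fn(pattern, value)}

# Constructed sample values (reserved example/test names, not real accounts).
ALLOWED_DOMAIN = "example.com"
LOOKALIKE_DOMAINS = ["example.com.lookalike.test", "notexample.com", "exampleXcom"]
ALLOWED_EMAILS = ["alice@example.com", "bob@example.com"]
LOOKALIKE_EMAILS = ["malice@example.com", "bob@example.com.lookalike.test"]

LOOSE_HD_RE = "example.com"               # unanchored, unescaped dot
HD_RE = exact_re([ALLOWED_DOMAIN])        # \A(?:example\.com)\Z
EMAIL_RE = exact_re(ALLOWED_EMAILS)

def audit(pattern, allowed, lookalikes):
    """Return (wrongly_accepted, wrongly_rejected) for a candidate pattern.
    A lookalike counts as accepted if any mode accepts it; an allowed value
    counts as rejected unless every mode accepts it."""
    wrongly_accepted = {v: sorted(accepted(pattern, v))
                        for v in lookalikes if accepted(pattern, v)}
    wrongly_rejected = [v for v in allowed if len(accepted(pattern, v)) < 3]
    return wrongly_accepted, wrongly_rejected

if __name__ == "__main__":
    print("loose hd_re :", audit(LOOSE_HD_RE, [ALLOWED_DOMAIN], LOOKALIKE_DOMAINS))
    print("strict hd_re:", audit(HD_RE, [ALLOWED_DOMAIN], LOOKALIKE_DOMAINS))
    print("email_re    :", audit(EMAIL_RE, ALLOWED_EMAILS, LOOKALIKE_EMAILS))
    # In the app, the page's parameters would receive these strings, e.g.
    # mk_signin_url(session, hd_re=HD_RE) or mk_signin_url(session, email_re=EMAIL_RE)
```

Running `audit` on your own pattern before deploying shows whether it admits more than the intended domain or addresses, regardless of which matching mode is applied.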

### User data access

Plash Auth only provides the user’s unique Google ID. If you need
additional user information (name, email) or Google service access
(Drive, Gmail), you’ll need to implement full OAuth yourself using
[FastHTML’s OAuth
documentation](https://www.fastht.ml/docs/explains/oauth.html).

**For most applications that just need secure user authentication, Plash
Auth is the simplest solution.**
