Authentication with Sessions
Setup Session Middleware
import os
from html import escape

from stario import Stario
from stario.middleware import SessionMiddleware
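app = Stario()
# The session secret is read from the environment rather than written into
# the source: a literal key ends up in version control and lets anyone who
# can read it forge session cookies. SESSION_SECRET is an example variable
# name; use whatever your deployment provides. Cookie hardening flags
# (secure/httponly/samesite) are shown in the "Secure Cookies" section.
app.add_middleware(
    SessionMiddleware,
    secret_key=os.environ["SESSION_SECRET"],
    session_cookie="session_id",
    max_age=86400,  # 1 day
)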
Login Endpoint
from stario import Command
from stario.requests import Request
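@app.command("/login")
async def login(request: Request, username: str = "", password: str = ""):
    """Verify the submitted credentials and start an authenticated session.

    On success the user's id and name are stored in the session and the
    browser is redirected to /dashboard. On failure a generic error fragment
    is returned; the same message is used whether the username is unknown or
    the password is wrong, so the response body does not reveal which
    accounts exist.
    """
    user = db.find_user(username)
    # NOTE(review): when the user is unknown, verify_password is skipped, so
    # the two failure paths may differ in timing — confirm whether that
    # matters for your threat model.
    if user and verify_password(password, user.password_hash):
        # Drop anything stored before authentication so pre-login state is
        # not carried across the privilege boundary. Whether clear() also
        # rotates the session id (session-fixation defence) depends on
        # SessionMiddleware — verify against its implementation.
        request.session.clear()
        request.session["user_id"] = user.id
        request.session["username"] = user.username
        return redirect("/dashboard")
    return html('<p class="error">Invalid credentials</p>')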
Protect Endpoints
from stario import Query
from stario.requests import Request
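@app.query("/dashboard")
async def dashboard(request: Request):
    """Render the dashboard for the signed-in user.

    Redirects to /login when the session carries no user_id. A session whose
    user can no longer be loaded is handled the same way: the stale session
    is cleared and the browser is sent back to /login instead of the handler
    failing on an attribute of None.
    """
    if "user_id" not in request.session:
        return redirect("/login")
    user_id = request.session["user_id"]
    user = db.get_user(user_id)
    if user is None:
        request.session.clear()
        return redirect("/login")
    # Escape before interpolating: the username is user-supplied, and an
    # unescaped value would be rendered as markup (stored XSS).
    return html(f"<h1>Welcome {escape(str(user.username))}</h1>")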
Logout
from stario import Command
from stario.requests import Request
@app.command("/logout")
async def logout(request: Request):
    """End the current session and send the browser to the landing page.

    Everything stored in the session (user_id, username, preferences) is
    discarded. Whether the session cookie itself is invalidated or merely
    emptied depends on SessionMiddleware — verify against its implementation.
    """
    session = request.session
    session.clear()
    return redirect("/")
Check Authentication
from stario import Query
from stario.requests import Request
async def require_auth(request: Request):
    """Return the signed-in user's id from the session.

    Only the presence of ``user_id`` is checked; whether that user still
    exists is left to the caller.

    Raises:
        UnauthorizedError: when the session has no ``user_id``.
    """
    session = request.session
    if "user_id" in session:
        return session["user_id"]
    raise UnauthorizedError("Not authenticated")
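@app.query("/profile")
async def profile(request: Request):
    """Show the signed-in user's e-mail address.

    The session check happens inside the body. A default argument such as
    ``user_id: int = require_auth(request)`` is evaluated once, when the
    function is defined, where ``request`` is not bound (NameError at import
    time) and the coroutine would never be awaited. ``request`` is taken by
    annotation instead, as in the other handlers on this page.

    Raises:
        UnauthorizedError: propagated from require_auth when not signed in.
    """
    user_id = await require_auth(request)
    user = db.get_user(user_id)
    if user is None:
        # Stale session for a user that can no longer be loaded.
        request.session.clear()
        return redirect("/login")
    # Escape: the e-mail address is user-controlled data going into HTML.
    return html(f"<p>{escape(str(user.email))}</p>")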
Session Data
from stario import Command
from stario.requests import Request
@app.command("/set-preference")
async def set_preference(request: Request, theme: str):
    """Remember the caller's theme choice in their session.

    ``theme`` is stored exactly as received; it is untrusted input, so any
    code that later renders it into HTML must escape it. This handler does
    not require a signed-in user — an anonymous session can set it too.
    """
    session = request.session
    session["theme"] = theme
    session.save()  # Persist to store
    return {"status": "ok"}
Secure Cookies
from stario.middleware import SessionMiddleware
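app.add_middleware(
    SessionMiddleware,
    # The key signs every session cookie: load it from the environment, never
    # a literal in source. SESSION_SECRET is an example variable name.
    secret_key=os.environ["SESSION_SECRET"],
    session_cookie="session_id",
    max_age=3600,  # 1 hour; a short lifetime limits the window for a stolen cookie
    secure=True,  # Only HTTPS
    httponly=True,  # No JavaScript access
    samesite="Strict",  # CSRF protection: cookie is not sent on cross-site requests
)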