Unfortunately I don’t have a good solution for you right now. We are working on this as part of the Streamlit for Teams offering which is in limited beta right now and will be rolling out in early 2020.
If you don’t need true authentication, you could just set up a passphrase using st.text_input and only show the app if the answer matches the passphrase you set. It’s not ideal, but if you are just trying to gate access that would work. A related feature request we’re tracking will also enable password text_inputs.
Thank you for using Streamlit and we apologize for the delay. We’ve been a bit overwhelmed with the amount of questions coming in since launch.
I have a very hacky but 9000% secure solution for you =)
Deploy an app to a server
Close all ports except 22 (ssh)
Launch streamlit on some port locally
Do not expose this port to the world
Use ssh tunnel to access your streamlit app
Whenever you grant access to someone just add his public ssh key to authorized_keys
(we do it all the time with notebooks and similar things)
Even if you could, it wouldn’t really be secure. The streamlit app contained within the iframe would still be open to the world and exploitable by anybody scanning for open ports.
One way to do this would be to set up the streamlit app behind a web server reverse proxy, using https (Apache2 or Nginx). Here’s a good stackoverflow conversation about how to make this work on Nginx (in the example, imagine that your streamlit app is running on port 3001). Then you would need to apply HTTPS settings to those server definitions as in the Nginx https documentation here.
Then you would load the iframe with the basic Auth params supplied in the URL through your user-authenticated web page. It’s not a perfect solution, but at least you can guarantee that the credentials will only be embedded in pages meant for logged-in users. You’ll have to trust your users not to reshare the link.
I know this seems convoluted; right now Streamlit has been optimized as an internal tool for sharing data science and ML results. We can see that people really want to use it as a web app deployment tool, and our engineering path is being influenced by that!
We tried your proposed solution with text_input; however, now it is always displaying the password. Is there a way to hide this text input widget after a ‘successful match’ or text provided in it?
    import os

    import streamlit as st
    from bokeh.models.widgets import Div


    def main():
        # wrapped in a function so the early return below is valid
        password = st.sidebar.text_input("Password:", value="")
        # select our text input field and make it into a password input
        js = "el = document.querySelectorAll('.sidebar-content input')[0]; el.type = 'password';"
        # passing js code to the onerror handler of an img tag with no src
        # triggers an error and allows automatically running our code
        html = f'<img src onerror="{js}">'
        # in contrast to st.write, this seems to allow passing javascript
        div = Div(text=html)
        st.bokeh_chart(div)
        # the expected password is read from the PASSWORD environment variable
        if password != os.environ["PASSWORD"]:
            st.error("the password you entered is incorrect")
            return
exactly, thanks. unfortunately, it seems i can’t edit my previous post anymore, but thanks for clearing that up.
The workaround isn’t needed anymore, however, as newer versions of streamlit do support a password field: st.text_input("Password:", value="", type="password")
I have this below code to do the minimal user authentication. This is based on the SessionState hack here. Is there a better approach to achieve the below functionality?
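    import streamlit as st
    from SessionState import get

    # main() is the app's own entry point, defined elsewhere in the script
    session_state = get(password='')

    if session_state.password != 'pwd123':
        # not authenticated yet: show the password field in the sidebar
        pwd_placeholder = st.sidebar.empty()
        pwd = pwd_placeholder.text_input("Password:", value="", type="password")
        session_state.password = pwd
        if session_state.password == 'pwd123':
            # correct password: remove the input widget and show the app
            pwd_placeholder.empty()
            main()
        else:
            st.error("the password you entered is incorrect")
    else:
        main()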
I did a simple test and oauth2-proxy seems to be an interesting option!
It’s a simple oauth proxy, therefore I could protect my streamlit application behind a google-login page.
Please be aware that oauth is not a trivial flow, so consider wisely all your requirements (i.e. logout, security, etc.)
You need the SessionState gist. I.e. put the file SessionState.py from here in your project.
There are different versions of the SessionState gist out there, but it looks like this one is recent. See e.g. this thread for some additional inspiration.
Hi,
I’m trying to use this solution. But the following happens when 2 users use the app at the same time. Example:
User A inputs his password (let’s say ‘pwd_A’) through ‘pwd = st.text_input(…)’ and I save it using session_state.password = pwd.
Then another user (different device) comes and inputs his password (let’s say pwd_B).
What happens is that for BOTH sessions, now session_state.password is pwd_B (somehow user 2 overwrote session_state.password for user 1).
Can anybody help please?
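An added example, not code from any poster or from Streamlit: a password gate for the pattern in the SessionState snippet above that stores a salted hash instead of a literal password, compares in constant time, and keeps only an `authenticated` flag in state belonging to one session, which is the property the two-user report above depends on. The `session` dict is an assumption standing in for whatever per-session state object the app uses; `gate`, `password_ok`, the iteration count and the sample passphrase are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; store this, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def password_ok(submitted: str, salt: bytes, stored_hash: bytes) -> bool:
    """Compare the derived hash with the stored one in constant time."""
    return hmac.compare_digest(hash_password(submitted, salt), stored_hash)


def gate(session: dict, submitted: str, salt: bytes, stored_hash: bytes) -> bool:
    """Return True if this session may see the app.

    `session` must be state private to one browser session. Only a boolean
    is kept in it, never the submitted password.
    """
    if session.get("authenticated"):
        return True
    if submitted and password_ok(submitted, salt, stored_hash):
        session["authenticated"] = True
        return True
    return False


def demo() -> dict:
    # Constructed sample data: in a deployment the salt and hash come from
    # configuration or a secret store, generated once offline.
    salt = os.urandom(16)
    stored = hash_password("correct horse battery staple", salt)
    user_a, user_b = {}, {}  # one state dict per browser session
    return {
        "a_wrong": gate(user_a, "guess", salt, stored),
        "a_right": gate(user_a, "correct horse battery staple", salt, stored),
        "a_rerun": gate(user_a, "", salt, stored),  # later rerun, no input
        "b_wrong": gate(user_b, "guess", salt, stored),  # B unaffected by A
    }


if __name__ == "__main__":
    print(demo())
```

In a Streamlit script the call would be made once per rerun, showing the app only when `gate` returns True.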