
@mtanco
Created September 12, 2022 19:24
This Wave app for H2O's AI App Store shows the app content only to users who hold a specific authorization role and shows an access-denied page to everyone else.
from h2o_wave import main, app, Q, ui
import jwt
@app('/')
async def serve(q: Q):
    """Entry point for requests to the app root.

    Sets the required authorization role once for the whole app, runs the
    per-tab access check for any browser tab not yet marked initialized, and
    then saves the page.
    """
    app_state, tab_state = q.app, q.client

    # App-wide setup: record which role is required to use the app.
    if not app_state.initialized:
        app_state.authorization_role = "my_important_group"
        app_state.initialized = True

    # A tab is only marked initialized after it passed the role check, so a
    # denied tab is re-checked on each request.
    if not tab_state.initialized:
        initialize_new_browser_tab(q)

    await q.page.save()
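def initialize_new_browser_tab(q: Q):
    """Show the home card to users in the required role, else an access-denied card.

    Reads the claims from ``q.auth.access_token`` and checks whether
    ``q.app.authorization_role`` is among the user's groups. Only on success is
    ``q.client.initialized`` set, so a denied tab is checked again on its next
    request. Any token that cannot be decoded, or whose groups claim is missing
    or not a list, is treated as "no access" (fail closed).

    Requirement: app.toml has `EnableOIDC = true`.
    """
    # NOTE(review): the signature is NOT verified here, and with
    # verify_signature=False PyJWT also skips the expiry and audience checks.
    # The claims are therefore only as trustworthy as the channel that put the
    # token into q.auth; this presumably relies on the Wave server having
    # obtained it from the identity provider itself. Confirm that for your
    # deployment, or verify the token against the provider's signing keys
    # (with an explicit `algorithms` list) before using it for authorization.
    try:
        user_details = jwt.decode(q.auth.access_token, options={"verify_signature": False})
    except jwt.InvalidTokenError:
        # Missing or malformed token: deny instead of crashing the handler.
        user_details = {}

    # The decoded claims are deliberately not printed: they hold personal data
    # (username, group memberships) that should not end up in application logs.
    # Inspect them in a development environment with an example token instead.

    # This assumes the groups are in a claim called "groups", which is the
    # default; update the key if your identity provider uses another name.
    groups = user_details.get("groups")
    if not isinstance(groups, (list, tuple)):
        # A bare string would turn the `in` test below into a substring match,
        # and a missing claim would raise; both cases are treated as no groups.
        groups = ()

    if q.app.authorization_role not in groups:
        username = user_details.get("preferred_username", "This user")
        q.page["access_denied"] = ui.form_card(
            box="1 1 -1 -1",
            items=[
                ui.text_xl("Access Denied!"),
                ui.text(f"{username} does not have access to use this app."),
                ui.text("To request access... (this is just a demo)")
            ]
        )
        return

    q.page["home"] = ui.form_card(
        box="1 1 -1 -1",
        items=[
            ui.text_xl("You have access to this app!"),
            ui.text("Here is some super cool functionalities!")
        ]
    )

    # Only authorized users reach this point. NOTE(review): once set, the role
    # is not re-checked for this tab, so a later role change only takes effect
    # in a new tab or session.
    q.client.initialized = True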
# Configuration file for running this app in an AI App Store
[App]
Name = "h2o.app.demo.role_based_access"
Version = "0.0.1"
Title = "Limited Roles Example"
# As the description states, every user can launch this app; the role check
# inside the app code is the only thing that gates its functionality.
Description = "All users can view / run / access this app but only some can actually use the functionality."
[Runtime]
# Presumably the Python module that defines the @app handler - confirm against your layout.
Module = "app"
EnableOIDC = true # Required - ensures our app can know what roles this user is in
h2o-wave==0.22.0
pyjwt==2.4.0