The hardware and bandwidth for this mirror is donated by METANET, the Webhosting and Full Service-Cloud Provider.
If you wish to report a bug, or if you are interested in having us mirror your free-software or open-source project, please feel free to contact us at mirror[@]metanet.ch.
shinyauthr
is an R package providing module functions
that can be used to add an authentication layer to your shiny apps.
::install_github("paulc91/shinyauthr") remotes
Code for example apps using various UI frameworks can be found in inst/shiny-examples. You can launch 3
example apps with the runExample
function.
# login with user1 pass1 or user2 pass2
runExample("basic")
runExample("shinydashboard")
runExample("navbarPage")
The package provides 2 module functions each with a UI and server element:
loginUI()
loginServer()
logoutUI()
logoutServer()
Note: the server modules use shiny’s new (version
>= 1.5.0) shiny::moduleServer
method as opposed to the
shiny::callModule
method used by the now deprecated
shinyauthr::login
and shinyauthr::logout
functions. These functions will remain in the package for backwards
compatibility but it is recommended you migrate to the new server
functions. This will require some adjustments to the module server
function calling method used in your app. For details on how to migrate
see the ‘Migrating from callModule to moduleServer’ section of Modularizing
Shiny app code.
Below is a minimal reproducible example of how to use the
authentication modules in a shiny app. Note that this package invisibly
calls shinyjs::useShinyjs()
internally and there is no need
for you to do so yourself (although there is no harm if you do).
library(shiny)
# dataframe that holds usernames, passwords and other user data
<- tibble::tibble(
user_base user = c("user1", "user2"),
password = c("pass1", "pass2"),
permissions = c("admin", "standard"),
name = c("User One", "User Two")
)
<- fluidPage(
ui # add logout button UI
div(class = "pull-right", shinyauthr::logoutUI(id = "logout")),
# add login panel UI function
::loginUI(id = "login"),
shinyauthr# setup table output to show user info after login
tableOutput("user_table")
)
<- function(input, output, session) {
server
# call login module supplying data frame,
# user and password cols and reactive trigger
<- shinyauthr::loginServer(
credentials id = "login",
data = user_base,
user_col = user,
pwd_col = password,
log_out = reactive(logout_init())
)
# call the logout module with reactive trigger to hide/show
<- shinyauthr::logoutServer(
logout_init id = "logout",
active = reactive(credentials()$user_auth)
)
$user_table <- renderTable({
output# use req to only render results when credentials()$user_auth is TRUE
req(credentials()$user_auth)
credentials()$info
})
}
shinyApp(ui = ui, server = server)
When the login module is called, it returns a reactive list containing 2 elements:
user_auth
info
The initial values of these variables are FALSE
and
NULL
respectively. However, given a data frame or tibble
containing user names, passwords and other user data (optional), the
login module will assign a user_auth
value of
TRUE
if the user supplies a matching user name and
password. The value of info
then becomes the row of data
associated with that user which can be used in the main app to control
content based on user permission variables etc.
The logout button will only show when user_auth
is
TRUE
. Clicking the button will reset user_auth
back to FALSE
which will hide the button and show the login
panel again.
You can set the code in your server functions to only run after a
successful login through use of the req()
function inside
all reactives, renders and observers. In the example above, using
req(credentials()$user_auth)
inside the
renderTable
function ensures the table showing the returned
user information is only rendered when user_auth
is
TRUE
.
Most authentication systems use browser cookies to avoid returning
users having to re-enter their user name and password every time they
return to the app. shinyauthr
provides a method for
cookie-based automatic login, but you must create your own functions to
save and load session info into a database with persistent
data storage.
The first required function must accept two parameters
user
and session
. The first of these is the
user name for log in. The second is a randomly generated string that
identifies the session. The app asks the user’s web browser to save this
session id as a cookie.
The second required function is called without parameters and must
return a data.frame of valid user
and session
ids. If the user’s web browser sends your app a cookie which appears in
the session
column, then the corresponding
user
is automatically logged in.
Pass these functions to the login module via
shinyauthr::loginServer(...)
as the
cookie_setter
and cookie_getter
parameters. A
minimal example, using RSQLite
as a local database to write and store user session data, is below.
library(shiny)
library(dplyr)
library(lubridate)
library(DBI)
library(RSQLite)
# connect to, or setup and connect to local SQLite db
if (file.exists("my_db_file")) {
<- dbConnect(SQLite(), "my_db_file")
db else {
} <- dbConnect(SQLite(), "my_db_file")
db dbCreateTable(db, "sessionids", c(user = "TEXT", sessionid = "TEXT", login_time = "TEXT"))
}
# a user who has not visited the app for this many days
# will be asked to login with user name and password again
<- 7 # Days until session expires
cookie_expiry
# This function must accept two parameters: user and sessionid. It will be called whenever the user
# successfully logs in with a password. This function saves to your database.
<- function(user, sessionid, conn = db) {
add_sessionid_to_db tibble(user = user, sessionid = sessionid, login_time = as.character(now())) %>%
dbWriteTable(conn, "sessionids", ., append = TRUE)
}
# This function must return a data.frame with columns user and sessionid Other columns are also okay
# and will be made available to the app after log in as columns in credentials()$user_auth
<- function(conn = db, expiry = cookie_expiry) {
get_sessionids_from_db dbReadTable(conn, "sessionids") %>%
mutate(login_time = ymd_hms(login_time)) %>%
as_tibble() %>%
filter(login_time > now() - days(expiry))
}
# dataframe that holds usernames, passwords and other user data
<- tibble::tibble(
user_base user = c("user1", "user2"),
password = c("pass1", "pass2"),
permissions = c("admin", "standard"),
name = c("User One", "User Two")
)
<- fluidPage(
ui # add logout button UI
div(class = "pull-right", shinyauthr::logoutUI(id = "logout")),
# add login panel UI function
::loginUI(id = "login", cookie_expiry = cookie_expiry),
shinyauthr# setup table output to show user info after login
tableOutput("user_table")
)
<- function(input, output, session) {
server
# call the logout module with reactive trigger to hide/show
<- shinyauthr::logoutServer(
logout_init id = "logout",
active = reactive(credentials()$user_auth)
)
# call login module supplying data frame, user and password cols
# and reactive trigger
<- shinyauthr::loginServer(
credentials id = "login",
data = user_base,
user_col = user,
pwd_col = password,
cookie_logins = TRUE,
sessionid_col = sessionid,
cookie_getter = get_sessionids_from_db,
cookie_setter = add_sessionid_to_db,
log_out = reactive(logout_init())
)
# pulls out the user information returned from login module
<- reactive({
user_data credentials()$info
})
$user_table <- renderTable({
output# use req to only render results when credentials()$user_auth is TRUE
req(credentials()$user_auth)
user_data() %>%
mutate(across(starts_with("login_time"), as.character))
})
}
shinyApp(ui = ui, server = server)
sodium
If you are hosting your user passwords on the internet, it is a good
idea to first encrypt them with a hashing algorithm. You can use the sodium package to do this.
Sodium uses a slow hashing algorithm that is specifically designed to
protect stored passwords from brute-force attacks. More on this here. You then
tell the shinyauthr::loginServer
module that your passwords
have been hashed by sodium
and shinyauthr
will
then decrypt when login is requested. Your plain text passwords must be
a character vector, not factors, when hashing for this to work as shiny
inputs are passed as character strings.
For example, a sample user base like the following can be
incorporated for use with shinyauthr
:
# create a user base then hash passwords with sodium
# then save to an rds file in app directory
library(sodium)
<- tibble::tibble(
user_base user = c("user1", "user2"),
password = purrr::map_chr(c("pass1", "pass2"), sodium::password_store),
permissions = c("admin", "standard"),
name = c("User One", "User Two")
)
saveRDS(user_base, "user_base.rds")
# in your app code, read in the user base rds file
<- readRDS("user_base.rds") user_base
# then when calling the module set sodium_hashed = TRUE
<- shinyauthr::loginServer(
credentials id = "login",
data = user_base,
user_col = user,
pwd_col = password,
sodium_hashed = TRUE,
log_out = reactive(logout_init())
)
shinyauthr
originally borrowed some code from treysp’s
shiny_password
template with the goal of making implementation simpler for end users
and allowing the login/logout UIs to fit easily into any UI framework,
including shinydashboard.
Thanks to Michael Dewar for his contribution of cookie-based authentication. Some code was borrowed from calligross’s Shiny Cookie Based Authentication Example and from an earlier PR from aqualogy.
I’m not a security professional so cannot guarantee this authentication procedure to be foolproof. It is ultimately the shiny app developer’s responsibility not to expose any sensitive content to the client without the necessary login criteria being met.
I would welcome any feedback on any potential vulnerabilities in the process. I know that apps hosted on a server without an SSL certificate could be open to interception of user names and passwords submitted by a user. As such I would not recommend the use of shinyauthr without a HTTPS connection.
For apps intended for use within commercial organisations, I would recommend one of RStudio’s commercial shiny hosting options, or shinyproxy, both of which have built in authentication options.
However, I hope that having an easy-to-implement open-source shiny authentication option like this will prove useful when alternative options are not feasible.
Paul Campbell
These binaries (installable software) and packages are in development.
They may not be fully stable and should be used with caution. We make no claims about them.