Added authentication

Author: slinjhu

landing/public/content/docs/authentication.md

@@ -1,3 +1,143 @@
 # Authentication
 
-This page is under construction.
+SmooSense supports optional authentication using Auth0. When configured, all pages require users to log in before accessing the application.
+
+## Overview
+
+Authentication is **optional** by default. If no Auth0 credentials are configured, SmooSense runs without authentication and all pages are publicly accessible. This is suitable for local development or private deployments.
+
+When Auth0 is configured, users must authenticate before accessing any page. Unauthenticated users are redirected to Auth0's login page.
+
+## Setting Up Auth0
+
+### 1. Create an Auth0 Application
+
+1. Go to [Auth0 Dashboard](https://manage.auth0.com/)
+2. Navigate to **Applications > Applications**
+3. Click **Create Application**
+4. Choose **Regular Web Application**
+5. Note your **Domain**, **Client ID**, and **Client Secret**
+
+### 2. Configure Callback URLs
+
+In your Auth0 application settings, configure:
+
+- **Allowed Callback URLs**: `http://localhost:8000/auth/callback`
+- **Allowed Logout URLs**: `http://localhost:8000`
+
+For production, replace `localhost:8000` with your actual domain.
+
+### 3. Set Environment Variables
+
+Set the following environment variables before starting SmooSense:
+
+```bash
+export AUTH0_DOMAIN="your-tenant.auth0.com"
+export AUTH0_CLIENT_ID="your-client-id"
+export AUTH0_CLIENT_SECRET="your-client-secret"
+export APP_SECRET_KEY="your-random-secret-key"  # Optional, auto-generated if not set
+```
+
+You can also create a `.env` file in your project directory with these values.
+
+### 4. Start SmooSense
+
+```bash
+sense
+```
+
+When Auth0 is properly configured, you'll see a log message:
+```
+Auth0 authentication enabled
+```
+
+## Authentication Flow
+
+1. User visits any protected page (e.g., `/`, `/FolderBrowser`, `/Table`)
+2. If not authenticated, user is redirected to `/auth/login`
+3. Auth0 handles the login (username/password, SSO, etc.)
+4. After successful login, user is redirected back to the application
+5. User session is stored and maintained until logout
+
+## API Endpoints
+
+SmooSense provides the following authentication endpoints:
+
+| Endpoint | Description |
+|----------|-------------|
+| `/auth/login` | Initiates Auth0 login flow |
+| `/auth/logout` | Clears session and logs out from Auth0 |
+| `/auth/callback` | Handles OAuth callback from Auth0 |
+| `/auth/me` | Returns current user info as JSON |
+
+### Check Authentication Status
+
+```bash
+curl http://localhost:8000/auth/me
+```
+
+Returns:
+```json
+{
+  "authenticated": true,
+  "email": "[email protected]",
+  "name": "John Doe",
+  "picture": "https://..."
+}
+```
+
+Or if not authenticated:
+```json
+{
+  "authenticated": false
+}
+```
+
+## Restricting Access by Email Domain
+
+You can restrict access to users from specific email domains using Auth0 Actions. In your Auth0 Dashboard:
+
+1. Go to **Actions > Flows > Login**
+2. Create a new Action with this code:
+
+```javascript
+exports.onExecutePostLogin = async (event, api) => {
+  if (!event.user.email) {
+    api.access.deny('access_denied', 'Email required');
+    return;
+  }
+
+  const allowList = ['mycorp.com', 'partner.com']; // Your allowed domains
+
+  const parts = event.user.email.split('@');
+  const domain = parts[parts.length - 1].toLowerCase();
+
+  if (!allowList.includes(domain)) {
+    api.access.deny(
+      'access_denied',
+      'Only specific email domains are allowed to access this app.'
+    );
+  }
+};
+```
+
+3. Deploy the Action and add it to your Login flow
+
+## Troubleshooting
+
+### "Auth0 not configured, running without authentication"
+
+This message appears when environment variables are not set. Verify:
+- `AUTH0_DOMAIN` is set
+- `AUTH0_CLIENT_ID` is set
+- `AUTH0_CLIENT_SECRET` is set
+
+### Callback URL Mismatch
+
+Ensure your Auth0 application's "Allowed Callback URLs" exactly matches `http://your-host:port/auth/callback`.
+
+### Session Not Persisting
+
+If sessions aren't persisting across requests, ensure:
+1. `APP_SECRET_KEY` is set consistently (not auto-generated each restart)
+2. Cookies are enabled in the browser

smoosense-gui/src/components/settings/GlobalSettings.tsx

@@ -9,12 +9,17 @@ import FolderBrowserSection from './FolderBrowserSection'
 import RowDetailSection from './RowDetailSection'
 import MediaSection from './MediaSection'
 import Logo from '@/components/common/Logo'
+import { useAuth, logout } from '@/lib/hooks/useAuth'
+import { Avatar, AvatarFallback, AvatarImage } from '@/components/ui/avatar'
+import { Button } from '@/components/ui/button'
 
 interface GlobalSettingsDropdownProps {
   context?: 'Table' | 'FolderBrowser' | 'LiteTable' | 'MiniTable'
 }
 
 export default function GlobalSettingsDropdown({ context }: GlobalSettingsDropdownProps) {
+  const { authenticated, user, loading } = useAuth()
+
   const renderContextSpecificSection = () => {
     switch (context) {
       case 'Table':
@@ -47,14 +52,83 @@ export default function GlobalSettingsDropdown({ context }: GlobalSettingsDropdo
     }
   }
 
+  // Get user initials for avatar fallback
+  const getInitials = (name: string | undefined, email: string | undefined) => {
+    if (name) {
+      return name.split(' ').map(n => n[0]).join('').toUpperCase().slice(0, 2)
+    }
+    if (email) {
+      return email[0].toUpperCase()
+    }
+    return '?'
+  }
+
+  // Render icon based on auth state
+  const renderIcon = () => {
+    if (loading || !authenticated || !user) {
+      return <Settings />
+    }
+    return (
+      <Avatar className="h-6 w-6">
+        <AvatarImage
+          src={user.picture || undefined}
+          alt={user.name || user.email}
+          referrerPolicy="no-referrer"
+        />
+        <AvatarFallback className="text-xs">
+          {getInitials(user.name, user.email)}
+        </AvatarFallback>
+      </Avatar>
+    )
+  }
+
+  // Render user info section
+  const renderUserSection = () => {
+    if (!authenticated || !user) {
+      return null
+    }
+    return (
+      <>
+        <div className="flex items-center gap-3">
+          <Avatar className="h-10 w-10">
+            <AvatarImage
+              src={user.picture || undefined}
+              alt={user.name || user.email}
+              referrerPolicy="no-referrer"
+            />
+            <AvatarFallback>
+              {getInitials(user.name, user.email)}
+            </AvatarFallback>
+          </Avatar>
+          <div className="flex-1 min-w-0">
+            {user.name && (
+              <div className="text-sm font-medium truncate">{user.name}</div>
+            )}
+            <div className="text-xs text-muted-foreground truncate">{user.email}</div>
+          </div>
+        </div>
+        <Button
+          variant="outline"
+          size="sm"
+          onClick={logout}
+          className="w-full mt-2"
+        >
+          Sign out
+        </Button>
+        <Separator className="my-4" />
+      </>
+    )
+  }
+
   return (
     <IconPopover
-      icon={<Settings />}
-      tooltip="Settings"
+      icon={renderIcon()}
+      tooltip={authenticated && user ? user.email : "Settings"}
       contentClassName="w-80 p-4"
       align="end"
     >
       <div className="space-y-4">
+        {renderUserSection()}
         <CommonSettingSection />
 
         {context && (

smoosense-gui/src/lib/hooks/useAuth.ts

@@ -0,0 +1,84 @@
+import { useState, useEffect } from 'react'
+
+export interface AuthUser {
+  email: string
+  name: string
+  picture: string | null
+}
+
+export interface AuthState {
+  authenticated: boolean
+  user: AuthUser | null
+  loading: boolean
+  error: string | null
+}
+
+/**
+ * Hook to get current authentication state.
+ * Fetches user info from /auth/me endpoint.
+ */
+export function useAuth(): AuthState {
+  const [state, setState] = useState<AuthState>({
+    authenticated: false,
+    user: null,
+    loading: true,
+    error: null,
+  })
+
+  useEffect(() => {
+    async function fetchAuthState() {
+      try {
+        const response = await fetch('/auth/me')
+        if (!response.ok) {
+          throw new Error('Failed to fetch auth state')
+        }
+        const data = await response.json()
+
+        if (data.authenticated) {
+          setState({
+            authenticated: true,
+            user: {
+              email: data.email,
+              name: data.name,
+              picture: data.picture || null,
+            },
+            loading: false,
+            error: null,
+          })
+        } else {
+          setState({
+            authenticated: false,
+            user: null,
+            loading: false,
+            error: null,
+          })
+        }
+      } catch (error) {
+        setState({
+          authenticated: false,
+          user: null,
+          loading: false,
+          error: error instanceof Error ? error.message : 'Unknown error',
+        })
+      }
+    }
+
+    fetchAuthState()
+  }, [])
+
+  return state
+}
+
+/**
+ * Redirect to login page
+ */
+export function login(): void {
+  window.location.href = '/auth/login'
+}
+
+/**
+ * Redirect to logout
+ */
+export function logout(): void {
+  window.location.href = '/auth/logout'
+}

smoosense-py/intests/base_integration_test.py

@@ -114,7 +114,9 @@ def setUpClass(cls) -> None:
         cls.browser = cls.playwright.chromium.launch(headless=cls.headless)
 
         # Ensure screenshots directory exists
-        cls.screenshots_dir = Path(__file__).parent.parent.parent / "landing/public/images/screenshots"
+        cls.screenshots_dir = (
+            Path(__file__).parent.parent.parent / "landing/public/images/screenshots"
+        )
         cls.screenshots_dir.mkdir(parents=True, exist_ok=True)
 
     @classmethod

smoosense-py/pyproject.toml

@@ -24,6 +24,7 @@ classifiers = [
     "Topic :: Software Development :: Libraries :: Python Modules",
 ]
 dependencies = [
+    "authlib>=1.0",
     "boto3>=1.39.11",
     "click>=8.1.8",
     "duckdb>=1.2.1",
@@ -149,5 +150,5 @@ exclude = [
 ]
 
 [[tool.mypy.overrides]]
-module = ["boto3.*", "botocore.*", "pandas.*", "IPython.*", "daft.*", "lancedb.*", "pyarrow.*", "torch.*", "PIL.*", "transformers.*", "tqdm.*", "umap.*"]
+module = ["authlib.*", "boto3.*", "botocore.*", "pandas.*", "IPython.*", "daft.*", "lancedb.*", "pyarrow.*", "torch.*", "PIL.*", "transformers.*", "tqdm.*", "umap.*"]
 ignore_missing_imports = true

smoosense-py/smoosense/app.py

@@ -8,6 +8,7 @@
 from flask import Flask
 from pydantic import ConfigDict, validate_call
 
+from smoosense.handlers.auth import auth_bp, init_oauth
 from smoosense.handlers.fs import fs_bp
 from smoosense.handlers.lance import lance_bp
 from smoosense.handlers.pages import pages_bp
@@ -65,7 +66,16 @@ def create_app(self) -> Flask:
         app.config["DUCKDB_CONNECTION_MAKER"] = self.duckdb_connection_maker
         app.config["PASSOVER_CONFIG"] = self.passover_config
 
+        # Initialize Auth0 if configured
+        oauth = init_oauth(app)
+        if oauth is not None:
+            app.config["OAUTH"] = oauth
+            logger.info("Auth0 authentication enabled")
+        else:
+            logger.info("Auth0 not configured, running without authentication")
+
         # Register blueprints
+        app.register_blueprint(auth_bp, url_prefix="/auth")
         app.register_blueprint(query_bp, url_prefix="/api")
         app.register_blueprint(fs_bp, url_prefix="/api")
         app.register_blueprint(lance_bp, url_prefix="/api")