typarr.auth

OIDC authentication and role-based access control.

async typarr.auth.callback(request: Request)

Handle the OIDC callback, exchange code for tokens, and create a session.

typarr.auth.check_access(user: User, access: list[AccessEntry], min_role: str) -> None

Raise 403 if the user lacks the minimum required role on a bucket.

typarr.auth.get_current_user(request: Request) -> User

Extract the authenticated user from the session (or return a demo user).

typarr.auth.is_global_admin(user: User) -> bool

Check if the user belongs to any of the configured admin groups.

async typarr.auth.login(request: Request)

Redirect the user to the OIDC provider for authentication.

async typarr.auth.login_page()

Serve the login page.

async typarr.auth.logout(request: Request)

Clear the session and redirect to the OIDC provider’s logout endpoint.

async typarr.auth.me(user: User = Depends(dependency=<function get_current_user>, use_cache=True, scope=None))

Return the currently authenticated user’s info including admin status.

typarr.auth.resolve_role(user: User, access: list[AccessEntry]) -> str | None

Return the highest role the user holds in a bucket, or None if no access.
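An added sketch of the contract described for check_access and resolve_role above; it is not typarr's code. The User and AccessEntry fields, the role names and their order, and the Forbidden exception standing in for the HTTP 403 are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed role ladder, lowest to highest; typarr's real role names may differ.
ROLE_ORDER = ["viewer", "editor", "admin"]

@dataclass
class User:  # hypothetical shape
    sub: str
    groups: list[str] = field(default_factory=list)

@dataclass
class AccessEntry:  # hypothetical shape: grants `role` to one user or group
    principal: str  # "user:<sub>" or "group:<name>"
    role: str

class Forbidden(Exception):  # stand-in for an HTTP 403 error
    status_code = 403

def _rank(role):
    # Unknown role strings rank below everything, so a typo never grants access.
    return ROLE_ORDER.index(role) if role in ROLE_ORDER else -1

def resolve_role(user, access):
    """Highest known role held via direct or group grants, else None."""
    principals = {f"user:{user.sub}"} | {f"group:{g}" for g in user.groups}
    held = [e.role for e in access if e.principal in principals and _rank(e.role) >= 0]
    return max(held, key=_rank) if held else None

def check_access(user, access, min_role):
    """Raise Forbidden unless the user's resolved role meets min_role."""
    if _rank(min_role) < 0:
        raise ValueError(f"unknown min_role: {min_role!r}")  # misconfiguration must not pass
    role = resolve_role(user, access)
    if role is None or _rank(role) < _rank(min_role):
        raise Forbidden(f"requires {min_role}")

# Constructed sample data for one bucket's access list
ACL = [
    AccessEntry("user:alice", "viewer"),
    AccessEntry("group:ops", "editor"),
    AccessEntry("user:bob", "owner"),  # role not in ROLE_ORDER: ignored
]
alice = User("alice", ["ops"])
bob = User("bob")
```

The group grant lifts alice to editor, while bob's unrecognised role resolves to no access, so the check fails closed.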

async typarr.auth.setup_oauth()

Register the OIDC provider with authlib and pre-fetch discovery metadata.

async typarr.auth.theme_css()

Return CSS custom properties for the configured accent colour family.