bug: Python SDK with Django session async issue

[liam-pulsation]

Python SDK with Django session async issue

Having recently discovered logto.io, we tried to implement it in Django.

We tried using TraditionalWebApp process to protect our views, following your official Flask example.

Implementation

First, I implemented /signin and /callback routes as shown in the tutorial, wrapping the logto package logic with async_to_sync decorators.

To follow the tutorial, I used session out of views using Django ref : https://docs.djangoproject.com/en/5.0/topics/http/sessions/#using-sessions-out-of-views

views.py

from logto import LogtoClient, LogtoConfig, Storage

import os
from django.views import View
from django.http import HttpResponse, HttpResponseRedirect

from importlib import import_module
from django.conf import settings

SessionStore = import_module(settings.SESSION_ENGINE).SessionStore
session = SessionStore()


class SessionStorage(Storage):
    def __init__(self):
        pass

    def get(self, key: str):
        return session.get(key, "")

    def set(self, key: str, value: str | None) -> None:
        session[key] = value

    def delete(self, key: str) -> None:
        if key in session:
            session.__delitem__(key)


client = LogtoClient(
    LogtoConfig(
        endpoint=os.environ.get("LOGTO_API_ENDPOINT"),
        appId=os.environ.get("LOGTO_API_CLIENT_ID"),
        appSecret=os.environ.get("LOGTO_API_SECRET"),
    ),
    storage=SessionStorage(),
)


class SigninView(View):
    async def get(self, request):
        uri = os.environ.get("LOGTO_API_REDIRECT_URI")
        url = await client.signIn(redirectUri=uri)
        return HttpResponseRedirect(redirect_to=url)


class CallbackView(View):
    async def get(self, request):
        absolute_uri = request.build_absolute_uri()
        try:
            await client.handleSignInCallback(absolute_uri)
            return HttpResponseRedirect(
                redirect_to=os.environ.get("LOGTO_CALLBACK_URI")
            )
        except Exception as e:
            return HttpResponse("Error: " + str(e))

urls.py

from django.urls import path

from logto_authentication.views import SigninView, CallbackView

urlpatterns = [
    path("signin/", SigninView.as_view(), name="signin"),
    path("callback/", CallbackView.as_view(), name="callback"),
]

---

Problem

As soon as synchronous code considered "critical" by Django (database operations with DjangoORM for the most part) is used during an asynchronous code cycle, Django will raise a SynchronousOnlyOperation: You cannot call this from an async context - use a thread or sync_to_async error.

Reference on this error : https://docs.djangoproject.com/en/5.0/topics/async/#async-safety

At that point, in the reference, we had option to set the settings to DJANGO_ALLOW_ASYNC_UNSAFE=True. Doing so make the whole process to work. But this poses a problem, as this deactivated barrier can cause data loss or corruption on other async.

Another option would have been to turn Storage synchronous calls to the session into asynchronous calls to the methods that require them. But your client is not adapted for using async methods inside this class, and we would need to create a new LogtoClient to do so.

settings.py

import os

os.environ["DJANGO_ALLOW_ASYNC_UNSAFE"] = "true"

---

Therefore, my question is : did anyone try TraditionalWebApp process with Django ? Did you find a way to make it work ?

Thanks in advance for your insights, and thanks for all the work you already did there !