Add Dash v4.1 backend support (Dash 4.1+) with backend-agnostic auth request/response/session/config handling

[Copilot]

Dash v4.1 decouples from Flask and introduces a pluggable backend system (app.backend) supporting Flask, FastAPI, and Quart. This library was hardwired to Flask via direct flask.request usage, @server.before_request decorator patterns, and Flask-specific config/session assumptions, breaking on the new backend abstraction.

Changes

• auth.py — Core backend abstraction + shared session/config primitives:

  • _get_request() uses app.backend.request_adapter().
  • Request protection is registered via app.backend.before_request(...).
  • Added shared backend-agnostic signed-cookie session helpers (_get_session, _save_session, _clear_session) and backend redirect helper (_redirect_response) for auth implementations.
  • Added backend-agnostic config/secret helpers (_get_config_value, _set_config_value, _get_secret_key, _set_secret_key) with app-attached settings storage and server fallback.

• basic_auth.py — Backend-agnostic response/session/config handling:

  • is_authorized() uses self._get_request() for headers.
  • Removed Flask response/session helper usage in runtime auth flow.
  • Login challenge response now uses backend response APIs.
  • Authorized user session data is persisted via shared signed-cookie session helpers.
  • Secret key assignment now uses backend-agnostic config/secret helpers.

• clerk_auth.py — Backend-agnostic Clerk runtime:

  • Removed Flask response/session helper imports and switched runtime response handling to Dash backend APIs (app.backend.make_response, app.backend.jsonify).
  • Replaced Flask session usage in Clerk flows with backend-agnostic signed-cookie session storage.
  • Continued migration of Clerk request handling to self._get_request() across redirect/auth/logout paths.
  • Kept _get_safe_redirect_url backend-compatible by using request adapter URL parsing.
  • Replaced direct app.server.config / app.server.secret_key dependencies with backend-agnostic config/secret helpers.

• oidc_auth.py — Backend-agnostic runtime response/session/config handling with Flask-backed OAuth client:

  • OIDC still retains the explicit Flask backend guard because it depends on authlib.integrations.flask_client.OAuth.
  • Runtime flows now use backend-agnostic redirect/response handling.
  • Session persistence for user/idp/token data now uses shared signed-cookie session helpers instead of direct Flask session access in auth flow methods.
  • Secure-session and secret-key settings now use backend-agnostic config/secret helpers.

• public_routes.py — Removed Flask server-config storage assumptions:

  • Public routes/callback metadata is now stored on app attributes rather than app.server.config, avoiding non-Flask config constraints.

• Tests

  • tests/test_clerk_auth.py — Safe-redirect coverage remains in place and validates request-handling behavior.
  • tests/test_backend_config_access.py — Added targeted coverage for backend-agnostic config/secret helpers and public-route storage behavior.

• dev-requirements.txt — Updated to dash[testing]>=4.1.0rc0.

• setup.py — Updated runtime requirement to dash>=4.1.0rc0.

This PR now targets a major-version behavior: pre-4.1 compatibility paths were removed and Dash 4.1+ is required.

# Dash 4.1+ with default Flask backend — works as before
app = dash.Dash()  # app.backend.server_type == "flask"
BasicAuth(app, {"user": "pass"}, secret_key="s3cr3t")

# OIDC keeps Flask backend requirement (authlib flask client), but uses
# backend-agnostic runtime response/session/config handling in auth flows.
app = dash.Dash(backend="fastapi")
OIDCAuth(app, ...)  # RuntimeError: OIDCAuth requires a Flask backend.

# ClerkAuth now uses backend response APIs, backend-agnostic config access,
# and signed cookie sessions instead of Flask response/session helpers directly.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Dash v4.1 Support</issue_title>
<issue_description>We need to update to add support for v4.1 Dash.

v4.1 Dash breaks its dependence upon Flask and now can use virtually any backend. It has a lot of plugins in the backend servers for extensibility for all the backends. Mainly before_request and after_request are the biggest things. But also cookie management.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Dash v4.1 Support #28

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

[BSd3v]

@copilot

Dont worry about backwards compatibility, this is going to be a major version bump.

[BSd3v]

@copilot

We want to support all backends, we will need to adjust quite a bit of code for this.

[Copilot]

Implemented in af8eb75. I removed the Flask-only backend guard in ClerkAuth and switched Clerk runtime request handling to Dash backend request adapters (self._get_request()) across the auth flow, including redirect/auth checks and logout flow request usage.

[Copilot]

@copilot

Dont worry about backwards compatibility, this is going to be a major version bump.

Done in 18e9bfe. I removed the pre-4.1 fallback paths in auth.py and bumped minimum Dash versions to 4.1+ (setup.py and dev-requirements.txt).

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• dash.plotly.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[BSd3v]

@copilot

This shouldnt be importing Flask, it should be relying on the backend from Dash to make_reponse, set headers, set cookies, etc. Is there a way that we can generate sessions similar to Flask sessions but be agnostic?

[Copilot]

@copilot

This shouldnt be importing Flask, it should be relying on the backend from Dash to make_reponse, set headers, set cookies, etc. Is there a way that we can generate `sessions...

Implemented in b3636b5. ClerkAuth no longer imports Flask response/session helpers and now uses Dash backend APIs (app.backend.make_response / app.backend.jsonify) plus a backend-agnostic signed cookie session store (dash_auth_plus_session) to persist auth/session data across requests.

[BSd3v]

@copilot

This needs to be done for all methods, auth, oidc, and Clerk.

[Copilot]

@copilot

This needs to be done for all methods, auth, oidc, and Clerk.

Implemented in cd2d22f. I applied the backend-agnostic response/session pattern across Auth, BasicAuth, and OIDCAuth (in addition to Clerk): shared signed-cookie session helpers now live in Auth, BasicAuth no longer imports Flask helpers, and OIDC runtime auth flows now use backend response/redirect handling with signed session persistence for user data.

[BSd3v]

@copilot

There are dependencies on things like config which arent natively available for FastAPI, these need to be updated as well.

[Copilot]

@copilot

There are dependencies on things like config which arent natively available for FastAPI, these need to be updated as well.

Implemented in a7944ce. I removed remaining direct app.server.config coupling by introducing backend-agnostic config/secret helpers in Auth and updating BasicAuth, OIDCAuth, ClerkAuth, and public_routes to use them (with app-attached settings + server fallback). I also added tests/test_backend_config_access.py to cover non-Flask config handling. UI screenshot: N/A (no UI changes in this update).