From 101650bac193360a5452ca7eeea05146b634d59c Mon Sep 17 00:00:00 2001
From: Mark Liffiton <liffiton@gmail.com>
Date: Thu, 28 Nov 2024 00:23:53 -0600
Subject: [PATCH] Refactor auth dicts to dataclasses for better type checking
 and safety.

---
 src/codehelp/context.py                       |   8 +-
 src/codehelp/context_config.py                |  20 +--
 src/codehelp/helper.py                        |  10 +-
 src/codehelp/templates/context_config.html    |   4 +-
 src/codehelp/templates/context_edit_form.html |   4 +-
 src/codehelp/templates/help_form.html         |   4 +-
 src/codehelp/templates/help_view.html         |   6 +-
 src/codehelp/templates/landing.html           |   4 +-
 src/codehelp/templates/tutor_nav_item.html    |   2 +-
 src/codehelp/tutor.py                         |  12 +-
 src/gened/auth.py                             | 164 +++++++++---------
 src/gened/class_config.py                     |   2 +-
 src/gened/classes.py                          |   8 +-
 src/gened/demo.py                             |   2 +-
 src/gened/experiments.py                      |   2 +-
 src/gened/instructor.py                       |  20 +--
 src/gened/openai.py                           |   8 +-
 src/gened/profile.py                          |   4 +-
 src/gened/queries.py                          |  10 +-
 src/gened/templates/base.html                 |  24 +--
 src/gened/templates/instructor_base.html      |   2 +-
 .../templates/instructor_class_config.html    |   4 +-
 src/gened/templates/profile_view.html         |   8 +-
 src/starburst/helper.py                       |   6 +-
 src/starburst/templates/help_view.html        |   4 +-
 src/starburst/templates/landing.html          |   2 +-
 tests/test_auth.py                            |  41 +++--
 27 files changed, 193 insertions(+), 192 deletions(-)

diff --git a/src/codehelp/context.py b/src/codehelp/context.py
index 6a01410..e23db66 100644
--- a/src/codehelp/context.py
+++ b/src/codehelp/context.py
@@ -115,7 +115,7 @@ def get_available_contexts() -> list[ContextConfig]:
     db = get_db()
     auth = get_auth()
 
-    class_id = auth['class_id']
+    class_id = auth.class_id
     # Only return contexts that are available:
     #   current date anywhere on earth (using UTC+12) is at or after the saved date
     context_rows = db.execute("SELECT * FROM contexts WHERE class_id=? AND available <= date('now', '+12 hours') ORDER BY class_order ASC", [class_id]).fetchall()
@@ -130,12 +130,12 @@ def get_context_string_by_id(ctx_id: int) -> str | None:
     db = get_db()
     auth = get_auth()
 
-    if auth['is_admin']:
+    if auth.is_admin:
         # admin can grab any context
         context_row = db.execute("SELECT * FROM context_strings WHERE id=?", [ctx_id]).fetchone()
     else:
         # for non-admin users, double-check that the context is in the current class
-        class_id = auth['class_id']
+        class_id = auth.class_id
         context_row = db.execute("SELECT * FROM context_strings WHERE class_id=? AND id=?", [class_id, ctx_id]).fetchone()
 
     if not context_row:
@@ -151,7 +151,7 @@ def get_context_by_name(ctx_name: str) -> ContextConfig | None:
     db = get_db()
     auth = get_auth()
 
-    class_id = auth['class_id']
+    class_id = auth.class_id
 
     context_row = db.execute("SELECT * FROM contexts WHERE class_id=? AND name=?", [class_id, ctx_name]).fetchone()
 
diff --git a/src/codehelp/context_config.py b/src/codehelp/context_config.py
index 71d293b..017ef68 100644
--- a/src/codehelp/context_config.py
+++ b/src/codehelp/context_config.py
@@ -51,7 +51,7 @@ def register(app: Flask) -> None:
 def config_section_render() -> Markup:
     db = get_db()
     auth = get_auth()
-    class_id = auth['class_id']
+    class_id = auth.class_id
 
     contexts = db.execute("""
         SELECT id, name, CAST(available AS TEXT) AS available
@@ -84,7 +84,7 @@ def decorated_function(*args: P.args, **kwargs: P.kwargs) -> Response | R:
         auth = get_auth()
 
         # verify the given context is in the user's current class
-        class_id = auth['class_id']
+        class_id = auth.class_id
         ctx_id = kwargs['ctx_id']
         context_row = db.execute("SELECT * FROM contexts WHERE id=?", [ctx_id]).fetchone()
         if context_row['class_id'] != class_id:
@@ -160,10 +160,10 @@ def _insert_context(class_id: int, name: str, config: str, available: str) -> in
 @bp.route("/create", methods=["POST"])
 def create_context() -> Response:
     auth = get_auth()
-    assert auth['class_id']
+    assert auth.class_id
 
     context = ContextConfig.from_request_form(request.form)
-    _insert_context(auth['class_id'], context.name, context.to_json(), "9999-12-31")  # defaults to hidden
+    _insert_context(auth.class_id, context.name, context.to_json(), "9999-12-31")  # defaults to hidden
     return redirect(url_for("class_config.config_form"))
 
 
@@ -172,11 +172,11 @@ def create_context() -> Response:
 @check_valid_context
 def copy_context(ctx_row: Row, ctx_id: int) -> Response:
     auth = get_auth()
-    assert auth['class_id']
+    assert auth.class_id
 
     # passing existing name, but _insert_context will take care of finding
     # a new, unused name in the class.
-    _insert_context(auth['class_id'], ctx_row['name'], ctx_row['config'], ctx_row['available'])
+    _insert_context(auth.class_id, ctx_row['name'], ctx_row['config'], ctx_row['available'])
     return redirect(url_for("class_config.config_form"))
 
 
@@ -189,8 +189,8 @@ def update_context(ctx_id: int, ctx_row: Row) -> Response:
 
     # names must be unique within a class: check/look for an unused name
     auth = get_auth()
-    assert auth['class_id']
-    name = _make_unique_context_name(auth['class_id'], context.name, ctx_id)
+    assert auth.class_id
+    name = _make_unique_context_name(auth.class_id, context.name, ctx_id)
 
     db.execute("UPDATE contexts SET name=?, config=? WHERE id=?", [name, context.to_json(), ctx_id])
     db.commit()
@@ -217,7 +217,7 @@ def update_order() -> str:
     db = get_db()
     auth = get_auth()
 
-    class_id = auth['class_id']  # Get the current class to ensure we don't change another class.
+    class_id = auth.class_id  # Get the current class to ensure we don't change another class.
 
     ordered_ids = request.json
     assert isinstance(ordered_ids, list)
@@ -235,7 +235,7 @@ def update_available() -> str:
     db = get_db()
     auth = get_auth()
 
-    class_id = auth['class_id']  # Get the current class to ensure we don't change another class.
+    class_id = auth.class_id  # Get the current class to ensure we don't change another class.
 
     data = request.json
     assert isinstance(data, dict)
diff --git a/src/codehelp/helper.py b/src/codehelp/helper.py
index 3c1aa08..7218fae 100644
--- a/src/codehelp/helper.py
+++ b/src/codehelp/helper.py
@@ -81,7 +81,7 @@ def help_form(llm: LLMConfig, query_id: int | None = None, class_id: int | None
         else:
             # no query specified,
             # but we can pre-select the most recently used context, if available
-            recent_row = db.execute("SELECT context_name FROM queries WHERE queries.user_id=? ORDER BY id DESC LIMIT 1", [auth['user_id']]).fetchone()
+            recent_row = db.execute("SELECT context_name FROM queries WHERE queries.user_id=? ORDER BY id DESC LIMIT 1", [auth.user_id]).fetchone()
             if recent_row:
                 selected_context_name = recent_row['context_name']
 
@@ -192,7 +192,7 @@ def run_query(llm: LLMConfig, context: ContextConfig | None, code: str, error: s
 def record_query(context: ContextConfig | None, code: str, error: str, issue: str) -> int:
     db = get_db()
     auth = get_auth()
-    role_id = auth['role_id']
+    role_id = auth.role_id
 
     if context is not None:
         context_name = context.name
@@ -204,7 +204,7 @@ def record_query(context: ContextConfig | None, code: str, error: str, issue: st
 
     cur = db.execute(
         "INSERT INTO queries (context_name, context_string_id, code, error, issue, user_id, role_id) VALUES (?, ?, ?, ?, ?, ?, ?)",
-        [context_name, context_string_id, code, error, issue, auth['user_id'], role_id]
+        [context_name, context_string_id, code, error, issue, auth.user_id, role_id]
     )
     new_row_id = cur.lastrowid
     db.commit()
@@ -253,7 +253,7 @@ def help_request(llm: LLMConfig) -> Response:
 def load_test(llm: LLMConfig) -> Response:
     # Require that we're logged in as the load_test admin user
     auth = get_auth()
-    if auth['display_name'] != 'load_test':
+    if auth.display_name != 'load_test':
         return abort(403)
 
     context = ContextConfig(name="__LOADTEST_Context")
@@ -279,7 +279,7 @@ def post_helpful() -> str:
 
     query_id = int(request.form['id'])
     value = int(request.form['value'])
-    db.execute("UPDATE queries SET helpful=? WHERE id=? AND user_id=?", [value, query_id, auth['user_id']])
+    db.execute("UPDATE queries SET helpful=? WHERE id=? AND user_id=?", [value, query_id, auth.user_id])
     db.commit()
     return ""
 
diff --git a/src/codehelp/templates/context_config.html b/src/codehelp/templates/context_config.html
index dce1673..6985001 100644
--- a/src/codehelp/templates/context_config.html
+++ b/src/codehelp/templates/context_config.html
@@ -172,7 +172,7 @@ <h3 class="title is-4">Schedule '<span x-text="ctx.name"></span>'</h3>
                 {% macro link_display_alpinejs(route) -%}
                   {# unholy combination of Jinja templating (route available in python) and Javascript string replacement (context available in JS)... #}
                   {
-                    link_URL: '{{ url_for(route, class_id=auth['class_id'], ctx_name='__replace__', _external=True) }}'.replace('__replace__', encodeURIComponent(ctx.name)),
+                    link_URL: '{{ url_for(route, class_id=auth.class_id, ctx_name='__replace__', _external=True) }}'.replace('__replace__', encodeURIComponent(ctx.name)),
                     copied: false,
                     copy_url() {
                       navigator.clipboard.writeText(this.link_URL);
@@ -207,7 +207,7 @@ <h3 class="title is-4">
                           </div>
                         </div>
                       </div>
-                      {% if "chats_experiment" in auth['class_experiments'] %}
+                      {% if "chats_experiment" in auth.class_experiments %}
                       <div class="field has-addons is-horizontal" x-data="{{ link_display_alpinejs('tutor.tutor_form') }}">
                         <div class="field-label label is-normal">Tutor Chat:</div>
                         <div class="field-body" style="flex-grow: 5;">
diff --git a/src/codehelp/templates/context_edit_form.html b/src/codehelp/templates/context_edit_form.html
index 15fffcf..d41eed6 100644
--- a/src/codehelp/templates/context_edit_form.html
+++ b/src/codehelp/templates/context_edit_form.html
@@ -11,10 +11,10 @@
   <div class="container">
     {% if context %}
       {# We're editing an existing context. #}
-      <h1 class="title">Editing context '{{ context.name }}' in class {{ auth['class_name'] }}</h1>
+      <h1 class="title">Editing context '{{ context.name }}' in class {{ auth.class_name }}</h1>
       <form class="wide-labels" action="{{ url_for(".update_context", ctx_id=context.id) }}" method="post">
     {% else %}
-      <h1 class="title">Create context in class {{ auth['class_name'] }}</h1>
+      <h1 class="title">Create context in class {{ auth.class_name }}</h1>
       <form class="wide-labels" action="{{ url_for(".create_context") }}" method="post">
     {% endif %}
 
diff --git a/src/codehelp/templates/help_form.html b/src/codehelp/templates/help_form.html
index af76d1c..1e62a0c 100644
--- a/src/codehelp/templates/help_form.html
+++ b/src/codehelp/templates/help_form.html
@@ -16,13 +16,13 @@
       {# debounce on the submit handler so that the form's actual submit fires *before* the form elements are disabled #}
       <form class="wide-labels" action="{{url_for('helper.help_request')}}" method="post" x-data="{loading: false}" x-on:pageshow.window="loading = false" x-on:submit.debounce.10ms="loading = true">
 
-      {% if auth['class_name'] %}
+      {% if auth.class_name %}
       <div class="field is-horizontal">
         <div class="field-label">
           <label class="label">Class:</label>
         </div>
         <div class="field-body">
-          {{ auth['class_name'] }}
+          {{ auth.class_name }}
         </div>
       </div>
       {% elif llm.tokens_remaining != None %}
diff --git a/src/codehelp/templates/help_view.html b/src/codehelp/templates/help_view.html
index 307ea3f..d703120 100644
--- a/src/codehelp/templates/help_view.html
+++ b/src/codehelp/templates/help_view.html
@@ -21,7 +21,7 @@
     {% if query %}
 
     <div class="container">
-      {% if auth['user_id'] != query.user_id %}
+      {% if auth.user_id != query.user_id %}
       <div class="field is-horizontal">
         <div class="field-label">
           <label class="label">User:</label>
@@ -124,7 +124,7 @@ <h1><span class="title is-size-4">Response</span> <span class="subtitle ml-5 is-
         </div>
       </div>
 
-      {% if auth['user_id'] == query.user_id and 'main' in responses %}
+      {% if auth.user_id == query.user_id and 'main' in responses %}
       <div class="card-content p-2 pl-5" style="background: #e8e8e8;" x-data="{helpful: {{"null" if query.helpful == None else query.helpful}}}">
         <script type="text/javascript">
           function post_helpful(value) {
@@ -163,7 +163,7 @@ <h1><span class="title is-size-4">Response</span> <span class="subtitle ml-5 is-
       </div>
       {% endif %}
 
-      {% if auth['is_tester'] and 'main' in responses %}
+      {% if auth.is_tester and 'main' in responses %}
         <div class="card-content content p-2 pl-5">
           <h2 class="is-size-5">Related Topics</h2>
           {% if topics %}
diff --git a/src/codehelp/templates/landing.html b/src/codehelp/templates/landing.html
index 588eb0a..24170f5 100644
--- a/src/codehelp/templates/landing.html
+++ b/src/codehelp/templates/landing.html
@@ -33,7 +33,7 @@ <h2 class="has-text-white">Ask it...</h2>
       </div>
     </div>
     <p class="has-text-centered mt-5 mb-3">
-    {% if auth['user_id'] %}
+    {% if auth.user_id %}
       <a class="button is-link is-light is-rounded is-size-4" href="{{ url_for('helper.help_form') }}">
         Try it now!
       </a>
@@ -66,7 +66,7 @@ <h2>For Instructors</h2>
               <li>Everyone will sign in <b>automatically</b> (no separate login) via a link from your course page.</li>
               <li>Takes some time to set up, and may require support from your LMS administrator.</li>
             </ul>
-            {% if auth['user_id'] and auth['auth_provider'] != 'demo' %}
+            {% if auth.user_id and auth.auth_provider != 'demo' %}
               <a class="button button-inline is-link is-size-5" href="{{ url_for("profile.main") }}">Go to your Profile page</a> to manually create a class.
             {% else %}
               <a class="button button-inline is-link is-size-5" href="{{ url_for("auth.login", next=url_for("profile.main")) }}">Sign in using Google, GitHub, or Microsoft</a> and manually create a class from your profile page.
diff --git a/src/codehelp/templates/tutor_nav_item.html b/src/codehelp/templates/tutor_nav_item.html
index d8b06de..743a315 100644
--- a/src/codehelp/templates/tutor_nav_item.html
+++ b/src/codehelp/templates/tutor_nav_item.html
@@ -4,7 +4,7 @@
 SPDX-License-Identifier: AGPL-3.0-only
 #}
 
-{% if auth['user_id'] and "chats_experiment" in auth['class_experiments'] %}
+{% if auth.user_id and "chats_experiment" in auth.class_experiments %}
   <a class="navbar-item has-text-success" href="{{ url_for('tutor.tutor_form') }}">
     <div class="icon-text">
       <span class="icon">
diff --git a/src/codehelp/tutor.py b/src/codehelp/tutor.py
index d5fad88..eb3e0bc 100644
--- a/src/codehelp/tutor.py
+++ b/src/codehelp/tutor.py
@@ -145,8 +145,8 @@ def chat_interface(chat_id: int) -> str | Response:
 def create_chat(topic: str, context: ContextConfig | None) -> int:
     db = get_db()
     auth = get_auth()
-    user_id = auth['user_id']
-    role_id = auth['role_id']
+    user_id = auth.user_id
+    role_id = auth.role_id
 
     if context is not None:
         context_name = context.name
@@ -172,7 +172,7 @@ def get_chat_history(limit: int = 10) -> list[Row]:
     db = get_db()
     auth = get_auth()
 
-    history = db.execute("SELECT * FROM chats WHERE user_id=? ORDER BY id DESC LIMIT ?", [auth['user_id'], limit]).fetchall()
+    history = db.execute("SELECT * FROM chats WHERE user_id=? ORDER BY id DESC LIMIT ?", [auth.user_id, limit]).fetchall()
     return history
 
 
@@ -194,9 +194,9 @@ def get_chat(chat_id: int) -> tuple[list[ChatCompletionMessageParam], str, str,
         raise ChatNotFoundError
 
     access_allowed = \
-        (auth['user_id'] == chat_row['user_id']) \
-        or auth['is_admin'] \
-        or (auth['role'] == 'instructor' and auth['class_id'] == chat_row['class_id'])
+        (auth.user_id == chat_row['user_id']) \
+        or auth.is_admin \
+        or (auth.role == 'instructor' and auth.class_id == chat_row['class_id'])
 
     if not access_allowed:
         raise AccessDeniedError
diff --git a/src/gened/auth.py b/src/gened/auth.py
index af47f9b..0b97726 100644
--- a/src/gened/auth.py
+++ b/src/gened/auth.py
@@ -3,9 +3,10 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 from collections.abc import Callable
+from dataclasses import dataclass, field
 from functools import wraps
 from sqlite3 import Row
-from typing import Literal, ParamSpec, TypedDict, TypeVar
+from typing import Literal, ParamSpec, TypeVar
 
 from flask import (
     Blueprint,
@@ -31,23 +32,25 @@
 ProviderType = Literal['local', 'lti', 'demo', 'google', 'github', 'microsoft']
 RoleType = Literal['instructor', 'student']
 
-class ClassDict(TypedDict):
+@dataclass(frozen=True)
+class ClassData:
     class_id: int
     class_name: str
     role: RoleType
 
-class AuthDict(TypedDict, total=False):
-    user_id: int | None
-    auth_provider: ProviderType
-    display_name: str
-    is_admin: bool
-    is_tester: bool
-    class_id: int | None    # current class ID
-    class_name: str | None  # current class name
-    role_id: int | None     # current role
-    role: RoleType | None   # current role name (e.g., 'instructor')
-    class_experiments: list[str]  # any experiments the current class is registered in
-    other_classes: list[ClassDict]  # for storing active classes that are not the user's current class
+@dataclass(frozen=True)
+class AuthData:
+    user_id: int | None = None
+    is_admin: bool = False
+    is_tester: bool = False
+    auth_provider: ProviderType | None = None
+    display_name: str | None = None
+    class_id: int | None = None    # current class ID
+    class_name: str | None = None  # current class name
+    role_id: int | None = None     # current role
+    role: RoleType | None = None   # current role name (e.g., 'instructor')
+    class_experiments: list[str] = field(default_factory=list)  # any experiments the current class is registered in
+    other_classes: list[ClassData] = field(default_factory=list)  # for storing active classes that are not the user's current class
 
 
 def _invalidate_g_auth() -> None:
@@ -81,25 +84,19 @@ def set_session_auth_class(class_id: int | None) -> None:
     _invalidate_g_auth()
 
 
-def _get_auth_from_session() -> AuthDict:
+def _get_auth_from_session() -> AuthData:
     """ Populate auth data for the current session based on its current
-        user_id and role_id (if any).
+        user_id and class_id (if any).
     """
-    base: AuthDict = {
-        'user_id': None,
-        'is_admin': False,
-        'is_tester': False,
-        'role': None,
-    }
     # Get the session auth dict, or an empty dict if it's not there, to find
-    # current user_id and role_id (if any).
+    # current user_id (if any).
     sess_auth = session.get(AUTH_SESSION_KEY, {})
-    sess_user = sess_auth.get('user_id', None)
-    sess_class = sess_auth.get('class_id', None)
+    user_id = sess_auth.get('user_id', None)
+    class_id = sess_auth.get('class_id', None)
 
-    if not sess_user:
-        # No logged in user; return the base/empty auth data
-        return base
+    if not user_id:
+        # No logged in user; return the default/empty auth data
+        return AuthData()
 
     db = get_db()
 
@@ -113,29 +110,17 @@ def _get_auth_from_session() -> AuthDict:
         FROM users
         LEFT JOIN auth_providers ON auth_providers.id=users.auth_provider
         WHERE users.id=?
-    """, [sess_user]).fetchone()
+    """, [user_id]).fetchone()
 
     if not user_row:
         # Fall through if user_id is not in database (deleted from DB?)
-        return base
-
-    # Create a new AuthDict and populate with data from the database
-    auth_dict: AuthDict = {
-        # from session
-        'user_id': sess_user,
-        'class_id': sess_class,
-        # from DB
-        'display_name': user_row['display_name'],
-        'is_admin': user_row['is_admin'],
-        'is_tester': user_row['is_tester'],
-        'auth_provider': user_row['auth_provider'],
-        # to be filled
-        'class_name': None,
-        'class_experiments': [],
-        'role_id': None,
-        'role': None,
-        'other_classes': [],
-    }
+        return AuthData()
+
+    # Collect auth data values
+    display_name=user_row['display_name']
+    is_admin=user_row['is_admin']
+    is_tester=user_row['is_tester']
+    auth_provider=user_row['auth_provider']
 
     # Check the database for any active roles (may be changed by another user)
     # and populate class/role information.
@@ -151,43 +136,60 @@ def _get_auth_from_session() -> AuthDict:
         JOIN classes ON classes.id=roles.class_id
         WHERE roles.user_id=? AND roles.active=1
         ORDER BY roles.id DESC
-    """, [auth_dict['user_id']]).fetchall()
+    """, [user_id]).fetchall()
+
+    role_id = None
+    role = None
+    class_experiments = []
+    other_classes = []
+    class_name = None
 
-    found_role = False  # track whether the current role from auth is actually found as an active role
     for row in role_rows:
-        if row['class_id'] == auth_dict['class_id']:
-            found_role = True
-            # add class/role info to auth_dict
-            auth_dict['role_id'] = row['role_id']
-            auth_dict['role'] = row['role']
+        if row['class_id'] == class_id:
+            # capture class/role info
+            role_id = row['role_id']
+            role = row['role']
             # check for any registered experiments in the current class
-            experiment_class_rows = db.execute("SELECT experiments.name FROM experiments JOIN experiment_class ON experiment_class.experiment_id=experiments.id WHERE experiment_class.class_id=?", [auth_dict['class_id']]).fetchall()
-            auth_dict['class_experiments'] = [row['name'] for row in experiment_class_rows]
+            experiment_class_rows = db.execute("SELECT experiments.name FROM experiments JOIN experiment_class ON experiment_class.experiment_id=experiments.id WHERE experiment_class.class_id=?", [class_id]).fetchall()
+            class_experiments = [row['name'] for row in experiment_class_rows]
         elif row['enabled']:
             # store a list of any other classes that are enabled (for navbar switching UI)
-            class_dict: ClassDict = {
-                'class_id': row['class_id'],
-                'class_name': row['name'],
-                'role': row['role'],
-            }
-            auth_dict['other_classes'].append(class_dict)
-
-    if not found_role and not auth_dict['is_admin']:
+            class_data = ClassData(
+                class_id=row['class_id'],
+                class_name=row['name'],
+                role=row['role']
+            )
+            other_classes.append(class_data)
+
+    if not role_id and not is_admin:
         # ensure we don't keep a class_id in auth if it's not a valid/active one
-        auth_dict['class_id'] = None
+        class_id = None
 
-    if auth_dict['class_id'] is not None:
+    if class_id is not None:
         # get the class name (after all the above has shaken out)
-        class_row = db.execute("SELECT name FROM classes WHERE id=?", [auth_dict['class_id']]).fetchone()
-        auth_dict['class_name'] = class_row['name']
+        class_row = db.execute("SELECT name FROM classes WHERE id=?", [class_id]).fetchone()
+        class_name = class_row['name']
         # admin gets instructor role in all classes automatically
-        if auth_dict['is_admin']:
-            auth_dict['role'] = 'instructor'
-
-    return auth_dict
-
-
-def get_auth() -> AuthDict:
+        if is_admin:
+            role = 'instructor'
+
+    # return an AuthData with all collected values
+    return AuthData(
+        user_id=user_id,
+        is_admin=is_admin,
+        is_tester=is_tester,
+        auth_provider=auth_provider,
+        display_name=display_name,
+        class_id=class_id,
+        class_name=class_name,
+        role_id=role_id,
+        role=role,
+        class_experiments=class_experiments,
+        other_classes=other_classes
+    )
+
+
+def get_auth() -> AuthData:
     if 'auth' not in g:
         g.auth = _get_auth_from_session()
 
@@ -316,7 +318,7 @@ def login_required(f: Callable[P, R]) -> Callable[P, Response | R]:
     @wraps(f)
     def decorated_function(*args: P.args, **kwargs: P.kwargs) -> Response | R:
         auth = get_auth()
-        if not auth['user_id']:
+        if not auth.user_id:
             flash("Login required.", "warning")
             return redirect(url_for('auth.login', next=request.full_path))
         return f(*args, **kwargs)
@@ -327,7 +329,7 @@ def instructor_required(f: Callable[P, R]) -> Callable[P, Response | R]:
     @wraps(f)
     def decorated_function(*args: P.args, **kwargs: P.kwargs) -> Response | R:
         auth = get_auth()
-        if auth['role'] != "instructor":
+        if auth.role != "instructor":
             flash("Instructor login required.", "warning")
             return redirect(url_for('auth.login', next=request.full_path))
         return f(*args, **kwargs)
@@ -338,7 +340,7 @@ def class_enabled_required(f: Callable[P, R]) -> Callable[P, str | R]:
     @wraps(f)
     def decorated_function(*args: P.args, **kwargs: P.kwargs) -> str | R:
         auth = get_auth()
-        class_id = auth['class_id']
+        class_id = auth.class_id
 
         if class_id is None:
             # No active class, no problem
@@ -361,7 +363,7 @@ def admin_required(f: Callable[P, R]) -> Callable[P, Response | R]:
     @wraps(f)
     def decorated_function(*args: P.args, **kwargs: P.kwargs) -> Response | R:
         auth = get_auth()
-        if not auth['is_admin']:
+        if not auth.is_admin:
             flash("Login required.", "warning")
             return redirect(url_for('auth.login', next=request.full_path))
         return f(*args, **kwargs)
@@ -373,7 +375,7 @@ def tester_required(f: Callable[P, R]) -> Callable[P, Response | R]:
     @wraps(f)
     def decorated_function(*args: P.args, **kwargs: P.kwargs) -> Response | R:
         auth = get_auth()
-        if not auth['is_tester']:
+        if not auth.is_tester:
             return abort(404)
         return f(*args, **kwargs)
     return decorated_function
diff --git a/src/gened/class_config.py b/src/gened/class_config.py
index 380dc4d..90056ad 100644
--- a/src/gened/class_config.py
+++ b/src/gened/class_config.py
@@ -43,7 +43,7 @@ def config_form() -> str:
     db = get_db()
     auth = get_auth()
 
-    class_id = auth['class_id']
+    class_id = auth.class_id
 
     class_row = db.execute("""
         SELECT classes.id, classes.enabled, classes_user.link_ident, classes_user.link_reg_expires, classes_user.openai_key, classes_user.model_id
diff --git a/src/gened/classes.py b/src/gened/classes.py
index 1aeebb1..8db1eb6 100644
--- a/src/gened/classes.py
+++ b/src/gened/classes.py
@@ -159,11 +159,11 @@ def switch_class(class_id: int | None) -> bool:
     auth = get_auth()
 
     # admins can access any class, but we don't bother setting last_class_id for them
-    if auth['is_admin']:
+    if auth.is_admin:
         set_session_auth_class(class_id)
         return True
 
-    user_id = auth['user_id']
+    user_id = auth.user_id
     db = get_db()
 
     if class_id:
@@ -207,7 +207,7 @@ def leave_class_handler() -> Response:
 @bp.route("/create/", methods=['POST'])
 def create_class() -> Response:
     auth = get_auth()
-    user_id = auth['user_id']
+    user_id = auth.user_id
     assert user_id is not None
 
     class_name = request.form['class_name']
@@ -231,7 +231,7 @@ def access_class(class_ident: str) -> str | Response:
     db = get_db()
 
     auth = get_auth()
-    user_id = auth['user_id']
+    user_id = auth.user_id
 
     # Get the class info
     class_row = db.execute("""
diff --git a/src/gened/demo.py b/src/gened/demo.py
index a2cbaeb..358ada3 100644
--- a/src/gened/demo.py
+++ b/src/gened/demo.py
@@ -28,7 +28,7 @@
 def demo_register_user(demo_name: str) -> str | Response:
     # Can't create a demo user if already logged in.
     auth = get_auth()
-    if auth['user_id']:
+    if auth.user_id:
         flash("You are already logged in.", "warning")
         return render_template("error.html")
 
diff --git a/src/gened/experiments.py b/src/gened/experiments.py
index 9abf343..8260833 100644
--- a/src/gened/experiments.py
+++ b/src/gened/experiments.py
@@ -31,7 +31,7 @@ def current_class_in_experiment(experiment_name: str) -> bool:
     experiment_class_rows = db.execute("SELECT experiment_class.class_id FROM experiments JOIN experiment_class ON experiment_class.experiment_id=experiments.id WHERE experiments.name=?", [experiment_name]).fetchall()
     experiment_class_ids = [row['class_id'] for row in experiment_class_rows]
     auth = get_auth()
-    return 'class_id' in auth and auth['class_id'] in experiment_class_ids
+    return auth.class_id in experiment_class_ids
 
 # Decorator for routes designated as part of an experiment
 # For decorator type hints
diff --git a/src/gened/instructor.py b/src/gened/instructor.py
index 3c77a8f..b5c3f8d 100644
--- a/src/gened/instructor.py
+++ b/src/gened/instructor.py
@@ -120,7 +120,7 @@ def get_users(class_id: int, for_export: bool = False) -> list[Row]:
 @bp.route("/")
 def main() -> str | Response:
     auth = get_auth()
-    class_id = auth['class_id']
+    class_id = auth.class_id
     assert class_id is not None
 
     users = get_users(class_id)
@@ -143,8 +143,8 @@ def get_csv(kind: str) -> str | Response:
         return abort(404)
 
     auth = get_auth()
-    class_id = auth['class_id']
-    class_name = auth['class_name']
+    class_id = auth.class_id
+    class_name = auth.class_name
     assert class_id is not None
     assert class_name is not None
 
@@ -162,7 +162,7 @@ def set_user_class_setting() -> Response:
     auth = get_auth()
 
     # only trust class_id from auth, not from user
-    class_id = auth['class_id']
+    class_id = auth.class_id
 
     if 'clear_openai_key' in request.form:
         db.execute("UPDATE classes_user SET openai_key='' WHERE class_id=?", [class_id])
@@ -202,13 +202,13 @@ def set_role_active(role_id: int, bool_active: int) -> str:
     auth = get_auth()
 
     # prevent instructors from mistakenly making themselves not active and locking themselves out
-    if role_id == auth['role_id']:
+    if role_id == auth.role_id:
         return "You cannot make yourself inactive."
 
     # class_id should be redundant w/ role_id, but without it, an instructor
     # could potentially deactivate a role in someone else's class.
     # only trust class_id from auth, not from user
-    class_id = auth['class_id']
+    class_id = auth.class_id
 
     db.execute("UPDATE roles SET active=? WHERE id=? AND class_id=?", [bool_active, role_id, class_id])
     db.commit()
@@ -223,13 +223,13 @@ def set_role_instructor(role_id: int, bool_instructor: int) -> str:
     auth = get_auth()
 
     # prevent instructors from mistakenly making themselves not instructors and locking themselves out
-    if role_id == auth['role_id']:
+    if role_id == auth.role_id:
         return "You cannot change your own role."
 
     # class_id should be redundant w/ role_id, but without it, an instructor
     # could potentially deactivate a role in someone else's class.
     # only trust class_id from auth, not from user
-    class_id = auth['class_id']
+    class_id = auth.class_id
 
     new_role = 'instructor' if bool_instructor else 'student'
 
@@ -243,9 +243,9 @@ def set_role_instructor(role_id: int, bool_instructor: int) -> str:
 def delete_class() -> Response:
     db = get_db()
     auth = get_auth()
-    class_id = auth['class_id']
+    class_id = auth.class_id
     assert class_id is not None
-    assert str(auth['class_id']) == str(request.form.get('class_id'))
+    assert str(auth.class_id) == str(request.form.get('class_id'))
 
     # Require explicit confirmation
     if request.form.get('confirm_delete') != 'DELETE':
diff --git a/src/gened/openai.py b/src/gened/openai.py
index 5b191e2..2310b29 100644
--- a/src/gened/openai.py
+++ b/src/gened/openai.py
@@ -77,7 +77,7 @@ def make_system_client(tokens_remaining: int | None = None) -> LLMConfig:
     auth = get_auth()
 
     # Get class data, if there is an active class
-    if auth['class_id']:
+    if auth.class_id is not None:
         class_row = db.execute("""
             SELECT
                 classes.enabled,
@@ -94,7 +94,7 @@ def make_system_client(tokens_remaining: int | None = None) -> LLMConfig:
             LEFT JOIN models
               ON models.id = _model_id
             WHERE classes.id = ?
-        """, [auth['class_id']]).fetchone()
+        """, [auth.class_id]).fetchone()
 
         if not class_row['enabled']:
             raise ClassDisabledError
@@ -117,7 +117,7 @@ def make_system_client(tokens_remaining: int | None = None) -> LLMConfig:
         JOIN auth_providers
           ON users.auth_provider = auth_providers.id
         WHERE users.id = ?
-    """, [auth['user_id']]).fetchone()
+    """, [auth.user_id]).fetchone()
 
     if user_row['auth_provider_name'] == "local":
         return make_system_client()
@@ -129,7 +129,7 @@ def make_system_client(tokens_remaining: int | None = None) -> LLMConfig:
 
     if spend_token:
         # user.tokens > 0, so decrement it and use the system key
-        db.execute("UPDATE users SET query_tokens=query_tokens-1 WHERE id=?", [auth['user_id']])
+        db.execute("UPDATE users SET query_tokens=query_tokens-1 WHERE id=?", [auth.user_id])
         db.commit()
         tokens -= 1
 
diff --git a/src/gened/profile.py b/src/gened/profile.py
index ca25382..cdcedaa 100644
--- a/src/gened/profile.py
+++ b/src/gened/profile.py
@@ -15,7 +15,7 @@
 def main() -> str:
     db = get_db()
     auth = get_auth()
-    user_id = auth['user_id']
+    user_id = auth.user_id
     user = db.execute("""
         SELECT
             users.*,
@@ -28,7 +28,7 @@ def main() -> str:
         WHERE users.id=?
     """, [user_id]).fetchone()
 
-    class_id = auth['class_id'] or -1   # can't do a != to None/null, so convert that to -1 to match all classes in that case
+    class_id = auth.class_id or -1   # can't do a != to None/null, so convert that to -1 to match all classes in that case
     other_classes = db.execute("""
         SELECT
             classes.id,
diff --git a/src/gened/queries.py b/src/gened/queries.py
index 9d6e8f7..0204dfa 100644
--- a/src/gened/queries.py
+++ b/src/gened/queries.py
@@ -17,12 +17,12 @@ def get_query(query_id: int) -> tuple[Row, dict[str, str]] | tuple[None, None]:
 
     query_row = None
 
-    if auth['is_admin']:
+    if auth.is_admin:
         cur = db.execute("SELECT queries.*, users.display_name FROM queries JOIN users ON queries.user_id=users.id WHERE queries.id=?", [query_id])
-    elif auth['role'] == 'instructor':
-        cur = db.execute("SELECT queries.*, users.display_name FROM queries JOIN users ON queries.user_id=users.id JOIN roles ON queries.role_id=roles.id WHERE (roles.class_id=? OR queries.user_id=?) AND queries.id=?", [auth['class_id'], auth['user_id'], query_id])
+    elif auth.role == 'instructor':
+        cur = db.execute("SELECT queries.*, users.display_name FROM queries JOIN users ON queries.user_id=users.id JOIN roles ON queries.role_id=roles.id WHERE (roles.class_id=? OR queries.user_id=?) AND queries.id=?", [auth.class_id, auth.user_id, query_id])
     else:
-        cur = db.execute("SELECT queries.*, users.display_name FROM queries JOIN users ON queries.user_id=users.id WHERE queries.user_id=? AND queries.id=?", [auth['user_id'], query_id])
+        cur = db.execute("SELECT queries.*, users.display_name FROM queries JOIN users ON queries.user_id=users.id WHERE queries.user_id=? AND queries.id=?", [auth.user_id, query_id])
     query_row = cur.fetchone()
 
     if not query_row:
@@ -42,6 +42,6 @@ def get_history(limit: int = 10) -> list[Row]:
     db = get_db()
     auth = get_auth()
 
-    cur = db.execute("SELECT * FROM queries WHERE queries.user_id=? ORDER BY query_time DESC LIMIT ?", [auth['user_id'], limit])
+    cur = db.execute("SELECT * FROM queries WHERE queries.user_id=? ORDER BY query_time DESC LIMIT ?", [auth.user_id, limit])
     history = cur.fetchall()
     return history
diff --git a/src/gened/templates/base.html b/src/gened/templates/base.html
index 2b1d81f..59499a3 100644
--- a/src/gened/templates/base.html
+++ b/src/gened/templates/base.html
@@ -64,7 +64,7 @@
       </div>
       <div class="navbar-menu" x-bind:class="menu_open ? 'is-active' : ''">
         <div class="navbar-start">
-        {% if auth['user_id'] %}
+        {% if auth.user_id %}
           <a class="navbar-item has-text-success" href="{{ url_for('helper.help_form') }}">
             <div class="icon-text">
               <span class="icon">
@@ -79,15 +79,15 @@
         {% endfor %}
         </div>
         <div class="navbar-end">
-          {% if auth['user_id'] %}
-            {% set class_name=auth['class_name'] %}
-            {% set has_dropdown=(class_name and auth['is_admin']) or (auth['other_classes']) %}
+          {% if auth.user_id %}
+            {% set class_name=auth.class_name %}
+            {% set has_dropdown=(class_name and auth.is_admin) or (auth.other_classes) %}
             <a class="navbar-item dropdown dropdown-trigger is-hoverable is-size-6" {% if has_dropdown %}aria-haspopup="true" aria-controls="classes-menu"{% endif %} style="flex-direction: column; justify-content: center;" href="{{ url_for('profile.main') }}">
               <div class="icon-text">
                 <span class="icon">
                   <svg aria-hidden="true"><use href="#svg_user" /></svg>
                 </span>
-                <span class="is-italic">{{ auth['display_name'] }}</span>
+                <span class="is-italic">{{ auth.display_name }}</span>
               </div>
               {% if class_name %}
                 <div>
@@ -102,12 +102,12 @@
                     <div class="dropdown-item">
                       Switch class:
                     </div>
-                    {% for class in auth['other_classes'] %}
+                    {% for class in auth.other_classes %}
                     <div class="dropdown-item">
-                      <button class="button is-rounded is-link is-outlined is-small" type="button" onclick="location.assign('{{ url_for("classes.switch_class_handler", class_id=class['class_id'], next=request.path) }}'); return false;">{{ class['class_name'] }} ({{ class['role'] }})</button>
+                      <button class="button is-rounded is-link is-outlined is-small" type="button" onclick="location.assign('{{ url_for("classes.switch_class_handler", class_id=class.class_id, next=request.path) }}'); return false;">{{ class.class_name }} ({{ class.role }})</button>
                     </div>
                     {% endfor %}
-                    {% if auth['is_admin'] and class_name %}
+                    {% if auth.is_admin and class_name %}
                     <div class="dropdown-item">
                       <button class="button is-rounded is-danger is-light is-outlined is-small" type="button" onclick="location.assign('{{ url_for("classes.leave_class_handler") }}'); return false;">Leave class</button>
                     </div>
@@ -117,7 +117,7 @@
               {% endif %}
             </a>
 
-            {% if auth['role'] == 'instructor' %}
+            {% if auth.role == 'instructor' %}
               <a class="navbar-item is-size-6 has-text-success" href="/instructor/config">
                 <div class="icon-text">
                   <span class="icon" title="Configure Class">
@@ -135,7 +135,7 @@
                 </div>
               </a>
             {% endif %}
-            {% if auth['is_admin'] %}
+            {% if auth.is_admin %}
               <a class="navbar-item is-size-6 has-text-danger" href="/admin/">
                 <div class="icon-text">
                   <span class="icon">
@@ -169,13 +169,13 @@
       </div>
     </nav>
 
-    {% if auth['is_admin'] and auth['class_id'] is integer and auth['role_id'] is none %}
+    {% if auth.is_admin and auth.class_id is integer and auth.role_id is none %}
     <div class="has-background-link has-text-light has-text-centered p-2">
       <span class="icon-text">
         <span class="icon">
           <svg aria-hidden="true"><use href="#svg_admin" /></svg>
         </span>
-        Admin in '{{ auth['class_name'] }}' as instructor role.
+        Admin in '{{ auth.class_name }}' as instructor role.
         <button class="button is-rounded is-light is-outlined is-small ml-3" type="button" onclick="location.assign('{{ url_for("classes.leave_class_handler") }}'); return false;">Leave class</button>
       </span>
     </div>
diff --git a/src/gened/templates/instructor_base.html b/src/gened/templates/instructor_base.html
index a7d57fd..5d92ef8 100644
--- a/src/gened/templates/instructor_base.html
+++ b/src/gened/templates/instructor_base.html
@@ -13,7 +13,7 @@
 
 {% block body %}
 <section class="section p-5">
-  <h1 class="title">{{ auth['class_name'] }}</h1>
+  <h1 class="title">{{ auth.class_name }}</h1>
   <div class="tbl_cols">
     <div class="tbl_col" style="width: 35em;">
       <h2 class="is-size-3">Users</h2>
diff --git a/src/gened/templates/instructor_class_config.html b/src/gened/templates/instructor_class_config.html
index 0c68a47..091f729 100644
--- a/src/gened/templates/instructor_class_config.html
+++ b/src/gened/templates/instructor_class_config.html
@@ -38,7 +38,7 @@
 }
 </style>
 <section class="section">
-  <h1 class="title">{{ auth['class_name'] }} Configuration</h1>
+  <h1 class="title">{{ auth.class_name }} Configuration</h1>
   <div class="conf_cols">
     <div class="conf_col">
       <h2 class="title is-size-4">Access</h2>
@@ -256,7 +256,7 @@ <h2 class="title is-4 has-text-danger">Delete Class Data</h2>
       <p>Users will <strong>not</strong> be deleted, nor will their data in any other class.</p>
     </div>
     <form method="POST" action="{{ url_for('instructor.delete_class') }}" class="field has-addons">
-      <input type="hidden" name="class_id", value="{{ auth['class_id'] }}">
+      <input type="hidden" name="class_id", value="{{ auth.class_id }}">
       <div class="control">
         <input class="input" type="text" name="confirm_delete" placeholder="Type DELETE to confirm">
       </div>
diff --git a/src/gened/templates/profile_view.html b/src/gened/templates/profile_view.html
index 91b09e6..9069481 100644
--- a/src/gened/templates/profile_view.html
+++ b/src/gened/templates/profile_view.html
@@ -49,7 +49,7 @@ <h1 class="title">Your Profile</h1>
       {% endif %}
       <dt>Queries:</dt>
       <dd>{{ user.num_queries }} total, {{ user.num_recent_queries }} in the past week.</dd>
-      {% if not auth['role'] %}
+      {% if not auth.role %}
       <dt>Free Queries:</dt>
       <dd>
         {{ user.query_tokens }} remaining.
@@ -70,8 +70,8 @@ <h2 class="title is-size-3">
     </h2>
     <dl class="profile">
       <dt>Current:</dt>
-      {% if auth['role'] %}
-        <dd>{{ auth['class_name'] }} ({{ auth['role'] }})</dd>
+      {% if auth.role %}
+        <dd>{{ auth.class_name }} ({{ auth.role }})</dd>
       {% else %}
         <dd>None active.</dd>
       {% endif %}
@@ -139,7 +139,7 @@ <h2>Create a New Class</h2>
       </div>
     </dialog>
   {% endif %}
-  {% if not auth['role'] %}
+  {% if not auth.role %}
     {% include "free_query_dialog.html" %}
   {% endif %}
 </section>
diff --git a/src/starburst/helper.py b/src/starburst/helper.py
index da37e0c..2a7f128 100644
--- a/src/starburst/helper.py
+++ b/src/starburst/helper.py
@@ -84,11 +84,11 @@ def run_query(llm: LLMConfig, assignment: str, topics: str) -> int:
 def record_query(assignment: str, topics: str) -> int:
     db = get_db()
     auth = get_auth()
-    role_id = auth['role_id']
+    role_id = auth.role_id
 
     cur = db.execute(
         "INSERT INTO queries (assignment, topics, user_id, role_id) VALUES (?, ?, ?, ?)",
-        [assignment, topics, auth['user_id'], role_id]
+        [assignment, topics, auth.user_id, role_id]
     )
     new_row_id = cur.lastrowid
     db.commit()
@@ -128,6 +128,6 @@ def post_helpful() -> str:
 
     query_id = int(request.form['id'])
     value = int(request.form['value'])
-    db.execute("UPDATE queries SET helpful=? WHERE id=? AND user_id=?", [value, query_id, auth['user_id']])
+    db.execute("UPDATE queries SET helpful=? WHERE id=? AND user_id=?", [value, query_id, auth.user_id])
     db.commit()
     return ""
diff --git a/src/starburst/templates/help_view.html b/src/starburst/templates/help_view.html
index 40c8533..e86aada 100644
--- a/src/starburst/templates/help_view.html
+++ b/src/starburst/templates/help_view.html
@@ -14,7 +14,7 @@
     {% if query %}
 
     <div class="container">
-      {% if auth['user_id'] != query.user_id %}
+      {% if auth.user_id != query.user_id %}
       <div class="field is-horizontal">
         <div class="field-label">
           <label class="label">User:</label>
@@ -81,7 +81,7 @@
         </div>
       </div>
 
-      {% if auth['user_id'] == query.user_id and 'main' in responses %}
+      {% if auth.user_id == query.user_id and 'main' in responses %}
       <div class="card-content p-2 pl-5" style="background: #e5e5e5;" x-data="{helpful: {{"null" if query.helpful == None else query.helpful}}}">
         <script type="text/javascript">
           function post_helpful(value) {
diff --git a/src/starburst/templates/landing.html b/src/starburst/templates/landing.html
index c543bea..161e405 100644
--- a/src/starburst/templates/landing.html
+++ b/src/starburst/templates/landing.html
@@ -12,7 +12,7 @@
     <div class="box content has-background-link-light has-text-dark is-size-3">
       <h1 class="is-size-1">Starburst: Use AI to explore writing topics.</h1>
       <p>It's like a brainstorming partner, suggesting keywords, concepts, and connections related to the seeds you provide.</p>
-      {% if auth['user_id'] %}
+      {% if auth.user_id %}
       <a class="button is-link is-large" href="{{ url_for('helper.help_form') }}">
         Try it now
       </a>
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 038e501..d839d0d 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -42,24 +42,23 @@ def check_login(
 
             # Verify session auth contains correct values for logged-in user
             sessauth = get_auth()
-            assert sessauth['user_id']
-            assert sessauth['display_name'] == username
-            assert sessauth['is_admin'] == is_admin
-            assert sessauth['class_id'] is None
-            assert sessauth['role_id'] is None
-            assert 'auth_provider' in sessauth
-            assert sessauth['auth_provider'] == 'local'
+            assert sessauth.user_id
+            assert sessauth.display_name == username
+            assert sessauth.is_admin == is_admin
+            assert sessauth.class_id is None
+            assert sessauth.role_id is None
+            assert sessauth.auth_provider == 'local'
 
         else:
             # Verify session auth contains correct values for non-logged-in user
             sessauth = get_auth()
-            assert sessauth['user_id'] is None
-            assert sessauth['is_admin'] is False
-            assert sessauth['role'] is None
-            assert 'display_name' not in sessauth
-            assert 'class_id' not in sessauth
-            assert 'role_id' not in sessauth
-            assert 'auth_provider' not in sessauth
+            assert sessauth.user_id is None
+            assert sessauth.is_admin is False
+            assert sessauth.role is None
+            assert sessauth.display_name is None
+            assert sessauth.class_id is None
+            assert sessauth.role_id is None
+            assert sessauth.auth_provider is None
 
         assert message in response.text
 
@@ -112,19 +111,19 @@ def test_logout(client, auth):
     with client:
         auth.login()  # defaults to testuser (id 11)
         sessauth = get_auth()
-        assert sessauth['display_name'] == 'testuser'
+        assert sessauth.display_name == 'testuser'
 
         response = auth.logout()
         assert response.status_code == 302
         assert response.location == "/auth/login"
 
         sessauth = get_auth()
-        assert sessauth['user_id'] is None
-        assert sessauth['is_admin'] is False
-        assert 'display_name' not in sessauth
-        assert 'class_id' not in sessauth
-        assert 'role_id' not in sessauth
-        assert 'auth_provider' not in sessauth
+        assert sessauth.user_id is None
+        assert sessauth.is_admin is False
+        assert sessauth.display_name is None
+        assert sessauth.class_id is None
+        assert sessauth.role_id is None
+        assert sessauth.auth_provider is None
 
         # Check if the user can access the login page and see the flashed message after logout
         response = client.get(response.location)