You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I used the GitHub search to find a similar question and didn't find it.
I searched in the documentation/README.
I already searched in Google "How to do X" and didn't find any information.
I already read and followed all the tutorial in the docs/README and didn't find an answer.
Commit to Help
I commit to help with one of those options 👆
Example Code
def set_auth_cookie(subject: str | Any, expires_delta: timedelta) -> Response:
access_token = create_access_token(subject, expires_delta)
response = JSONResponse(content={"message": "Login successful"})
# Note: The secure flag on cookies ensures they're only sent over encrypted HTTPS connections. For local development (HTTP) set it to False
response.set_cookie(
key="http_only_auth_cookie",
value=access_token,
httponly=True,
max_age=3600,
expires=3600,
samesite="lax",
secure=True,
domain=None,
)
return response
@router.post("/login/access-token")
def login_access_token(
session: SessionDep, form_data: Annotated[OAuth2PasswordRequestForm, Depends()]
) -> JSONResponse:
"""
OAuth2-compatible token login: get an access token for future requests (sent in an HTTP-only cookie)
"""
user = crud.authenticate(
session=session, email=form_data.username, password=form_data.password
)
if not user:
raise HTTPException(status_code=400, detail="Incorrect email or password")
elif not user.is_active:
raise HTTPException(status_code=400, detail="Inactive user")
access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
return security.set_auth_cookie(user.id, access_token_expires)
Description
I'm thinking about changing the authentication flow: use a cookie (with the httponly=True option) for authentication instead of sending the token in plain text. HTTP-only cookies can't be accessed by JavaScript, making them resistant to cross-site scripting (XSS) attacks. I believe this is a more secure approach, and I'm happy to implement the change, but since it would require modifying multiple files I wanted to discuss it first. I already have a POC version running locally. I copied the main backend code changes above.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
First Check
Commit to Help
Example Code
Description
I'm thinking about changing the authentication flow: use a cookie (with the httponly=True option) for authentication instead of sending the token in plain text. HTTP-only cookies can't be accessed by JavaScript, making them resistant to cross-site scripting (XSS) attacks. I believe this is a more secure approach, and I'm happy to implement the change, but since it would require modifying multiple files I wanted to discuss it first. I already have a POC version running locally. I copied the main backend code changes above.
Operating System
Linux
Operating System Details
Ubuntu
Python Version
Python 3.10.12
Additional Context
No response
Beta Was this translation helpful? Give feedback.
All reactions